Sophos XG Firewall: Troubleshooting 0 Byte SSL VPN File

Special thanks to  ,  ,  , and 

Disclaimer: This information is posted as-is and the content should be referenced at your own risk.


Hi Community,

In certain user situations, the SSL VPN Client download may incorrectly be presented as a 0 byte download from the User Portal.

This Community post outlines several troubleshooting suggestions.

Ensure the default / custom CA details are properly configured

  • Is a custom CA being used?
    • If so, does the issue occur if the default self-signed certificate is used instead?

If using the default self-signed certificate resolves the issue, please verify the custom CA is properly assembled (proper signing CA, etc.)

User Certificate Generation is failing

To regenerate an individual user's SSL VPN certificate, you will have to navigate on the XG GUI and delete their user certificate (Certificates > Certificates)

    • Their user certificate will then be regenerated the next time the user signs into the XG User Portal and downloads their SSL VPN Configuration.

If you are still experiencing issues, you can regenerate the Default CA by navigating to Certificates > Certificate Authorities
This will force the regeneration of all SSL VPN user certificates and will also restart the SSL VPN service.

Note: that if any of these actions are performed, affected users will have to re-download their SSL VPN installation file to utilize the new certificate.

Check the /tmp partition on device

Navigate to the /tmp partition and investigate if the following SSL VPN files are present

  • # cd tmp
  • # cd /content/sslvpn
  • # ls
    • Confirm if the following SSL VPN files are present in /content/sslvpn:
    • rw-rr- 1 1000 100 413 Apr 24 2015 client-config-template.ovpn
    • rw-rr- 1 1000 100 111.1K Jun 17 19:35 ssl-vpn-config-installer.exe
    • rw-rr- 1 1000 100 1.4M Jun 17 19:35 ssl-vpn-client-installer.exe
    • rw-rr- 1 1000 100 72 Jun 17 19:49 U2DVERSION

If files are not present, try to manually update patterns for SSL VPN Module

  • If patterns fail to update, please contact Sophos Support

Check if the /tmp partition is full

  • # df –h
    • If full, please content Sophos Support for further assistance

Update the device’s patterns

 

Regards,

  • Hello,

    the /content/sslvpn is not at /tmp you can find it at / (/content/sslvpn).

    On one of our Sophos XG the symlink was pointing to /content/sslvpn_1.01/0 and the directory "0" was not present" 

  • Hello,

    Thank you for the guide. It pointed me good direction. In my case, the problem was, that the symbolic link /content/sslvpn was broken. It was pointing to not existing directory /content/sslvpn_1.01/0 and it was supposed to point to /content/sslvpn_1.01/1.0.008/

    Commands to check the symbolic link and fix the issue in Advanced shell:

    Directories with installed Patterns:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -ald /content/sslvpn_*/*
    drwxr-xr-x    2 root     0             1024 Jan  2  2020 /content/sslvpn_1.00/1.0.007
    drwxr-xr-x    2 root     0             1024 Nov 26 10:27 /content/sslvpn_1.01/1.0.008
    

    Get where symbolic is pointing if it exists. It should point to one of the directories with installed Patterns, so:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
    lrwxrwxrwx    1 root     0               29 Nov 26 10:27 /content/sslvpn -> /content/sslvpn_1.01/1.0.008/
    

    In my case, the symbolic link existed, but was not correct:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
    lrwxrwxrwx    1 root     0               22 Sep 10 20:48 sslvpn -> /content/sslvpn_1.01/0

    To fix this situation, I deleted old symbolic link and created new one:

    SG310_WP01_SFOS 17.5.14 MR-14-1# cd /content/
    SG310_WP01_SFOS 17.5.14 MR-14-1# rm sslvpn
    SG310_WP01_SFOS 17.5.14 MR-14-1# ln -s /content/sslvpn_1.01/1.0.008/ sslvpn

    BTW: The problem with 0Byte SSL VPN File was noticed after switching Cluster from Primary to Auxiliary appliance. The symbolic link was broken just on the appliance that was Auxiliary during Pattern update.     

    I hope this will help to someone.

  • Works fine to me!

    Thank you.

  • Thanks, I did the same problem.

  • This resolved it for me!

  • Thank you. This resolved my problem

  • Thank you!  Almost had Support getting us to regen CA and purge files etc ..