Dear Sophos Team,
We are using Sophos UTM vpn to connect our users to the office. I'm experiencing some connection error quite often per day. The log shows the following lines several times:
======================================================
Authenticate/Decrypt packet error: packet HMAC authentication failedFatal decryption error (process_incoming_link), restarting
Wed Sep 08 10:26:39 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Oct 30 2018Wed Sep 08 10:26:39 2021 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09Enter Management Password:Wed Sep 08 10:26:39 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340Wed Sep 08 10:26:39 2021 Need hold release from management interface, waiting...Wed Sep 08 10:26:40 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340Wed Sep 08 10:26:40 2021 MANAGEMENT: CMD 'state on'Wed Sep 08 10:26:40 2021 MANAGEMENT: CMD 'log all on'Wed Sep 08 10:26:40 2021 MANAGEMENT: CMD 'hold off'Wed Sep 08 10:26:40 2021 MANAGEMENT: CMD 'hold release'Wed Sep 08 10:26:53 2021 MANAGEMENT: CMD 'username "Auth" "c.modrok"'Wed Sep 08 10:26:53 2021 MANAGEMENT: CMD 'password [...]'Wed Sep 08 10:26:53 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]Wed Sep 08 10:26:53 2021 MANAGEMENT: >STATE:1631089613,RESOLVE,,,,,,Wed Sep 08 10:26:53 2021 Attempting to establish TCP connection with [AF_INET]62.72.104.227:443 [nonblock]Wed Sep 08 10:26:53 2021 MANAGEMENT: >STATE:1631089613,TCP_CONNECT,,,,,,Wed Sep 08 10:26:54 2021 TCP connection established with [AF_INET]62.72.104.227:443Wed Sep 08 10:26:54 2021 TCPv4_CLIENT link local: [undef]Wed Sep 08 10:26:54 2021 TCPv4_CLIENT link remote: [AF_INET]62.72.104.227:443Wed Sep 08 10:26:54 2021 MANAGEMENT: >STATE:1631089614,WAIT,,,,,,Wed Sep 08 10:26:54 2021 MANAGEMENT: >STATE:1631089614,AUTH,,,,,,Wed Sep 08 10:26:54 2021 TLS: Initial packet from [AF_INET]62.72.104.227:443, sid=9447a531 ae851eacWed Sep 08 10:26:54 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent thisWed Sep 08 10:26:54 2021 VERIFY OK: depth=1, C=lu, L=Munsbach, O=Ethenea, CN=Ethenea VPN CA, emailAddress=licadmin@ethenea.comWed Sep 08 10:26:54 2021 VERIFY X509NAME OK: C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comWed Sep 08 10:26:54 2021 VERIFY OK: depth=0, C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comWed Sep 08 10:26:55 2021 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyWed Sep 08 10:26:55 2021 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationWed Sep 08 10:26:55 2021 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyWed Sep 08 10:26:55 2021 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationWed Sep 08 10:26:55 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAWed Sep 08 10:26:55 2021 [FW-LU-01] Peer Connection Initiated with [AF_INET]62.72.104.227:443Wed Sep 08 10:26:57 2021 MANAGEMENT: >STATE:1631089617,GET_CONFIG,,,,,,Wed Sep 08 10:26:58 2021 SENT CONTROL [FW-LU-01]: 'PUSH_REQUEST' (status=1)Wed Sep 08 10:26:58 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.102.0 255.255.255.0,route 192.168.12.0 255.255.255.0,route 192.168.101.0 255.255.255.0,route 192.168.103.0 255.255.255.0,route 192.168.104.0 255.255.255.0,route 192.168.105.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.11.0 255.255.255.0,route 172.16.80.0 255.255.255.0,route 192.168.70.0 255.255.255.0,route 192.168.71.0 255.255.255.0,route 192.168.72.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.12.34,dhcp-option DNS 192.168.12.32,dhcp-option DOMAIN ethna-capital.local,ifconfig 10.242.2.54 255.255.255.0'Wed Sep 08 10:26:58 2021 OPTIONS IMPORT: timers and/or timeouts modifiedWed Sep 08 10:26:58 2021 OPTIONS IMPORT: --ifconfig/up options modifiedWed Sep 08 10:26:58 2021 OPTIONS IMPORT: route options modifiedWed Sep 08 10:26:58 2021 OPTIONS IMPORT: route-related options modifiedWed Sep 08 10:26:58 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedWed Sep 08 10:26:58 2021 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=5 HWADDR=70:5a:0f:46:7b:f6Wed Sep 08 10:26:58 2021 open_tun, tt->ipv6=0Wed Sep 08 10:26:58 2021 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{D2F18D38-D917-4E49-A9FB-27B6015721FA}.tapWed Sep 08 10:26:58 2021 TAP-Windows Driver Version 9.21 Wed Sep 08 10:26:58 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 10.242.2.0/10.242.2.54/255.255.255.0 [SUCCEEDED]Wed Sep 08 10:26:58 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.242.2.54/255.255.255.0 on interface {D2F18D38-D917-4E49-A9FB-27B6015721FA} [DHCP-serv: 10.242.2.254, lease-time: 31536000]Wed Sep 08 10:26:58 2021 Successful ARP Flush on interface [11] {D2F18D38-D917-4E49-A9FB-27B6015721FA}Wed Sep 08 10:26:58 2021 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0Wed Sep 08 10:26:58 2021 MANAGEMENT: >STATE:1631089618,ASSIGN_IP,,10.242.2.54,,,,Wed Sep 08 10:27:02 2021 TEST ROUTES: 14/14 succeeded len=14 ret=1 a=0 u/d=upWed Sep 08 10:27:02 2021 MANAGEMENT: >STATE:1631089622,ADD_ROUTES,,,,,,Wed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 62.72.104.227 MASK 255.255.255.255 192.168.178.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.102.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.12.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.101.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.103.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.104.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.105.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.11.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 172.16.80.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.70.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.71.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.72.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 C:\WINDOWS\system32\route.exe ADD 192.168.13.0 MASK 255.255.255.0 10.242.2.1Wed Sep 08 10:27:02 2021 Route addition via service succeededWed Sep 08 10:27:02 2021 Initialization Sequence CompletedWed Sep 08 10:27:02 2021 MANAGEMENT: >STATE:1631089622,CONNECTED,SUCCESS,10.242.2.54,62.72.104.227,443,192.168.178.40,65174
Beste Regards,
Christian
Our UTM release is 9.707-5
Hallo Christian and welcome to the UTM Community!
Please show us the lines from the UTM's SSL VPN log for the time when the authentication failure occurred.
Cheers - Bob
Hi Bob,
sorry the wrong log file now the right log file. You'll find the Authenticate/Decrypt packet error in bold characters below.
Best Regards,
Mon Sep 13 07:59:40 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Oct 30 2018Mon Sep 13 07:59:40 2021 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09Mon Sep 13 07:59:40 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340Mon Sep 13 07:59:40 2021 Need hold release from management interface, waiting...Mon Sep 13 07:59:41 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340Mon Sep 13 07:59:41 2021 MANAGEMENT: CMD 'state on'Mon Sep 13 07:59:41 2021 MANAGEMENT: CMD 'log all on'Mon Sep 13 07:59:41 2021 MANAGEMENT: CMD 'hold off'Mon Sep 13 07:59:41 2021 MANAGEMENT: CMD 'hold release'Mon Sep 13 08:00:12 2021 MANAGEMENT: CMD 'username "Auth" "c.modrok"'Mon Sep 13 08:00:12 2021 MANAGEMENT: CMD 'password [...]'Mon Sep 13 08:00:13 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]Mon Sep 13 08:00:13 2021 MANAGEMENT: >STATE:1631512813,RESOLVE,,,,,,Mon Sep 13 08:00:13 2021 Attempting to establish TCP connection with [AF_INET]62.72.104.227:443 [nonblock]Mon Sep 13 08:00:13 2021 MANAGEMENT: >STATE:1631512813,TCP_CONNECT,,,,,,Mon Sep 13 08:00:14 2021 TCP connection established with [AF_INET]62.72.104.227:443Mon Sep 13 08:00:14 2021 TCPv4_CLIENT link local: [undef]Mon Sep 13 08:00:14 2021 TCPv4_CLIENT link remote: [AF_INET]62.72.104.227:443Mon Sep 13 08:00:14 2021 MANAGEMENT: >STATE:1631512814,WAIT,,,,,,Mon Sep 13 08:00:14 2021 MANAGEMENT: >STATE:1631512814,AUTH,,,,,,Mon Sep 13 08:00:14 2021 TLS: Initial packet from [AF_INET]62.72.104.227:443, sid=93e813b4 38df2d27Mon Sep 13 08:00:14 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent thisMon Sep 13 08:00:14 2021 VERIFY OK: depth=1, C=lu, L=Munsbach, O=Ethenea, CN=Ethenea VPN CA, emailAddress=licadmin@ethenea.comMon Sep 13 08:00:14 2021 VERIFY X509NAME OK: C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:00:14 2021 VERIFY OK: depth=0, C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:00:15 2021 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:00:15 2021 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:00:15 2021 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:00:15 2021 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:00:15 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAMon Sep 13 08:00:15 2021 [FW-LU-01] Peer Connection Initiated with [AF_INET]62.72.104.227:443Mon Sep 13 08:00:16 2021 MANAGEMENT: >STATE:1631512816,GET_CONFIG,,,,,,Mon Sep 13 08:00:18 2021 SENT CONTROL [FW-LU-01]: 'PUSH_REQUEST' (status=1)Mon Sep 13 08:00:18 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.102.0 255.255.255.0,route 192.168.12.0 255.255.255.0,route 192.168.101.0 255.255.255.0,route 192.168.103.0 255.255.255.0,route 192.168.104.0 255.255.255.0,route 192.168.105.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.11.0 255.255.255.0,route 172.16.80.0 255.255.255.0,route 192.168.70.0 255.255.255.0,route 192.168.71.0 255.255.255.0,route 192.168.72.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.12.34,dhcp-option DNS 192.168.12.32,dhcp-option DOMAIN ethna-capital.local,ifconfig 10.242.2.22 255.255.255.0'Mon Sep 13 08:00:18 2021 OPTIONS IMPORT: timers and/or timeouts modifiedMon Sep 13 08:00:18 2021 OPTIONS IMPORT: --ifconfig/up options modifiedMon Sep 13 08:00:18 2021 OPTIONS IMPORT: route options modifiedMon Sep 13 08:00:18 2021 OPTIONS IMPORT: route-related options modifiedMon Sep 13 08:00:18 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedMon Sep 13 08:00:18 2021 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=5 HWADDR=70:5a:0f:46:7b:f6Mon Sep 13 08:00:18 2021 open_tun, tt->ipv6=0Mon Sep 13 08:00:18 2021 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{D2F18D38-D917-4E49-A9FB-27B6015721FA}.tapMon Sep 13 08:00:18 2021 TAP-Windows Driver Version 9.21 Mon Sep 13 08:00:18 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 10.242.2.0/10.242.2.22/255.255.255.0 [SUCCEEDED]Mon Sep 13 08:00:18 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.242.2.22/255.255.255.0 on interface {D2F18D38-D917-4E49-A9FB-27B6015721FA} [DHCP-serv: 10.242.2.254, lease-time: 31536000]Mon Sep 13 08:00:18 2021 Successful ARP Flush on interface [11] {D2F18D38-D917-4E49-A9FB-27B6015721FA}Mon Sep 13 08:00:18 2021 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0Mon Sep 13 08:00:18 2021 MANAGEMENT: >STATE:1631512818,ASSIGN_IP,,10.242.2.22,,,,Mon Sep 13 08:00:22 2021 TEST ROUTES: 14/14 succeeded len=14 ret=1 a=0 u/d=upMon Sep 13 08:00:22 2021 MANAGEMENT: >STATE:1631512822,ADD_ROUTES,,,,,,Mon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 62.72.104.227 MASK 255.255.255.255 192.168.178.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.102.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.12.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.101.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.103.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.104.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.105.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.11.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 172.16.80.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.70.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.71.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.72.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 C:\WINDOWS\system32\route.exe ADD 192.168.13.0 MASK 255.255.255.0 10.242.2.1Mon Sep 13 08:00:22 2021 Route addition via service succeededMon Sep 13 08:00:22 2021 Initialization Sequence CompletedMon Sep 13 08:00:22 2021 MANAGEMENT: >STATE:1631512822,CONNECTED,SUCCESS,10.242.2.22,62.72.104.227,443,192.168.178.40,50406
Mon Sep 13 08:33:02 2021 Authenticate/Decrypt packet error: packet HMAC authentication failedMon Sep 13 08:33:02 2021 Fatal decryption error (process_incoming_link), restarting
Mon Sep 13 08:33:02 2021 SIGUSR1[soft,decryption-error] received, process restartingMon Sep 13 08:33:02 2021 MANAGEMENT: >STATE:1631514782,RECONNECTING,decryption-error,,,,,Mon Sep 13 08:33:02 2021 Restart pause, 5 second(s)Mon Sep 13 08:33:07 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]Mon Sep 13 08:33:07 2021 MANAGEMENT: >STATE:1631514787,RESOLVE,,,,,,Mon Sep 13 08:33:07 2021 Attempting to establish TCP connection with [AF_INET]62.72.104.227:443 [nonblock]Mon Sep 13 08:33:07 2021 MANAGEMENT: >STATE:1631514787,TCP_CONNECT,,,,,,Mon Sep 13 08:33:11 2021 TCP connection established with [AF_INET]62.72.104.227:443Mon Sep 13 08:33:11 2021 TCPv4_CLIENT link local: [undef]Mon Sep 13 08:33:11 2021 TCPv4_CLIENT link remote: [AF_INET]62.72.104.227:443Mon Sep 13 08:33:11 2021 MANAGEMENT: >STATE:1631514791,WAIT,,,,,,Mon Sep 13 08:33:11 2021 MANAGEMENT: >STATE:1631514791,AUTH,,,,,,Mon Sep 13 08:33:11 2021 TLS: Initial packet from [AF_INET]62.72.104.227:443, sid=07ddf319 08cfbc0eMon Sep 13 08:33:11 2021 VERIFY OK: depth=1, C=lu, L=Munsbach, O=Ethenea, CN=Ethenea VPN CA, emailAddress=licadmin@ethenea.comMon Sep 13 08:33:11 2021 VERIFY X509NAME OK: C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:33:11 2021 VERIFY OK: depth=0, C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:33:13 2021 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:33:13 2021 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:33:13 2021 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:33:13 2021 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:33:13 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAMon Sep 13 08:33:13 2021 [FW-LU-01] Peer Connection Initiated with [AF_INET]62.72.104.227:443Mon Sep 13 08:33:14 2021 MANAGEMENT: >STATE:1631514794,GET_CONFIG,,,,,,Mon Sep 13 08:33:15 2021 SENT CONTROL [FW-LU-01]: 'PUSH_REQUEST' (status=1)Mon Sep 13 08:33:15 2021 AUTH: Received control message: AUTH_FAILEDMon Sep 13 08:33:15 2021 SIGUSR1[soft,auth-failure] received, process restartingMon Sep 13 08:33:15 2021 MANAGEMENT: >STATE:1631514795,RECONNECTING,auth-failure,,,,,Mon Sep 13 08:33:15 2021 Restart pause, 5 second(s)Mon Sep 13 08:34:10 2021 MANAGEMENT: CMD 'username "Auth" "c.modrok"'Mon Sep 13 08:34:10 2021 MANAGEMENT: CMD 'password [...]'Mon Sep 13 08:34:10 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]Mon Sep 13 08:34:10 2021 MANAGEMENT: >STATE:1631514850,RESOLVE,,,,,,Mon Sep 13 08:34:10 2021 Attempting to establish TCP connection with [AF_INET]62.72.104.227:443 [nonblock]Mon Sep 13 08:34:10 2021 MANAGEMENT: >STATE:1631514850,TCP_CONNECT,,,,,,Mon Sep 13 08:34:11 2021 TCP connection established with [AF_INET]62.72.104.227:443Mon Sep 13 08:34:11 2021 TCPv4_CLIENT link local: [undef]Mon Sep 13 08:34:11 2021 TCPv4_CLIENT link remote: [AF_INET]62.72.104.227:443Mon Sep 13 08:34:11 2021 MANAGEMENT: >STATE:1631514851,WAIT,,,,,,Mon Sep 13 08:34:11 2021 MANAGEMENT: >STATE:1631514851,AUTH,,,,,,Mon Sep 13 08:34:11 2021 TLS: Initial packet from [AF_INET]62.72.104.227:443, sid=dd3862ba 15b0737eMon Sep 13 08:34:11 2021 VERIFY OK: depth=1, C=lu, L=Munsbach, O=Ethenea, CN=Ethenea VPN CA, emailAddress=licadmin@ethenea.comMon Sep 13 08:34:11 2021 VERIFY X509NAME OK: C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:34:11 2021 VERIFY OK: depth=0, C=lu, L=Munsbach, O=Ethenea, CN=FW-LU-01, emailAddress=licadmin@ethenea.comMon Sep 13 08:34:13 2021 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:34:13 2021 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:34:13 2021 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit keyMon Sep 13 08:34:13 2021 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Sep 13 08:34:13 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAMon Sep 13 08:34:13 2021 [FW-LU-01] Peer Connection Initiated with [AF_INET]62.72.104.227:443Mon Sep 13 08:34:14 2021 MANAGEMENT: >STATE:1631514854,GET_CONFIG,,,,,,Mon Sep 13 08:34:15 2021 SENT CONTROL [FW-LU-01]: 'PUSH_REQUEST' (status=1)Mon Sep 13 08:34:15 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.102.0 255.255.255.0,route 192.168.12.0 255.255.255.0,route 192.168.101.0 255.255.255.0,route 192.168.103.0 255.255.255.0,route 192.168.104.0 255.255.255.0,route 192.168.105.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.11.0 255.255.255.0,route 172.16.80.0 255.255.255.0,route 192.168.70.0 255.255.255.0,route 192.168.71.0 255.255.255.0,route 192.168.72.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.12.34,dhcp-option DNS 192.168.12.32,dhcp-option DOMAIN ethna-capital.local,ifconfig 10.242.2.22 255.255.255.0'Mon Sep 13 08:34:15 2021 OPTIONS IMPORT: timers and/or timeouts modifiedMon Sep 13 08:34:15 2021 OPTIONS IMPORT: --ifconfig/up options modifiedMon Sep 13 08:34:15 2021 OPTIONS IMPORT: route options modifiedMon Sep 13 08:34:15 2021 OPTIONS IMPORT: route-related options modifiedMon Sep 13 08:34:15 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedMon Sep 13 08:34:15 2021 Preserving previous TUN/TAP instance: Ethernet 3Mon Sep 13 08:34:15 2021 Initialization Sequence CompletedMon Sep 13 08:34:15 2021 MANAGEMENT: >STATE:1631514855,CONNECTED,SUCCESS,10.242.2.22,62.72.104.227,443,192.168.178.40,60029
Those are logs from the client, Christian. Please show the log from the UTM for the corresponding time frame. Also, a picture of the 'Advanced' tab in 'SSL VPN'.
Motte said:Mon Sep 13 08:33:02 2021 Authenticate/Decrypt packet error: packet HMAC authentication failed
This is usually when the client and server aren't sharing the same cipher authentications. They need to match, i.e.
cipher AES-256-CBC
The ciphers have to match on both sides.
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5