We have the same problem with only one client, as written in: https://community.sophos.com/utm-firewall/f/general-discussion/130081/authenticate-decrypt-packet-error-packet-hmac-authentication-failed
All other colleagues work the whole day without any problem. First we used SSL VPN Client and now Sophos Connect - nothing changed. I tried it with the same ovpn-file as the affected user on my notebook and it works well. In the other thread I do not understand the last post from Amodin, because the Cryptographic Settings in the Advanced tab are the same for all users:
What could be the problem?
If what I said in the other forum post doesn't apply to you, then it isn't your issue, hence why I stated that's 'usually' the issue. Cipher mismatch is the most common occurrence for that specific error.
Can you post the log entries from the UTM showing when the connect error occurs here (not the log from a client)?
Have you tried deleting the certificate on the client and downloading an updated file? I would do this before anything else.
Is the client a Windows machine or Linux?
UTM - 9.711 | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
We started with SSL VPN Client and a new SSL profile for 2 users. After problems began we tried to re-install the client and ovpn-file, but the error occurred again. So we de-installed SSL-Client, installed Sophos Connect and imported the ovpn-file from the old directory (it wasn't deleted during de-install). After the error persisted, we imported a new ovpn-file from the UTM, but the error remains.
Both are Win10 clients.
Client:
Thu Jan 06 09:00:28 2022 Authenticate/Decrypt packet error: packet HMAC authentication failed
Thu Jan 06 09:00:28 2022 Fatal decryption error (process_incoming_link), restarting
Thu Jan 06 09:00:28 2022 SIGUSR1[soft,decryption-error] received, process restarting
Thu Jan 06 09:00:28 2022 MANAGEMENT: >STATE:1641456028,RECONNECTING,decryption-error,,,,,
Thu Jan 06 09:00:28 2022 Restart pause, 5 second(s)
UTM:
2022:01:06-09:00:28 srv90076-2 openvpn: username/client-ip-address:62202 Connection reset, restarting [-1]
2022:01:06-09:00:28 srv90076-2 openvpn: username/client-ip-address:62202 SIGUSR1[soft,connection-reset] received, client-instance restarting
2022:01:06-09:00:28 srv90076-2 openvpn: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="username" variant="ssl" srcip="client-ip-address" virtual_ip="10.242.2.6" rx="24184975" tx="82467787"
2022:01:06-09:00:28 srv90076-2 openvpn: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0
2022:01:06-09:00:45 srv90076-2 openvpn: TCP connection established with [AF_INET]client-ip-address:55428 (via [AF_INET]ip-address-utm:443)
I think you need a "new" ovpn configuration, not new client software.
Maybe you changed something in the global parameters of your SSL setup. Then you need to download the new ovpn definition for all users.
Best regards from Germany,
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hi Philipp,
thanks a lot for your support.
Nothing was changed in the global SSL parameters.
More than 50 other VPN connections work with no error. Only two notebooks from a partner have this problem, so I think the problem is to be found there. They tested from the company LAN and a "free" internet connection (DSL at home). The ovpn configuration from the affected users works well on my private notebook.
This seems to be a different issue, then. Looks like a cipher or a config mismatch, like Amodin suggested already.
Are you sure that your partner did not modify his client environment?
For this setup to connect successfully, "tls-crypt" is needed to be enabled, not only "tls-auth".
Connections are possible but crash after an undefined time: sometimes 10 min, then 30 min, then 20 min and so on.
For this setup to connect successfully, "tls-crypt" is needed to be enabled, not only "tls-auth"
Where can I find these options?
I think it could be sufficient to have "tls-client" in the partner's client .ovpn configuration file.
BTW: did you turn on "compression" in your server configuration?
Can you turn this OFF for a test, please?
Compression is activated.
But now I have no more clients for testing because we configured a site-to-site VPN - sorry.
I see it's not a simple problem....
Many thanks to all for the support
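Added example, not part of the thread or any poster's code: several replies suspect a cipher, `tls-auth`/`tls-crypt` or compression mismatch, so this Python sketch pulls the directives that affect packet authentication out of two `.ovpn` profiles and reports where they differ. The function names and both sample profiles are constructed for illustration; only lines that begin with `#` or `;` are treated as comments.

```python
import re

# Standard OpenVPN options that must agree on both ends for packets to
# authenticate and decrypt; anything else in the profile is ignored.
CRYPTO_KEYS = {"cipher", "data-ciphers", "ncp-ciphers", "auth", "tls-auth",
               "tls-crypt", "key-direction", "comp-lzo", "compress", "tls-client"}

def crypto_directives(text):
    """Return {directive: args} for the crypto-relevant options in a profile."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                        # inside an inline <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
            if inline in CRYPTO_KEYS:     # inline tls-auth / tls-crypt key material
                found[inline] = "[inline]"
            continue
        if not line or line[0] in "#;":   # blank line or commented-out directive
            continue
        parts = line.split()
        if parts[0] in CRYPTO_KEYS:
            found[parts[0]] = " ".join(parts[1:])
    return found

def diff_profiles(a, b):
    """Map each differing directive to (value in a, value in b); None = absent."""
    da, db = crypto_directives(a), crypto_directives(b)
    return {k: (da.get(k), db.get(k))
            for k in sorted(da.keys() | db.keys()) if da.get(k) != db.get(k)}

# Constructed sample profiles (not taken from the thread).
WORKING = """client
dev tun
proto tcp
cipher AES-256-CBC
auth SHA256
comp-lzo
<ca>
(constructed placeholder, certificate body omitted)
</ca>
"""
PARTNER = WORKING.replace("auth SHA256", "auth SHA1").replace("comp-lzo\n", "; comp-lzo\n")

if __name__ == "__main__":
    for key, (ours, theirs) in diff_profiles(WORKING, PARTNER).items():
        print(f"{key}: working={ours!r} partner={theirs!r}")
```

An empty result means the two profiles agree on these options, which points the investigation at the client environment or the network path rather than the profile.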