Android with OpenVPN + UTM9 - No traffic passing

Hi,

I have been using UTM9 as a VPN appliance for years now with no issues until a few months ago when my Android devices can't access the network anymore. They can connect just fine, but traffic is not flowing trough the tunnel. I can't even ping the VPN gateway. On Windows devices everything is working just fine using the Sophos VPN client.

The UTM9 is behind a firewall and the proper ports are opened.

If someone has an idea, because I can't seem to figure it out. I will put the OpenVPN log here if it helps.

Jul 01, 2024, 21:23:50] Session is ACTIVE

[Jul 01, 2024, 21:23:50] Sending PUSH_REQUEST to server...

[Jul 01, 2024, 21:23:50] EVENT: GET_CONFIG

[Jul 01, 2024, 21:23:51] Sending PUSH_REQUEST to server...

[Jul 01, 2024, 21:23:51] OPTIONS:
0 [route] [remote_host] [255.255.255.255] [net_gateway]
1 [route-gateway] [10.10.10.1]
2 [route-gateway] [10.10.10.1]
3 [topology] [subnet]
4 [ping] [10]
5 [ping-restart] [120]
6 [route] [192.168.10.0] [255.255.255.0]
7 [dhcp-option] [DNS] [192.168.10.2]
8 [dhcp-option] [DOMAIN] [domain.home]
9 [ifconfig] [10.10.10.2] [255.255.255.0]
10 [block-ipv6]
11 [block-ipv4]


[Jul 01, 2024, 21:23:51] PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA256
key-derivation: OpenVPN PRF
compress: ANY
peer ID: -1

[Jul 01, 2024, 21:23:51] EVENT: ASSIGN_IP

[Jul 01, 2024, 21:23:51] exception parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument

[Jul 01, 2024, 21:23:51] Connected via tun

[Jul 01, 2024, 21:23:51] LZO-ASYM init swap=0 asym=1

[Jul 01, 2024, 21:23:51] Comp-stub init swap=1

[Jul 01, 2024, 21:23:51] EVENT: CONNECTED info='SOME EMAIL:8443 (PUBLIC IP) via /TCP on tun/10.10.10.2/ gw=[10.10.10.1/] mtu=(default)' trans=TO_CONNECTED

[Jul 01, 2024, 21:23:51] EVENT: COMPRESSION_ENABLED info='Asymmetric compression enabled. Server may send compressed data. This may be a potential security issue.' trans=TO_DISCONNECTED

Thanks,

Top Replies

Vivek Jagad 1 day ago in reply to Costea Adrian +1 verified

Please refer the following - Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices) Sophos UTM: Temporary Fix OpenVPN (3.4.0) Unsupported Options error

0 Vivek Jagad 1 day ago

Hi Costea Adrian ,

Thank you for reaching out to the community, exclude the 'compress' option and re-deploy the config.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Costea Adrian 1 day ago in reply to Vivek Jagad

Hi,

Thanks for getting back.

I have searched the forum before posting and saw that by disabling compression solved the issue to some of the users. Unfortunately the problem still persists on my end, even with compression disabled. To be honest, I just enabled it for testing and got the logs.

I have attached the logs from the UTM appliance just in case you can see something that I don't.

Live Log: SSL VPN
Filter:
Autoscroll
Reload
2024:07:02-10:29:02 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:02 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:02 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:02 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:05 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:05 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Bad LZO decompression header byte: 251
2024:07:02-10:29:06 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 Connection reset, restarting [0]
2024:07:02-10:29:06 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:54834 SIGUSR1[soft,connection-reset] received, client-instance restarting
2024:07:02-10:29:06 rocljvkrutm openvpn[11962]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="USERNAME" variant="ssl" srcip="109.166.138.134" virtual_ip="10.10.10.2" rx="6194" tx="4105"
2024:07:02-10:29:06 rocljvkrutm openvpn[11962]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: TCP connection established with [AF_INET]109.166.138.134:52024 (via [AF_INET]192.168.10.10:8443)
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 TLS: Initial packet from [AF_INET]109.166.138.134:52024 (via [AF_INET]192.168.10.10:8443), sid=d486cb72 6f50a386
CERTIFICATE DETAILS REMOVED FOR PRIVACY
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 TLS: Username/Password authentication deferred for username 'USERNAME' [CN SET]
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 [USERNAME] Peer Connection Initiated with [AF_INET]109.166.138.134:52024 (via [AF_INET]192.168.10.10:8443)
2024:07:02-10:29:28 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 PUSH: Received control message: 'PUSH_REQUEST'
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: 109.166.138.134:52024 PUSH: Received control message: 'PUSH_REQUEST'
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/USERNAME
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 MULTI_sva: pool returned IPv4=10.10.10.2, IPv6=(Not enabled)
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="USERNAME" variant="ssl" srcip="109.166.138.134" virtual_ip="10.10.10.2"
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_89ee33fbdc069fbb4c353b7a97171abb.tmp
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 MULTI: Learn: 10.10.10.2 -> USERNAME/109.166.138.134:52024
2024:07:02-10:29:29 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 MULTI: primary virtual IP for USERNAME/109.166.138.134:52024: 10.10.10.2
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 PUSH: Received control message: 'PUSH_REQUEST'
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 send_push_reply(): safe_cap=940
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 SENT CONTROL [USERNAME]: 'PUSH_REPLY,route-gateway 10.10.10.1,route-gateway 10.10.10.1,topology subnet,ping 10,ping-restart 120,route 192.168.10.0 255.255.255.0,dhcp-option DNS 192.168.10.2,dhcp-option DOMAIN vkernel.home,ifconfig 10.10.10.2 255.255.255.0' (status=1)
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:33 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:34 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:34 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:34 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:36 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:37 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:38 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:38 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:38 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Bad LZO decompression header byte: 251
2024:07:02-10:29:39 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 Connection reset, restarting [0]
2024:07:02-10:29:39 rocljvkrutm openvpn[11962]: USERNAME/109.166.138.134:52024 SIGUSR1[soft,connection-reset] received, client-instance restarting
2024:07:02-10:29:39 rocljvkrutm openvpn[11962]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="USERNAME" variant="ssl" srcip="109.166.138.134" virtual_ip="10.10.10.2" rx="6080" tx="4070"
2024:07:02-10:29:39 rocljvkrutm openvpn[11962]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0

+1 Vivek Jagad 1 day ago in reply to Costea Adrian

Please refer the following - Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)
Sophos UTM: Temporary Fix OpenVPN (3.4.0) Unsupported Options error

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Costea Adrian 1 day ago in reply to Vivek Jagad

Thank you,

It is working now, even tough last week I have tested it with compression enabled and didn't work. Nothing changed, so I have no idea why it's working now.

Much appreciate your help.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel