This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[Solved] SSL VPN - Authentication failure for all users

Hello, all of our users can't connect via SSL VPN since yesterday afternoon.

I tried the connection via the old SSL VPN Client and via the new Sophos Connect client. Both don't work.

I tried it with a new config file from the UTM, no difference.

We have OTP active. I tried to disable it for vpn, still not working.

Interesting tho: The login into the User Portal is possible. It' also only possible without using the OTP; however at [Definitions & User > Authentication Services > One-time Passwords] the box "Enable OTP for facilities" is checked for User Portal.


We're using a SG230, firmware version 9.710-1

The SSL VPN log says:

2022:06:01-08:26:13 utmdo01 openvpn[8222]: ###:30706 SIGUSR1[soft,connection-reset] received, client-instance restarting
2022:06:01-08:26:36 utmdo01 openvpn[8222]: TCP connection established with [AF_INET]###:31929 (via [AF_INET]###:443)
2022:06:01-08:26:36 utmdo01 openvpn[8222]: ###:31929 TLS: Initial packet from [AF_INET]###:31929 (via [AF_INET]###:443), sid=d7b1c8d5 9b5ea7ba
2022:06:01-08:26:39 utmdo01 openvpn[8222]: ###:31929 VERIFY OK: depth=0, C=de, L=###, O=###, CN=username
2022:06:01-08:26:39 utmdo01 openvpn[8222]: ###:31929 VERIFY OK: depth=1, C=de, L=###, O=###, CN=### VPN CA, emailAddress=###@###.de
2022:06:01-08:26:39 utmdo01 openvpn[8222]: ###:31929 VERIFY OK: depth=1, C=de, L=###, O=###, CN=### VPN CA, emailAddress=###@###.de
2022:06:01-08:26:39 utmdo01 openvpn[8222]: ###:31929 VERIFY OK: depth=0, C=de, L=###, O=###, CN=username
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2022:06:01-08:26:41 utmdo01 openvpn[8222]: ###:31929 [username] Peer Connection Initiated with [AF_INET]###:31929 (via [AF_INET]###:443)
2022:06:01-08:26:43 utmdo01 openvpn[8222]: ###:31929 PUSH: Received control message: 'PUSH_REQUEST'
2022:06:01-08:26:43 utmdo01 openvpn[8222]: ###:31929 Delayed exit in 5 seconds
2022:06:01-08:26:43 utmdo01 openvpn[8222]: ###:31929 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
2022:06:01-08:26:44 utmdo01 openvpn[8222]: ###:31929 Connection reset, restarting [0]




The user authentication daemon log says:

2022:06:01-07:45:48 utmdo01 aua[24999]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.20.1.85 (adirectory)"
2022:06:01-07:45:48 utmdo01 aua[24999]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.20.1.85 (ldap)"
2022:06:01-07:45:48 utmdo01 aua[24999]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.20.1.5 (adirectory)"
2022:06:01-07:45:48 utmdo01 aua[24999]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.20.1.5 (ldap)"
2022:06:01-07:45:48 utmdo01 aua[24999]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.20.1.85 (radius)"
2022:06:01-07:45:48 utmdo01 aua[24999]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.111.96" host="" user="username" caller="openvpn" reason="DENIED"
2022:06:01-07:45:48 utmdo01 aua[3906]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 53"




Edit: I created a user locally on the UTM itself and that user can connect via VPN. So it seems like there's an error with the UTM and the AD / LDAP communicating?
However I can use the test example user feature and it says it works...



This thread was automatically locked due to age.
Parents
  • Definitions & Users > Users & Groups > Groups


    Here we had a group that had an AD group linked which told the UTM who was allowed to use the VPN.

    We deleted the active directory group entry and entered it again. After that change it worked again.

Reply
  • Definitions & Users > Users & Groups > Groups


    Here we had a group that had an AD group linked which told the UTM who was allowed to use the VPN.

    We deleted the active directory group entry and entered it again. After that change it worked again.

Children
No Data