
Cisco VPN Client not route after update 9.409-9

Hi,

I have updated my Sophos UTM SG310 to the version in the subject.

Before I did the update I could access every network device over IPsec (Cisco) with my company iPhone.

Now, after the update, I'm not able to do it anymore.

The connection and the authentication are OK (VPN Connected) but I can't ping any device on any network (Request timeout).

SSL and PPTP work fine.

Can somebody help me with this issue?

Tommaso



  • Hi Tommaso,

    Does #1 in Rulz give any hints?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This latest update 9.409-9 also caused some issues on my VPN connection. However, I did solve it at last.

    This is what I did.

    Go to Network Protection > Firewall > Advanced and turn off 'Block invalid packets'.

    Then go to Management > Backup/Restore and restore my configuration to 9.408-4.

    I'm not sure what is going wrong with this new firmware 9.409-9 but this is how I solved my VPN connection issue. You may give it a try if you still can't get it solved. Hope this can help.

  • Hi Tommaso,

    Try the suggestion made by Alex and let us know if that helps. It is reported as a BUG in the latest version under the ID NUTM-6375.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Bob,

    the VPN connection is establishing and I didn't see any errors in the firewall logs. Everything looks to be working but I can't ping or browse my network.

    I think that it is a bug because I saw other reports in the community with the same issue.

    I'll try the suggestion made by Alex and let you know if it works.

    Thank you all for your support.

    Tommaso

  • Hi,

    I observe the same/similar problem.

    I am trying to set up Cisco VPN client access between my UTM 9.409-9 (running in a VM on a machine behind a Fritzbox) and my iPhone S6.

    IPsec SA is established but ping traffic is dropped.

    When I use 'cat /proc/net/xfrm_stat' I see the counter 'XfrmInStateProtoError' increasing.

    Do you know what that counter means?

    I also dumped the traffic following the instructions here:

    https://community.sophos.com/kb/de-de/116179

    I can see the decrypted ICMP packets as expected. The only strange thing in the Wireshark analysis:

    Under Encapsulating Security Payload I find

             --> 'Authentication Data [incorrect, should be ....]'

    I am not sure though whether this is the cause or whether I put the wrong information in the 'Authentication key' field of Wireshark. The instructions say:

    • Authentication key: enter the preshared key used to encrypt the tunnel. Eg. test

    I do not use a preshared key. I use certificates. Do you know which value should be used in that case for the Authentication key?

    Thanks and BR,
    Michael

     

  • Hi,

    In the meantime I found out where to look for the session authentication keys. I use "ip xfrm state" to read them.

    When applying these keys to wireshark the authentication works fine.

    So in summary it seems SAs are correct but still traffic is dropped!?

    BR,
    Michael
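A way to pin down which xfrm counter moves during a test ping, as an added example (not from Michael's posts or from Sophos): snapshot /proc/net/xfrm_stat before and after the ping and print only the counters that grew. It assumes a POSIX sh with awk; the two snapshot files are constructed samples, not captured from a UTM.

```shell
#!/bin/sh
# Added example, not from the thread: compare two snapshots of
# /proc/net/xfrm_stat and print only the counters that increased.
# A rising XfrmInStateProtoError means inbound ESP packets matched an SA
# but failed the transform's own check (integrity/decryption), so the
# kernel IPsec layer drops them before a decrypted packet reaches the firewall.

# Print "name before -> after" for every counter that grew between two snapshots.
xfrm_delta() {
    before="$1"
    after="$2"
    # awk reads the 'before' file first (NR == FNR) and remembers each value,
    # then compares every counter in the 'after' file against it.
    awk 'NR == FNR { prev[$1] = $2; next }
         ($1 in prev) && ($2 + 0 > prev[$1] + 0) { printf "%s %s -> %s\n", $1, prev[$1], $2 }' \
        "$before" "$after"
}

# Constructed sample snapshots (excerpt of the counter list; values invented).
# On the UTM itself you would run instead:
#   cat /proc/net/xfrm_stat > before; ping -c 5 <lan-host>; cat /proc/net/xfrm_stat > after
make_samples() {
    dir="$1"
    cat > "$dir/before" <<'EOF'
XfrmInError                 0
XfrmInNoStates              0
XfrmInStateProtoError       3
XfrmInStateSeqError         0
XfrmInNoPols                0
EOF
    cat > "$dir/after" <<'EOF'
XfrmInError                 0
XfrmInNoStates              0
XfrmInStateProtoError       8
XfrmInStateSeqError         0
XfrmInNoPols                0
EOF
}

main() {
    dir=$(mktemp -d)
    make_samples "$dir"
    xfrm_delta "$dir/before" "$dir/after"   # expected: XfrmInStateProtoError 3 -> 8
    rm -rf "$dir"
}

main
```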

     

  • Pinging is regulated on the 'ICMP' tab of 'Firewall'.  Note that the "Any" service includes only TCP and UDP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi sachingurung,

    I tried the suggestion of Alex without any success. In the firewall log I don't see any dropped packets from my connection. In the IPsec VPN log I've only seen the following error:

    ------
    executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='D_for MYNAME to Internal (Network)-1' PLUTO_NEXT_HOP='PUBLIC IP ASSIGNED TO MY DEVICE' PLUTO_INTERFACE='eth1' PLUTO_REQID='16817' PLUTO_ME='PUBLIC-IP-OF-MYCOMPANY' PLUTO_MY_ID='example.com' PLUTO_MY_CLIENT='MYLANIP/23' PLUTO_MY_CLIENT_NET='MYNETIP' PLUTO_MY_CLIENT_MASK='255.255.254.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='PUBLIC IP ASSIGNED TO MY DEVICE' PLUTO_PEER_ID='C=it, L=Limbiate (MI), O=AM Instruments Srl, CN=Tommaso Cassano, E=MYEMAIL' PLUTO_PEER_CLIENT='MY-LOCAL-VIRTUAL-IP/32' PLUTO_PEER_CLIENT_NET='MY-LOCAL-VIRTUAL-IP' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=it, L=Limbiate (MI), O=AM Instruments Srl, CN=AM Instruments Srl VPN CA, E=@' /usr/libexec/ipsec/updown classic
    2017:01:02-09:54:34 fw-2 pluto[1928]: "D_for MYNAME to Internal (Network)-1"[2] PUBLIC IP ASSIGNED TO MY DEVICE:14061 #8: ERROR: netlink response for Add SA esp.9a04d59a@PUBLIC-IP-OF-MYCOMPANY included errno 22: Invalid argument
    2017:01:02-09:54:34 fw-2 pluto[1928]: | NAT-T: new mapping PUBLIC IP ASSIGNED TO MY DEVICE:14031/14061)
    2017:01:02-09:54:34 fw-2 pluto[1928]: "D_for MYNAME to Internal (Network)-1"[2] PUBLIC IP ASSIGNED TO MY DEVICE:14061 #8: ERROR: netlink response for Add SA esp.9a04d59a@PUBLIC-IP-OF-MYCOMPANY included errno 22: Invalid argument
    2017:01:02-09:54:34 fw-2 pluto[1928]: "D_for MYNAME to Internal (Network)-4"[2] PUBLIC IP ASSIGNED TO MY DEVICE:14061 #7: received Delete SA(0x00f67c8c) payload: deleting IPSEC State #8
    ------
    Other than that, everything looks good and also the routing tables are correctly created.

    It seems that my connection ends up in a black hole :-)

  • Hi Bob,

    I enabled all of the ICMP traffic.

    Anyway I guess the decrypted packet is not even reaching the firewall. It is dropped by IPsec beforehand, as indicated (I think) by the xfrm statistics counter.

    BR,
    Michael

  • ...and one addition: in my VPN setup logs I do not see any errors.

    Thanks & Happy new year,
    Michael