
Sophos UTM SG230 VPN issue with Client

Hello all, this is my problem. I have an SG230 with the latest firmware on it; all rules and routing are fine. I have about 100 clients connected to the SG230 via SSL VPN over TCP 443 (vpn.xxxxx.xxxx.com). This is all connected fine and it's working. The problem comes like this:

1. Client connects via the Sophos App for Windows to our system (latest app version, including the config from the FW). That is OK. After about 2h, sometimes 1.5h, his connection breaks for no reason at all. He tries to connect; sometimes he can, and sometimes he can't, it tells him Username/Password, but that is not true, as nothing has changed and nobody has changed his config. After the client restarts his PC, he is able to connect again with no problem. This connection might last for the rest of the day, or it could happen that he connects for about 10 minutes, then gets kicked off, and again and again the same thing. After, let's say, an OK connection, he is not able to connect to his VM, but if he restarts his PC and flushes his DNS, then he is able to.

2. I have users who never ever had any issues, and they use the same config, same routing, under the VPN members group.

3. I have tried issuing new certificates. Doesn't work.

4. I have deleted the user and created a new one; after a while, same problem.

5. We tried changing our UTM 443 port to something else and even the protocol. No help, same problem.

6. All users are locally created and locally managed (no prefetching is needed).

7. On the users' side, they are connected with a LAN cable directly to the ISP box, speed 100/50 Mbps. That is not the problem, as they are able to connect with no issues.

SOME LOG FROM CLIENT:

2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 TLS: Username/Password authentication deferred for username 'USER' [CN SET]
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 [USER] Peer Connection Initiated with [AF_INET]10.1.1.1:49966 (via [AF_INET]10.20.10.246:443)
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/USER
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 MULTI_sva: pool returned IPv4=10.14.0.3, IPv6=(Not enabled)
2020:03:30-06:57:00 fw1-1 openvpn[11688]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="USER" variant="ssl" srcip="10.1.1.1" virtual_ip="10.14.0.3"
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_807c3af1047878bc62f8f631527843f1.tmp
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 MULTI: Learn: 10.14.0.3 -> USER/10.1.1.1:49966
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 MULTI: primary virtual IP for USER/10.1.1.1:49966: 10.14.0.3
2020:03:30-06:57:01 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 PUSH: Received control message: 'PUSH_REQUEST'
2020:03:30-06:57:01 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 send_push_reply(): safe_cap=940
2020:03:30-06:57:01 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 SENT CONTROL [USER]: 'PUSH_REPLY,route-gateway 10.14.0.1,route-gateway 10.14.0.1,topology subnet,ping 10,ping-restart 120,route 10.0.0.0 255.0.0.0,dhcp-option DNS 10.20.10.20,ifconfig 10.14.0.3 255.255.255.0' (status=1)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Connection reset by peer (code=104)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)

AFTER HE CONNECTS WITH NO PROBLEM, LOG BELOW:

2020:03:30-14:40:06 fw1-1 openvpn[11688]: 10.1.1.1:49853 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2020:03:30-14:40:06 fw1-1 openvpn[11688]: 10.1.1.1:49853 [USER] Peer Connection Initiated with [AF_INET]10.1.1.1:49853 (via [AF_INET]10.20.10.246:443)
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/USER
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 MULTI_sva: pool returned IPv4=10.14.0.3, IPv6=(Not enabled)
2020:03:30-14:40:08 fw1-1 openvpn[11688]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="USER" variant="ssl" srcip="10.1.1.1" virtual_ip="10.14.0.3"
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_8ba633e6c2744af44c4139e4450bf9e1.tmp
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 MULTI: Learn: 10.14.0.3 -> USER/10.1.1.1:49853
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 MULTI: primary virtual IP for USER/10.1.1.1:49853: 10.14.0.3
2020:03:30-14:40:08 fw1-1 openvpn[11688]: USER/10.1.1.1:49853 PUSH: Received control message: 'PUSH_REQUEST'

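An added example, not from the thread or from Sophos: a small Python parser for the UTM SSL VPN log format quoted above. It groups entries per USER/ip:port session and flags sessions whose TCP write errors ("Connection reset by peer", "Broken pipe") began within a few minutes of setup, which is exactly the pattern in the first log (PUSH_REPLY at 06:57:01, reset at 07:01:30). The sample lines are constructed in the same format, and "USER"/"OTHER" are placeholder usernames.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the UTM SSL VPN log format quoted above (host, PID and
# timestamps follow the thread; "USER" and "OTHER" are placeholder usernames).
SAMPLE_LOG = """\
2020:03:30-06:56:59 fw1-1 openvpn[11688]: 10.1.1.1:49966 TLS: Username/Password authentication deferred for username 'USER' [CN SET]
2020:03:30-06:57:00 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 MULTI_sva: pool returned IPv4=10.14.0.3, IPv6=(Not enabled)
2020:03:30-06:57:01 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 PUSH: Received control message: 'PUSH_REQUEST'
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Connection reset by peer (code=104)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-07:01:30 fw1-1 openvpn[11688]: USER/10.1.1.1:49966 write TCPv4_SERVER: Broken pipe (code=32)
2020:03:30-14:40:08 fw1-1 openvpn[11688]: OTHER/10.1.1.2:49853 MULTI_sva: pool returned IPv4=10.14.0.4, IPv6=(Not enabled)
2020:03:30-14:40:08 fw1-1 openvpn[11688]: OTHER/10.1.1.2:49853 PUSH: Received control message: 'PUSH_REQUEST'
"""

# Line shape: "<ts> <host> openvpn[<pid>]: [[USER/]ip:port ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ openvpn\[\d+\]: "
    r"(?:(?:(?P<user>[^/\s]+)/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$")
WRITE_ERR_RE = re.compile(r"write TCPv4_SERVER: .+ \(code=\d+\)")

@dataclass
class Session:
    user: str
    peer: str
    first_seen: datetime
    last_seen: datetime
    reset_at: "datetime | None" = None  # first TCP write error on this session
    write_errors: int = 0

def summarize_sessions(log_text):
    """Group lines by USER/ip:port and record when the TCP write errors began."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("user"):
            continue  # pre-auth lines (bare ip:port) and id="..." events carry no session key
        key = f"{m.group('user')}/{m.group('peer')}"
        ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
        s = sessions.setdefault(key, Session(m.group("user"), m.group("peer"), ts, ts))
        s.last_seen = max(s.last_seen, ts)
        if WRITE_ERR_RE.search(m.group("msg")):
            s.write_errors += 1
            s.reset_at = s.reset_at or ts
    return sessions

def short_lived(sessions, max_minutes):
    """Keys of sessions whose first write error came within max_minutes of their first line."""
    return sorted(k for k, s in sessions.items() if s.reset_at
                  and (s.reset_at - s.first_seen).total_seconds() <= max_minutes * 60)
```

Running `short_lived(summarize_sessions(open("openvpn.log").read()), 10)` over a day of the UTM's SSL VPN log lists the sessions that dropped shortly after setup, so the affected user's entries can be pulled out and compared against the clients that never have the problem.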

  • I can't believe there is NOT a single person here from SOPHOS, or outside VPN experts, to answer this question, wow... surprised.

  • Hello Gordon,

    I can't answer, but I recommend opening a ticket with Sophos Support. I heard something similar from one user at my site but didn't examine it till now because the problem seemed to have vanished. So if you get a solution I would be interested too.
    Did you look in the IPS log? Maybe there's something related.

    Best regards 

    Alex 


  • Hallo Gordan and welcome to the UTM Community!

    Did you get an answer from Sophos Support?

    I just tried to figure this out but didn't know what to do with the documentation you provided. If you still need help, please show a portion of the UTM's SSL VPN log where the disconnect occurred for one client and tell us the IP and username of the client so that we can ignore lines related to other active users.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am not quite certain about your problem, since you mention this only happening to the same user over and over again and not to any other users.

    Usually a broken pipe message could indicate that the load on the VPN server is too high (at a given point in time), but that should randomly impact other users too. This might therefore be an issue on the specific client's computer. Did you try exchanging this computer with another?

    Also, you could try to change from TCP to UDP. This will improve speed, and UDP is not connection oriented like TCP is, so if a packet comes in a bit too late it wouldn't harm too much. However, there are some downsides to this: everyone must get a new VPN config, and at some remote locations access to UDP ports might be blocked, whereas TCP 443 is usually open.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.