
SG430 | UTM 9.707-5 | SSL VPN | TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) & TLS Error: TLS handshake failed

We use a Sophos SG430 | UTM 9.707-5 for SSL VPN.

It worked flawlessly for the last 9 months. Two days ago we physically moved the hardware appliance to a new server room.

After we powered and booted the UTM again, everything worked fine, except the SSL VPN / OpenVPN Server.

There was no change in configuration, just a physical location change of the hardware appliance.

We have over 130 SSL VPN users and no one can connect currently.

Every user gets the same error message in the Sophos SSL VPN Client (OpenVPN Client):

Mon Sep 06 13:03:53 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Oct 30 2018
Mon Sep 06 13:03:53 2021 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Enter Management Password:
Mon Sep 06 13:03:53 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Sep 06 13:03:53 2021 Need hold release from management interface, waiting...
Mon Sep 06 13:03:54 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'state on'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'log all on'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'hold off'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'hold release'
Mon Sep 06 13:04:42 2021 MANAGEMENT: CMD 'username "Auth" "USERNAME"'
Mon Sep 06 13:04:42 2021 MANAGEMENT: CMD 'password [...]'
Mon Sep 06 13:04:42 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 06 13:04:42 2021 MANAGEMENT: >STATE:1630926282,RESOLVE,,,,,,
Mon Sep 06 13:04:42 2021 UDPv4 link local: [undef]
Mon Sep 06 13:04:42 2021 UDPv4 link remote: [AF_INET]PUBLIC_UTM_WAN_IP:4443
Mon Sep 06 13:04:42 2021 MANAGEMENT: >STATE:1630926282,WAIT,,,,,,
Mon Sep 06 13:05:42 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 06 13:05:42 2021 TLS Error: TLS handshake failed
Mon Sep 06 13:05:42 2021 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 06 13:05:42 2021 MANAGEMENT: >STATE:1630926342,RECONNECTING,tls-error,,,,,
Mon Sep 06 13:05:42 2021 Restart pause, 2 second(s)
Mon Sep 06 13:05:44 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 06 13:05:44 2021 MANAGEMENT: >STATE:1630926344,RESOLVE,,,,,,
Mon Sep 06 13:05:44 2021 UDPv4 link local: [undef]
Mon Sep 06 13:05:44 2021 UDPv4 link remote: [AF_INET]PUBLIC_UTM_WAN_IP:4443
Mon Sep 06 13:05:44 2021 MANAGEMENT: >STATE:1630926344,WAIT,,,,,,
Mon Sep 06 13:06:44 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 06 13:06:44 2021 TLS Error: TLS handshake failed
Mon Sep 06 13:06:44 2021 SIGUSR1[soft,tls-error] received, process restarting

The UTM OpenVPN Log shows:

2021:09:06-15:43:43 utm openvpn[16234]: USER_IP:51989 TLS: Initial packet from [AF_INET]USER_IP:51989 (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0), sid=a5a756e7 f80faa03
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 TLS Error: TLS handshake failed
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 SIGUSR1[soft,tls-error] received, client-instance restarting
2021:09:06-15:43:52 utm openvpn[16234]: USER_IP:63575 TLS: Initial packet from [AF_INET]USER_IP:63575 (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0), sid=c7046edc e96a1244
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: CMD 'status -1' 

The TLS Error repeats endlessly for all users. Same applies to the Sophos RED Logfile.

One strange thing, which might be the source of the problem: the OpenVPN logfile shows:

...TLS: Initial packet from... (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0)...

I've compared the logfiles to an OpenVPN logfile from before we physically moved the hardware appliance, and in that logfile, where the SSL VPN still worked, it shows:

...TLS: Initial packet from... (via [AF_INET]PUBLIC_UTM_WAN_IP%eth1)...

eth0 is the default and current LAN interface/port, while eth1 is the default and current WAN interface/port.

The certificate authority, server certificate and user certificates are all valid, which I can confirm: when connecting from an internal interface, the SSL VPN connection works, like it did before from the internet.

I've tried to change the interface address from "Remote Access -> SSL -> Settings -> Interface Address" from the default "Any IPv4" to the "WAN Interface address", but this doesn't change anything. The TLS connection still uses the LAN Port/Interface instead of the WAN Port/Interface.

How can I change the OpenVPN Server to use the correct interface, which should be the WAN interface in this case?
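As an added example (not from the post, Sophos or OpenVPN), a small Python script that parses UTM OpenVPN log lines in the format quoted above, records which interface each client's initial TLS packet arrived via, flags clients whose packets came in on something other than the expected WAN interface, and counts their handshake failures. The log lines and addresses are constructed (documentation ranges), and the interface names are assumed to match the post (eth1 = WAN).

```python
import re

# Constructed sample in the UTM openvpn log format quoted in the post
# (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
2021:09:06-15:43:43 utm openvpn[16234]: 198.51.100.7:51989 TLS: Initial packet from [AF_INET]198.51.100.7:51989 (via [AF_INET]203.0.113.10%eth0), sid=a5a756e7 f80faa03
2021:09:06-15:43:50 utm openvpn[16234]: 198.51.100.7:50926 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021:09:06-15:43:50 utm openvpn[16234]: 198.51.100.7:50926 TLS Error: TLS handshake failed
2021:09:06-15:43:52 utm openvpn[16234]: 198.51.100.22:63575 TLS: Initial packet from [AF_INET]198.51.100.22:63575 (via [AF_INET]203.0.113.10%eth1), sid=c7046edc e96a1244
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
"""

# "Initial packet from [AF_INET]<client>:<port> (via [AF_INET]<local>%<iface>)"
INITIAL_RE = re.compile(
    r"Initial packet from \[AF_INET\](?P<client>[\d.]+):\d+ "
    r"\(via \[AF_INET\](?P<local>[\d.]+)%(?P<iface>\w+)\)"
)
# "<client>:<port> TLS Error: TLS handshake failed"
TLS_FAIL_RE = re.compile(r"(?P<client>[\d.]+):\d+ TLS Error: TLS handshake failed")


def audit_openvpn_log(text, expected_iface):
    """Per client IP: interfaces its initial packets arrived via, which of those
    are not the expected WAN interface, and how many handshakes failed."""
    seen = {}
    for line in text.splitlines():
        m = INITIAL_RE.search(line)
        if m:
            seen.setdefault(m["client"], {"ifaces": set(), "failed": 0})["ifaces"].add(m["iface"])
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            seen.setdefault(m["client"], {"ifaces": set(), "failed": 0})["failed"] += 1
    return {
        client: {
            "ifaces": sorted(e["ifaces"]),
            "wrong_iface": sorted(i for i in e["ifaces"] if i != expected_iface),
            "failed": e["failed"],
        }
        for client, e in seen.items()
    }


if __name__ == "__main__":
    for client, info in audit_openvpn_log(SAMPLE_LOG, "eth1").items():
        flag = "WRONG INTERFACE" if info["wrong_iface"] else "ok"
        print(f"{client}: via {info['ifaces']} {flag}, handshake failures={info['failed']}")
```

Run against the real `/var/log/openvpn.log` export with the WAN interface name as the second argument; a client listed with `WRONG INTERFACE` is hitting the server on the LAN side, which is the symptom the post describes.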



  • That looks to me like either the wrong cords are plugged in, the ETH designations are switched or backwards, or you have something interfering with the connection.

    That strange thing you are pointing out with eth0 and eth1 switching I usually see when the eth cords are switched.

    OpenVPN has a list of common issues with that error as well: https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hello Amodin,

    I've double-checked that the cords are plugged into the correct places. As for the UTM's WAN interface, it's connected directly to the fiber switch from the ISP, so there could be no interference from the internal network. Also I've already asked the ISP to check the port on the switch, but from the ISP's side everything is okay.

    The issues list from openvpn.net I've already checked before. None of the listed issues apply to our case:

    -There is no perimeter firewall between the ISP and the Sophos UTM.

    -No blockade by the Sophos Firewall itself, as the vpn connection trials show up on the UTM OpenVPN log.

    -There is no NAT gateway in the way, as we have a direct connection from the UTM to the Internet, using a fixed public IP.

    -The OpenVPN client has the correct public gateway address, as the vpn connection trials show up on the UTM OpenVPN log.

    -No Windows Firewall is blocking, deactivated it for testing purpose.

  • Hallo Alexander and welcome to the UTM Community!

    When you traceroute to the public IP on the UTM's External interface, do you see what you expected?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA