We use a Sophos SG430 | UTM 9.707-5 for SSL VPN.
It worked flawlessly for the last 9 months. Two days ago we physically moved the hardware appliance to a new server room.
After we powered and booted the UTM again, everything worked fine, except the SSL VPN / OpenVPN Server.
There was no change in configuration, just a physical location change of the hardware appliance.
We have over 130 SSL VPN users and no one can connect currently.
Every user gets the same error message in the Sophos SSL VPN Client (OpenVPN Client):
Mon Sep 06 13:03:53 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Oct 30 2018
Mon Sep 06 13:03:53 2021 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Enter Management Password:
Mon Sep 06 13:03:53 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Sep 06 13:03:53 2021 Need hold release from management interface, waiting...
Mon Sep 06 13:03:54 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'state on'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'log all on'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'hold off'
Mon Sep 06 13:03:54 2021 MANAGEMENT: CMD 'hold release'
Mon Sep 06 13:04:42 2021 MANAGEMENT: CMD 'username "Auth" "USERNAME"'
Mon Sep 06 13:04:42 2021 MANAGEMENT: CMD 'password [...]'
Mon Sep 06 13:04:42 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 06 13:04:42 2021 MANAGEMENT: >STATE:1630926282,RESOLVE,,,,,,
Mon Sep 06 13:04:42 2021 UDPv4 link local: [undef]
Mon Sep 06 13:04:42 2021 UDPv4 link remote: [AF_INET]PUBLIC_UTM_WAN_IP:4443
Mon Sep 06 13:04:42 2021 MANAGEMENT: >STATE:1630926282,WAIT,,,,,,
Mon Sep 06 13:05:42 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 06 13:05:42 2021 TLS Error: TLS handshake failed
Mon Sep 06 13:05:42 2021 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 06 13:05:42 2021 MANAGEMENT: >STATE:1630926342,RECONNECTING,tls-error,,,,,
Mon Sep 06 13:05:42 2021 Restart pause, 2 second(s)
Mon Sep 06 13:05:44 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 06 13:05:44 2021 MANAGEMENT: >STATE:1630926344,RESOLVE,,,,,,
Mon Sep 06 13:05:44 2021 UDPv4 link local: [undef]
Mon Sep 06 13:05:44 2021 UDPv4 link remote: [AF_INET]PUBLIC_UTM_WAN_IP:4443
Mon Sep 06 13:05:44 2021 MANAGEMENT: >STATE:1630926344,WAIT,,,,,,
Mon Sep 06 13:06:44 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 06 13:06:44 2021 TLS Error: TLS handshake failed
Mon Sep 06 13:06:44 2021 SIGUSR1[soft,tls-error] received, process restarting
The UTM OpenVPN Log shows:
2021:09:06-15:43:43 utm openvpn[16234]: USER_IP:51989 TLS: Initial packet from [AF_INET]USER_IP:51989 (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0), sid=a5a756e7 f80faa03
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 TLS Error: TLS handshake failed
2021:09:06-15:43:50 utm openvpn[16234]: USER_IP:50926 SIGUSR1[soft,tls-error] received, client-instance restarting
2021:09:06-15:43:52 utm openvpn[16234]: USER_IP:63575 TLS: Initial packet from [AF_INET]USER_IP:63575 (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0), sid=c7046edc e96a1244
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: CMD 'status -1'
The TLS error repeats endlessly for all users. The same applies to the Sophos RED logfile.
One strange thing, which might be the source of the problem, is that the OpenVPN logfile shows:
...TLS: Initial packet from... (via [AF_INET]PUBLIC_UTM_WAN_IP%eth0)...
I've compared the logfiles to an OpenVPN logfile from before we physically moved the hardware appliance, and in that logfile, where the SSL VPN still worked, it shows:
...TLS: Initial packet from... (via [AF_INET]PUBLIC_UTM_WAN_IP%eth1)...
eth0 is the default and current LAN interface/port, while eth1 is the default and current WAN interface/port.
The certificate authority, server certificate and user certificates are all valid, which I can confirm: when connecting from an internal interface, the SSL VPN connection works, like it did before from the internet.
I've tried to change the interface address under "Remote Access -> SSL -> Settings -> Interface Address" from the default "Any IPv4" to the "WAN Interface address", but this doesn't change anything. The TLS connection still uses the LAN port/interface instead of the WAN port/interface.
How can I change the OpenVPN server to use the correct interface, which should be the WAN interface in this case?
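The diagnostic the poster did by eye, comparing the "(via [AF_INET]...%ethX)" field of the "TLS: Initial packet" lines against the interface the WAN is supposed to be on, can be scripted so that an operator watching a UTM OpenVPN log gets an immediate warning when client handshakes start arriving on the wrong interface. The following is an added example, not code from the post or from Sophos: it parses log lines in the format quoted above, counts initial packets per local interface and TLS handshake failures per peer, and flags any ingress interface other than the one the operator expects. The sample lines are constructed (RFC 5737 documentation addresses) and the expected WAN interface name is a parameter the caller supplies.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the UTM OpenVPN log format quoted in
# the post. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2021:09:06-15:43:43 utm openvpn[16234]: 198.51.100.10:51989 TLS: Initial packet from [AF_INET]198.51.100.10:51989 (via [AF_INET]203.0.113.5%eth0), sid=a5a756e7 f80faa03
2021:09:06-15:43:50 utm openvpn[16234]: 198.51.100.10:50926 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021:09:06-15:43:50 utm openvpn[16234]: 198.51.100.10:50926 TLS Error: TLS handshake failed
2021:09:06-15:43:50 utm openvpn[16234]: 198.51.100.10:50926 SIGUSR1[soft,tls-error] received, client-instance restarting
2021:09:06-15:43:52 utm openvpn[16234]: 198.51.100.22:63575 TLS: Initial packet from [AF_INET]198.51.100.22:63575 (via [AF_INET]203.0.113.5%eth0), sid=c7046edc e96a1244
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2021:09:06-15:44:03 utm openvpn[16234]: MANAGEMENT: CMD 'status -1'
2021:09:06-15:44:10 utm openvpn[16234]: 198.51.100.22:63575 TLS Error: TLS handshake failed
"""

# "Initial packet" line: which peer sent it and on which local address/interface
# the server saw it arrive (the "%ethX" suffix the poster compared).
INITIAL_RE = re.compile(
    r"TLS: Initial packet from \[AF_INET\](?P<peer>[\d.]+):\d+ "
    r"\(via \[AF_INET\](?P<local>[\d.]+)%(?P<iface>\w+)\)"
)
# Handshake failure line; the peer address:port prefix precedes the message.
FAIL_RE = re.compile(
    r"openvpn\[\d+\]: (?P<peer>[\d.]+):\d+ TLS Error: TLS handshake failed"
)


@dataclass
class Report:
    ingress_by_iface: Counter = field(default_factory=Counter)   # initial packets per local interface
    handshake_failures: Counter = field(default_factory=Counter)  # failed handshakes per peer address
    peers_seen: set = field(default_factory=set)


def analyse(log_text: str) -> Report:
    """Walk the log once and tally ingress interfaces and handshake failures."""
    report = Report()
    for line in log_text.splitlines():
        m = INITIAL_RE.search(line)
        if m:
            report.ingress_by_iface[m["iface"]] += 1
            report.peers_seen.add(m["peer"])
            continue
        m = FAIL_RE.search(line)
        if m:
            report.handshake_failures[m["peer"]] += 1
    return report


def misrouted_interfaces(report: Report, expected_wan_iface: str) -> dict:
    """Interfaces other than the expected WAN one that received initial packets, with counts."""
    return {iface: n for iface, n in report.ingress_by_iface.items()
            if iface != expected_wan_iface}


def summarise(log_text: str, expected_wan_iface: str) -> dict:
    """Compact summary suitable for a dashboard or an alerting check."""
    r = analyse(log_text)
    return {
        "peers": len(r.peers_seen),
        "handshake_failures": sum(r.handshake_failures.values()),
        "peers_with_failures": sorted(r.handshake_failures),
        "misrouted": misrouted_interfaces(r, expected_wan_iface),
    }


if __name__ == "__main__":
    expected = "eth1"  # assumption: the WAN interface, as in the post
    s = summarise(SAMPLE_LOG, expected)
    print(f"{s['peers']} peer(s) sent initial packets, "
          f"{s['handshake_failures']} handshake failure(s)")
    for iface, n in s["misrouted"].items():
        print(f"WARNING: {n} initial packet(s) arrived via {iface}, expected {expected}")
```

Run against the real log (for example by reading the file into `summarise`), a non-empty `misrouted` result together with a rising failure count is exactly the pattern in the post: clients reach the listener, but through an interface the return path was not built for, so the handshake never completes and the 60-second negotiation timer fires on both ends.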