After Upgrade from 17.5 MR13 to MR14 Sophos VPN CLient fails to connect (urgent)

Hi juergenb52 

Thank you for reaching out to the Community! 

Are you able to see the traffic from your public IP address on port 8443 on the firewall? 

Check out the following KBA: Sophos XG Firewall: How to monitor traffic using packet capture utility in the GUI.

Is this issue affecting all the users or only specific users? Have you restarted your workstation after reinstalling the client and config? 

Thanks,

Thanks Patel,

i had my Home Office VPN Client connected to the XG 17.5 MR12 and was connected to my office desktop.
From Office Desktop i upgraded to MR13, it took some time until the upgrade was done and the VPN Client connected againg to MR13.

Next Step was to upgrade to MR14, after 20minutes still no VPN.

MR14 is up and running for most of the rules (i hope).

I did a capture today and Diagnostics with BPF 'dst port 8443' gives two captured packets.

First packet says ... Source IP, Dest IP, Packet, Ports, and ... 

Status: Violation
Reason: Local_ACL

I use VPN on external E1 (WAN).
And i had disabled (Apply) enable (Apply) Local Service ACL in Admin/Device Access -> WAN / SSl VPN

Its not confidence inspiring that a simple Update from Release 1 to Release 2 works for the simplest things in a firewall.

What else can be wrong in a upgrade ...

Thanks

Jürgen

Hi Christian,

Support just restarted the VPN Service from CLI.
But i think a reboot would have done the same.

But you are on 14-1, i tried to upgrade yesterday from MR14 - MR14-1.

This was a desaster, the firewall rebooted and wasn´t seen anymore.
The Firmware upgrade didn´t upgrade the network settings, all NIC settings where at factory defaults.

Please verifiy you NIC settings first, maybe you don´t reach VPN because all is at factory settings.

I reverted to MR14

regards

Jürgen

Hi Jürgen!

Thx!

I tried a restart, but it didn't helped.

I analyzed the OpenVPN log and it seems that it has something to do with the personal certificates.

As Sophos messed the wohle certificate thing when the Comodo / Sectigo Root expired, I think they have changed something on the certificate validation method in MR-14/MR-14-1.

I need to investigate this further.

Regards,

Christian

Hi All,

Any update on this? We have the same issue when I did an upgrade to MR14-1, users cannot connect to ssl vpn.

Hello,

Any update about this problem?

Hello Luana,

Thank you for contacting the Sophos Community!

If you are being affected by this please open a ticket with support for further investigation, Jurgen was able to resolve his issue connecting from a different Client. When opening the ticket please do a drop packet capture and add this to the ticket, also send me the Case ID so I can follow-up!

console > drop-packet-capture 'port 8443' 

Modify the port accordingly to the one you are using.

Regards,

Hello Jayson,

Thank you for contacting the Sophos Community!

If you are being affected by this please open a ticket with support for further investigation, Jurgen was able to resolve his issue connecting from a different Client. When opening the ticket please do a drop packet capture and add this to the ticket, also send me the Case ID so I can follow-up!

console > drop-packet-capture 'port 8443'

Modify the port accordingly to the one you are using.

Regards,

Hi Emmanuel!

It's ridiculous that WE as a customer should do all the work for support.As you can see, the problem is widespread and the solution "to connect from another PC" borders on mockery. How are we going to tell that to the 100 employees? Buy a new PC now and log on from there?
I had opened a support case about this, but the great Indian support just closed the case without a solution. I escalated, but that didn't help either.It's really sad to see that Sophos doesn't care about end users.

Best regards,

Christian

Hi Christian,

Can you provide support ID for your issue?

Regards,

Alok

Hi Luana,

if you have opened support case, can you provide case ID?

Regards,

Alok

Hi Alok,

here is the case number: 03081175

Regards,

Christian

Hi Alok,

here is the case number: 03081175

Regards,

Christian

Hello Christian,

Thank you for the Case ID.

I think there was a misunderstanding, I never said to buy a new computer, rather than he tried from a different computer. 

Checking on the ticket, I can see there was no reply from Sep 4, so the case got closed. I will ask the engineer to open the ticket and reach out to you.

Additionally to this, if you enable Support Access and send me via PM the Access ID, I could create a test user and try to replicate the issue, so I can add this into the ticket to expedite the investigation.

Monitor & Analize >> Diagnostics >> Support Access >> ON >> Access Status >> And copy & paste the Access ID and send it to me.

Regards,

Hi Emmanuel!

That is not correct!
I have answered via eMail on Sep 7th with detailed information regarding this case. Afterwards the case was closed on Sep 10th.

In the meantime I have tested this my self to find asolution and it only doesn't work for existing users!
If I create a new user the new user can connect successful!

But that's no solution. I can't tell all my customers: "We will upgrdade your firmware, but by the way all users need to reinstall the VPN access."

So it has something to do with existing users, which have already used the VPN access.

Please give me a eMail address and I can send you my eMail from Sep 7th.

Best regards, 

Christian

Hi Christian,

i think sophos is not realy testing their release versions. They let the customer do this.

Actually you can tell your customer to do that: We will upgrdade your firmware, but by the way all users need to reinstall the VPN access."

Because if you move to Sophos Connect 2.0, it will do this for you. The user will simple see a "Oh the config seems to be not valid, let me grab you a new config". Done. 

Sophos Connect 2.0 will do the job for you in providing and provisioning the config files (ovpn files) to all users. So such cases wouldnt matter anymore, if this occur a second time. 

I gave up.

I am not willing to do the job from Sophos. They produce one problem with XG after another and we the partners and customers have to pay for it all. We are now evaluating competing products that are stable and secure. The effort we put into each XG release is out of all proportion to the small margin (with the new partner program in general) we get.

Last question in the transition period: Is Sophos Connect 2.0 for SFOS 17.5.x available at all or only for 18.x?

Yes SC 2.0 is available for v17.5 as well. 

@Christian Cigler  we worked on your earlier reported problem over remote session and explained you there was certificate change detected in XG side configuration (COMODO issued cert to self signed) from working/non-working OVPN configuration file you shared. 

Suggested over email to rollback to earlier certificate and try.