UTM: SSL Site to Site VPN Troubleshooting

  • Article ID: 115835
  • Updated: 19 Dec 2013


This article provides information on troubleshooting problems with the SSL Site-to-Site VPN on the Sophos UTM.

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM

Operating systems
Sophos UTM V7, V8, V9

What To Do

General Information & Troubleshooting Tips

The SSL VPN uses a virtual interface called tun# (e.g. tun0, tun1) for traffic within the tunnel, so if you experience issues routing traffic over the VPN, you can capture traffic on that interface using tcpdump to assist with troubleshooting. For information on using tcpdump, see KB 115343.

SSL VPN logs can be viewed by browsing to Logging & Reporting | View Log Files | Today's Log Files, and clicking on View next to SSL VPN. See the section below for an example of what the logs should look like after a successful establishment of an SSL tunnel. 

If the tunnel is not establishing, the logs should give you an indication as to why. The most common reason is that the certificate the server is using for the tunnel contains invalid information, or has an issuer not trusted by the client UTM. 

You can create new certificates by browsing to Site-to-site VPN | Certificate Management | Certificates, and clicking on New certificate. For VPN certificates, ensure the VPN ID Type is set to Hostname, and ensure the VPN ID matches the hostname the client is using when connecting to the server. For example, if the client connects to vpn.example.com when establishing a VPN connection, ensure that is what is listed under VPN ID. Also, ensure the same hostname (or IP address) is listed under Common Name.

If the logs indicate the issuer certificate could not be verified, you can regenerate it by going to Site-to-site VPN | Certificate Management | Advanced, ensuring the organization/location info is correct, and clicking on Apply. Note: if you have any remote access VPN users, they will need to re-download the certificate package before they can log back into the UTM.

Example log output from a working tunnel

  1. Example log output from the UTM acting as the server:

    2009:04:06-11:10:35 astaro openvpn[17386]: TCP/UDP: Closing socket
    2009:04:06-11:10:35 astaro openvpn[17386]: TCP/UDP: Closing socket
    2009:04:06-11:10:35 astaro openvpn[17386]: /usr/bin/openvpn_updown.plx down tun0 1500 1556 10.242.2.1 10.242.2.2 init
    2009:04:06-11:10:36 astaro openvpn[17386]: Closing TUN/TAP interface
    2009:04:06-11:10:36 astaro openvpn[17386]: /sbin/ifconfig tun0 0.0.0.0
    2009:04:06-11:10:37 astaro openvpn[17386]: SIGTERM[hard,] received, process exiting
    2009:04:06-11:10:38 astaro openvpn[17555]: OpenVPN 2.1_rc13 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 18 2009
    2009:04:06-11:10:38 astaro openvpn[17555]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    2009:04:06-11:10:38 astaro openvpn[17555]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
    2009:04:06-11:10:38 astaro openvpn[17555]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    2009:04:06-11:10:39 astaro openvpn[17555]: TLS-Auth MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
    2009:04:06-11:10:39 astaro openvpn[17555]: TUN/TAP device tun0 opened
    2009:04:06-11:10:39 astaro openvpn[17555]: /sbin/ifconfig tun0 10.242.2.1 pointopoint 10.242.2.2 mtu 1500
    2009:04:06-11:10:39 astaro openvpn[17555]: /usr/bin/openvpn_updown.plx up tun0 1500 1556 10.242.2.1 10.242.2.2 init
    2009:04:06-11:10:43 astaro openvpn[17555]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
    2009:04:06-11:10:43 astaro openvpn[17578]: Listening for incoming TCP connection on [undef]:443
    2009:04:06-11:10:43 astaro openvpn[17578]: TCPv4_SERVER link local (bound): [undef]:443
    2009:04:06-11:10:43 astaro openvpn[17578]: TCPv4_SERVER link remote: [undef]
    2009:04:06-11:10:43 astaro openvpn[17578]: Initialization Sequence Completed
    2009:04:06-11:10:45 astaro openvpn[17578]: Re-using SSL/TLS context
    2009:04:06-11:10:45 astaro openvpn[17578]: LZO compression initialized
    2009:04:06-11:10:45 astaro openvpn[17578]: Control Channel MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
    2009:04:06-11:10:45 astaro openvpn[17578]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
    2009:04:06-11:10:45 astaro openvpn[17578]: Local Options hash (VER=V4): 'a4f12474'
    2009:04:06-11:10:45 astaro openvpn[17578]: Expected Remote Options hash (VER=V4): '619088b2'
    2009:04:06-11:10:45 astaro openvpn[17578]: TCP connection established with 213.144.15.3:37791
    2009:04:06-11:10:45 astaro openvpn[17578]: TCPv4_SERVER link local: [undef]
    2009:04:06-11:10:45 astaro openvpn[17578]: TCPv4_SERVER link remote: 213.144.15.3:37791
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 VERIFY OK: depth=1, /C=de/L=Stutensee/O=Schiele_Home/CN=Schiele_Home_VPN_CA/emailAddress=xxxx
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 VERIFY OK: depth=0, /C=de/L=Stutensee/O=Schiele_Home/CN=REF_USHBDGEcpM
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 TLS: Username/Password authentication succeeded for username 'REF_dmROSiStoE'
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2009:04:06-11:10:46 astaro openvpn[17578]: 213.144.15.3:37791 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2009:04:06-11:10:47 astaro openvpn[17578]: 213.144.15.3:37791 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    2009:04:06-11:10:47 astaro openvpn[17578]: 213.144.15.3:37791 [REF_USHBDGEcpM] Peer Connection Initiated with 213.144.15.3:37791

  2. Example log output from the UTM acting as the client:

    2009:04:06-11:21:24 schieleASG openvpn[4393]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    2009:04:06-11:21:24 schieleASG openvpn[4393]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    2009:04:06-11:21:24 schieleASG openvpn[4393]: LZO compression initialized
    2009:04:06-11:21:24 schieleASG openvpn[4393]: Control Channel MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
    2009:04:06-11:21:24 schieleASG openvpn[4393]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
    2009:04:06-11:21:24 schieleASG openvpn[4393]: Local Options hash (VER=V4): '619088b2'
    2009:04:06-11:21:24 schieleASG openvpn[4393]: Expected Remote Options hash (VER=V4): 'a4f12474'
    2009:04:06-11:21:24 schieleASG openvpn[4393]: Attempting to establish TCP connection with 91.89.23.142:443 [nonblock]
    2009:04:06-11:21:25 schieleASG openvpn[4393]: TCP connection established with 91.89.23.142:443
    2009:04:06-11:21:25 schieleASG openvpn[4393]: TCPv4_CLIENT link local: [undef]
    2009:04:06-11:21:25 schieleASG openvpn[4393]: TCPv4_CLIENT link remote: 91.89.23.142:443
    2009:04:06-11:21:25 schieleASG openvpn[4393]: VERIFY OK: depth=1, /C=de/L=Stutensee/O=Schiele_Home/CN=Schiele_Home_VPN_CA/emailAddress=xxxx
    2009:04:06-11:21:25 schieleASG openvpn[4393]: VERIFY X509NAME OK: /C=de/L=Stutensee/O=Schiele_Home/CN=astaro.intranet.schiele.local/emailAddress=xxxx
    2009:04:06-11:21:25 schieleASG openvpn[4393]: VERIFY OK: depth=0, /C=de/L=Stutensee/O=Schiele_Home/CN=astaro.intranet.schiele.local/emailAddress=xxxxx
    2009:04:06-11:21:27 schieleASG openvpn[4393]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2009:04:06-11:21:27 schieleASG openvpn[4393]: Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2009:04:06-11:21:27 schieleASG openvpn[4393]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2009:04:06-11:21:27 schieleASG openvpn[4393]: Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2009:04:06-11:21:27 schieleASG openvpn[4393]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    2009:04:06-11:21:27 schieleASG openvpn[4393]: [astaro.intranet.schiele.local] Peer Connection Initiated with 91.89.23.142:443
    2009:04:06-11:21:44 schieleASG openvpn[4393]: TUN/TAP device tun1 opened
    2009:04:06-11:21:44 schieleASG openvpn[4393]: /sbin/ifconfig tun1 10.242.2.6 pointopoint 10.242.2.5 mtu 1500
    2009:04:06-11:21:48 schieleASG openvpn[4393]: Initialization Sequence Completed

  3. Information which is pushed to the client from the server upon establishment of the VPN:

    /var/chroot-openvpn/etc/openvpn/server/REF_XXX:
        push-reset
        push "route 192.168.4.0 255.255.255.0"
        push "setenv-safe remote_network_1 192.168.4.0/24"
        push "setenv-safe local_network_1 192.168.67.0/24"
        iroute 192.168.67.0 255.255.255.0

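As an added example (not Sophos code), a small Python checker that walks UTM SSL VPN log lines in the format shown above, records which milestones from the working-tunnel logs appeared, picks out the tun# interface to capture on, and maps the result onto the troubleshooting steps in this article. The failure messages it matches (VERIFY ERROR, VERIFY X509NAME ERROR, TLS Error) are assumed from OpenVPN's own log text and do not appear on this page.

```python
import re

# One UTM SSL VPN log line looks like:
#   2009:04:06-11:10:45 astaro openvpn[17578]: <OpenVPN message>
LINE_RE = re.compile(r"^\S+ \S+ openvpn\[\d+\]: (.*)$")

# Milestones from the article's working-tunnel logs. Order is not assumed: the
# server opens tun0 and logs "Initialization Sequence Completed" before any
# client connects, so only "Peer Connection Initiated" proves a tunnel came up.
MILESTONES = {
    "tcp":     re.compile(r"TCP connection established with (\S+)"),
    "ca_ok":   re.compile(r"VERIFY OK: depth=1, (\S+)"),
    "name_ok": re.compile(r"VERIFY X509NAME OK: (\S+)"),   # client --tls-remote check
    "cert_ok": re.compile(r"VERIFY OK: depth=0, (\S+)"),
    "peer":    re.compile(r"Peer Connection Initiated with (\S+)"),
    "tun":     re.compile(r"TUN/TAP device (tun\d+) opened"),
}
# Assumed OpenVPN failure prefixes (not shown in the article's logs).
ERROR_RE = re.compile(r"VERIFY (?:X509NAME )?ERROR:.*|TLS Error:.*")

def analyse(lines):
    """Return which milestones appeared (with their captured value) and any errors."""
    found, errors = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # not an openvpn line; ignore
        msg = m.group(1)
        err = ERROR_RE.search(msg)
        if err:
            errors.append(err.group(0))
        for name, rx in MILESTONES.items():
            hit = rx.search(msg)
            if hit and name not in found:
                found[name] = hit.group(1)
    return {"found": found, "errors": errors}

def diagnose(report):
    """Map the report onto the article's troubleshooting steps."""
    f, errs = report["found"], report["errors"]
    if "peer" in f:
        return "established with %s; capture tunnel traffic with: tcpdump -ni %s" % (f["peer"], f.get("tun", "tun#"))
    if any(e.startswith("VERIFY X509NAME") for e in errs):
        return "server certificate CN/VPN ID does not match the hostname the client connects to"
    if any(e.startswith("VERIFY ERROR") for e in errs):
        return "certificate rejected: check the issuer CA is trusted or regenerate it (Certificate Management | Advanced)"
    if "tcp" not in f:
        return "no TCP connection to the server: check reachability of the server address and port"
    return "TCP connected but TLS never completed: inspect the SSL VPN log for the first error"
```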
If you need more information or guidance, then please contact technical support.
