Troubleshooting and FAQs for remote access VPN
Troubleshooting
SSL VPN
Traffic doesn't flow through remote access SSL VPN connections after migrating to version 19.5.
Cause
In version 19.0.x and later, on SSL VPN global settings, for Assign IPv4 addresses, you enter a network IP address and subnet rather than an IP range.
Here's an example:
The firewall leases IP addresses to remote access SSL VPN users from the network you configure.
When you migrate to 19.5 and later, the firewall converts the IP range and subnet mask configured in 18.5.x and earlier versions to the subnet value.
However, if you've added a custom IP host for the lease range to the corresponding firewall rules, the host's lease range may not match the migrated subnet. So, traffic may not flow through the remote access SSL VPN connections after you migrate.
Remedy
For the source and destination networks in the corresponding firewall rules, select the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6. See Configure remote access SSL VPN as a split tunnel.
The firewall automatically applies the conversion from IP range to network for these system hosts because it dynamically adds the leased IP addresses to these system hosts when remote users establish connections.
The SSL VPN configuration file is of a 0-byte file size.
The issue may occur because of incomplete certificate or CA configurations or other reasons.
Do as follows:
- Make sure you've correctly configured the signing CA. By default, the server certificate uses ApplianceCertificate, and its CA is Default CA.
- Regenerate the certificate generated from this CA.
- Users must download and install the SSL VPN configuration (
.ovpn) file again.
IPsec
The following error appears: Failed to validate certificate.
Cause
The Sophos Connect Client configuration uses a third-party certificate.
On Remote access VPN > IPsec, when you set the local certificate to ApplianceCertificate or any locally-signed certificate and set the remote certificate to a third-party certificate, the client imports the connection and establishes a connection the first time. The error message appears when users try to connect after the endpoint or the Sophos Connect client restart.
The error appears when the same CA hasn't signed the local and remote certificates.
Remedy
Do one of the following:
- Set self-signed certificates generated on the firewall or those signed by the same third-party CA as the local and remote certificates.
- If you use third-party certificates, upload the signing CA to the firewall.
- Alternatively, use a preshared key for IPsec remote access connections.
MFA causes remote access IPsec tunnels to go down.
During phase 1 IKEv1 rekeying, remote access IPsec tunnels go down when an OTP request is made.
The default IPsec profile's rekey interval is implemented as approximately four hours.
If you want to prevent the disruption, create a custom IPsec profile with a longer rekey interval of up to 24 hours.
SSL VPN and IPsec
Unable to authenticate some users.
Check if the username has umlaut, UTF-8, or UTF-16 characters. Currently, the Sophos Connect client doesn't support these. It only supports ASCII characters.
FAQs
Basic FAQs
Can I establish remote access IPsec and SSL VPN tunnels on Windows, macOS, and mobile platforms?
See the following table for VPN clients and configurations for the supported endpoint platforms:
| Endpoint OS | IPsec | SSL VPN |
|---|---|---|
| Windows | Sophos Connect client
| Sophos Connect client
|
| macOS | Sophos Connect client
| Third-party client
|
| Android | Third-party client
| Third-party client
|
| iOS | No client required. Download configuration from user portal. | Third-party client
|
Provisioning file
SSL VPN connections are established on gateways that aren't configured in the provisioning (.pro) file.
The Sophos Connect client only uses the gateways entered in the .pro file to connect to the user portal and fetch the remote access VPN configurations. These gateways aren't used for establishing VPN connections.
IPsec: Tunnels are established using the interface you select in the configuration.
SSL VPN: Tunnels are established over the interfaces configured on Network > Interfaces if you've allowed SSL VPN from their zones (Administration > Device access > Local service ACL). These are listed in the .ovpn file.
To use the public IP address or a specific IP address for SSL VPN, go to SSL VPN global settings and enter it in Override hostname. See SSL VPN global settings.
How can I use the provisioning and configuration files if the firewall is behind a router?
Provisioning file: Enter the FQDN or public IP address of the router. Configure the router's DNAT settings to forward the traffic to the firewall.
IPsec: In the .scx file, manually change the gateway address to the router's WAN IP address, then configure the router's settings.
SSL VPN: On SSL VPN global settings, set Override hostname to the public FQDN or the router's WAN IP address, then configure the router's settings.
When should users manually import IPsec and SSL VPN configuration changes to the Sophos Connect client?
IPsec: Users must click Edit connection 
on the Sophos Connect client, click Update policy, and download the configuration from the user portal.
SSL VPN: For changes to the port, protocol, gateway, and SSL server certificate on SSL VPN global settings, users must click Update policy in the client. See When SSL VPN users must download the configuration again.
If you use the .pro file, it automatically fetches some SSL VPN configuration updates. Alternatively, reinstall the .pro file on users' endpoints to fetch the IPsec and SSL VPN configurations again.
Untrusted certificate error appears when the provisioning file is used.
The error appears if you use the firewall's default certificate for the web admin console and the user portal (Administration > Admin and user settings). The .pro file connects to the user portal to fetch the VPN configurations resulting in the error because the default certificate's private.
Multi-factor authentication
How do I implement MFA for remote access VPN users?
Go to Authentication > Multi-factor authentication and configure MFA. See Configure MFA with an authenticator app
Make sure you select the following:
- User portal
- SSL VPN remote access
- IPsec remote access
How do I implement an independent input field for OTP in the Sophos Connect client?
To show the third input field, do as follows:
- IPsec: Go to Remote access > IPsec. Under Advanced settings, select Prompt users for 2FA token and click Apply.
-
IPsec and SSL VPN: Set the following values in the provisioning file:
- otp:
true - 2fa:
1
- otp:
Does Sophos Connect client support challenge-based MFA?
No. Currently, the Sophos Connect client doesn't support OTP challenge. It sends the password and OTP details in passwordotp format to the authentication server. So, when the authentication server sends an OTP challenge, it doesn't receive the OTP alone, and authentication doesn't take place.
The Sophos Connect client supports Call and Push-based MFA. The user portal and web admin console support challenge-based MFA in addition to these.
Remote access IPsec
Can I establish remote access IPsec connections on more than one WAN interface?
Currently, you can only establish remote access IPsec connections on a single WAN interface.
Remote access SSL VPN
Why can't I add subnets smaller than /24 in SSL VPN global settings?
The firewall runs SSL VPN tunnels in multiple instances, depending on the number of CPUs in the model. Each instance creates a tun0 interface, which requires an independent subnet for routing and internal traffic distribution.
The firewall automatically slices subnets from the configured network address and subnet and assigns them to the tun0 interfaces. Smaller subnets, such as /25 and smaller, result in fewer IP addresses for lease.
For example, a 192.168.0.0/27 network in a firewall with eight concurrent instances has a single leasable IP address after assigning the subnets to the eight tun0 interfaces.