TLS Handshake Failed in SSL VPN Access - Management, Networking, Logging and Reporting - Sophos UTM 9 - Sophos Community


10/29/2018 TLS Handshake Failed in SSL VPN access - Management, Networking, Logging and Reporting - Sophos UTM 9 - Sophos Community

TLS Handshake Failed in SSL VPN access

I am receiving this error when trying to connect via SSL VPN to the portal.

2017-11-25 21:52:18 TCPv4_CLIENT link remote: [AF_INET]XX.XX.XX.XX:443
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,WAIT,,,
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,AUTH,,,
2017-11-25 21:52:18 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:443, sid=7273b871 8de32caf
2017-11-25 21:52:18 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=NA, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
2017-11-25 21:52:18 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-11-25 21:52:18 TLS_ERROR: BIO read tls_read_plaintext error
2017-11-25 21:52:18 TLS Error: TLS object -> incoming plaintext read error
2017-11-25 21:52:18 TLS Error: TLS handshake failed
2017-11-25 21:52:18 Fatal TLS error (check_tls_errors_co), restarting
2017-11-25 21:52:18 SIGUSR1[soft,tls-error] received, process restarting
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,RECONNECTING,tls-error,,
2017-11-25 21:52:18 MANAGEMENT: CMD 'hold release'

I currently am using a public DNS record on Port 443. I have a CA signed wildcard domain which I'm using
for my VPN certificate. *.domain.com. My VPN is: vpn.domain.com.
I also use this for my portal / reverse proxy and it is verified by browser and a valid certificate.

The above error occurs when I attempt to use this same certificate in my SSL VPN configuration.
If I use a user signed certificate or my self-signed webadmin cert, the SSL connects fine.

Any help is appreciated!

DouglasFoster

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/98279/tls-handshake-failed-in-ssl-vpn-access 1/2

I suggest that you repeat the download of VPN SSL components from the User Portal or Web Admin pages.

SSL VPN should find a client certificate that represents you, one that is issued by UTM under its own VPN CA. "unable to get issuer certificate" suggests to me that your user certificate is not found.

Beyond that, I am stumped. SSL VPN works fine on my configuration, which has always used a public CA for the UTM address.

AH60611

Just to wrap this up for anyone out there who may have this same problem. I was looking over configurations again and went
ahead and regenerated my VPN signing CA. This is under the Advanced tab in UTM 9 of Cert Management.

This resolved the issue and I am no longer having issues connecting!
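The check that fails in the log above, reproduced as an added example that is not code from this thread or from Sophos: an OpenVPN client verifies the server certificate only against the CA bundle carried in the <ca> block of its profile, so a server certificate issued by a public CA that is absent from that block is rejected at the handshake even though browsers trust it. The CA names, vpn.example.com and the generated keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// extractOvpnCA returns the PEM between <ca> and </ca> of an inline OpenVPN
// profile, the only trust store the client consults for the server cert.
func extractOvpnCA(profile string) (string, error) {
	i, j := strings.Index(profile, "<ca>"), strings.Index(profile, "</ca>")
	if i < 0 || j < i {
		return "", fmt.Errorf("profile has no inline <ca> block")
	}
	return strings.TrimSpace(profile[i+4 : j]), nil
}

// verifyServerCert mirrors the handshake check that failed in the log above:
// a server cert that does not chain to a CA in caPEM is rejected with
// x509.UnknownAuthorityError (OpenSSL reports "unable to get issuer certificate").
func verifyServerCert(caPEM string, server *x509.Certificate) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(caPEM)) {
		return fmt.Errorf("no CA certificate parsed from <ca> block")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// newCert builds a constructed test PKI (not real UTM or GlobalSign certs): a
// self-signed CA when parent is nil, else a server cert for cn signed by it.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Building a "UTM VPN CA" and a separate "Public CA", embedding only the former in a profile, and calling verifyServerCert on a server certificate from each CA yields nil for the VPN-CA-signed one and x509.UnknownAuthorityError for the public-CA-signed one, which is the situation the log shows.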
