January 16, 2017 at 10:17 am #44705
I think I’ve found a (little, but it made me crazy, I spent a lot of hours on it) bug after I upgraded a ZS 3.6.0 to ZS 3.7.0.
On this box I have configured an “OpenVPN Host-to-LAN VPN with X.509, Kerberos 5 and Radius Authentication” with “X509+password” authentication in order to let road warriors connect to the LAN while out of the office.
– I had been connecting from remote with the ZS 3.6.0 configuration for months (also the day before upgrading!);
– I did not change anything before/during/after the upgrade;
– The upgrade process to ZS 3.7.0 went fine without any error or issue.
But, once remote after upgrading to ZS 3.7.0, I wasn’t able to reconnect with the OpenVPN GUI anymore, with “Connection reset, restarting”, “TCP/UDP: Closing socket” and “SIGUSR1[soft,connection-reset] received, process restarting” messages in the log file.
First I thought it was a certificate problem. So (by Remote Desktop from a local server) I renewed (only) the users’ certificates from Users > [username] > X509 > Revoke and then Renew (validity 3650). But this didn’t fix the problem, also because the users’ certificates were still valid!
After a lot of tests, I decided to compare a different 3.6.0 installation (another customer) with the one upgraded to 3.7.0. They’re completely identical regarding the OpenVPN configuration.
I found a little difference in the VPN section: X.509 Configuration > Authentication button. The window is called “Allow the X.509 VPN access with the certificates signed by the following Trusted CAs”.
On the 3.6.0 the only item, the local ZS CA, was checked/ticked; on the 3.7.0 it wasn’t. I could bet it was checked too on the (current) ZS 3.7.0 box before upgrading.
So, I simply checked it on ZS 3.7.0 and the OpenVPN client started working again.
Next week I will also upgrade the other ZS 3.6.0 box, so I will verify whether it is a bug in the upgrade or I was simply unlucky with it. But I cannot do it before next week.
I hope this could help somebody else to save time.
Thank you for supporting us and for giving me feedback on it!
January 17, 2017 at 6:50 am #54314
Indeed you saved my time: I also got this issue after upgrading from 3.6 to 3.7.
Fixed it by ticking the Authentication -> Trusted CAs item.
Thank you again!
January 17, 2017 at 4:31 pm #54315
So, it’s a bug. I hope Fulvio will fix it asap.
January 17, 2017 at 8:31 pm #54316
Due to the way the new OpenSSL creates the hash of the certificates (MD5 -> SHA1), the Trusted CAs signing the certificates authorized for X.509 access to the VPN and captive portal services have to be flagged again.
Sorry for the inconvenience.
Fulvio
January 25, 2017 at 9:15 am #54317
Will we need to check the flag again after EACH upgrade (also from 3.7 to 3.7.1, for example), or did this affect only the move to 3.7.0?
January 25, 2017 at 10:17 am #54318
I upgraded 3.7.0 -> 3.7.1 and didn’t need to flag again.
So I would say the issue only affects * -> 3.7.0 upgrades.
January 27, 2017 at 5:18 pm #54319
I got the same issue… but very strangely not for all my users…
Then migrating to 3.7.1, no issues.
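Fulvio’s reply above explains the root cause: the trusted-CA tick is stored under a hash of the CA certificate, and the newer OpenSSL names certificates by a SHA-1 based subject hash instead of the old MD5 one, so a flag saved under the old key is simply never found again. The following Python model is an added example (not ZeroShell’s code; the subject bytes, the `TrustedCaFlags` store and the `migrate`/`needs_reflag` helpers are assumptions made for illustration). It uses the same 4-byte little-endian construction OpenSSL applies to the digest, but skips OpenSSL’s name canonicalisation, so the values are not the ones `openssl x509 -subject_hash` would print for a real certificate; the point is to show why the flag disappears after the hash function changes, and what a one-time migration (equivalent to ticking the CA again) looks like.

```python
import hashlib

# Constructed sample subject names (not real certificates): stand-ins for the
# DER-encoded X.509 subject of each CA. Only the bytes matter for this model.
ZS_CA_SUBJECT = b"CN=ZeroShell Example CA,O=Example Org,C=IT"
OTHER_CA_SUBJECT = b"CN=Some Other CA,O=Example Org,C=IT"


def _first4_le(digest: bytes) -> str:
    # OpenSSL forms the hash-link name from the first four digest bytes,
    # least significant byte first, printed as eight hex digits.
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(subject_der: bytes) -> str:
    """MD5-based name used by OpenSSL before 1.0.0 (cf. `openssl x509 -subject_hash_old`)."""
    return _first4_le(hashlib.md5(subject_der).digest())


def subject_hash_new(subject_der: bytes) -> str:
    """SHA-1-based name used by OpenSSL 1.0.0 and later (cf. `openssl x509 -subject_hash`).
    Assumption: real OpenSSL hashes a canonicalised encoding of the name; that
    step is left out here because only the change of key matters for the model."""
    return _first4_le(hashlib.sha1(subject_der).digest())


class TrustedCaFlags:
    """Model of the 'Allow the X.509 VPN access with the certificates signed by
    the following Trusted CAs' tick boxes: one flag per CA, keyed by subject hash."""

    def __init__(self, hash_fn, flags=None):
        self.hash_fn = hash_fn
        self.flags = dict(flags or {})

    def set_trusted(self, subject_der: bytes, trusted: bool = True) -> None:
        self.flags[self.hash_fn(subject_der)] = trusted

    def is_trusted(self, subject_der: bytes) -> bool:
        return self.flags.get(self.hash_fn(subject_der), False)


def upgrade_without_migration(old: TrustedCaFlags) -> TrustedCaFlags:
    """Keep the stored flags exactly as they are, but look them up with the new
    hash. This reproduces the symptom: the tick is still on disk, but under a
    key nobody asks for any more, so the CA shows up as unticked."""
    return TrustedCaFlags(subject_hash_new, old.flags)


def needs_reflag(old: TrustedCaFlags, ca_subjects) -> list:
    """Pre-upgrade audit: which CAs are trusted now but would lose their flag
    once lookups switch to the new hash?"""
    after = upgrade_without_migration(old)
    return [s for s in ca_subjects if old.is_trusted(s) and not after.is_trusted(s)]


def migrate(old: TrustedCaFlags, ca_subjects) -> TrustedCaFlags:
    """Re-key the flag of every CA whose certificate we still hold. This is the
    one-time equivalent of ticking each CA again in the GUI."""
    new = TrustedCaFlags(subject_hash_new)
    for subj in ca_subjects:
        if old.is_trusted(subj):
            new.set_trusted(subj)
    return new


if __name__ == "__main__":
    store = TrustedCaFlags(subject_hash_old)
    store.set_trusted(ZS_CA_SUBJECT)
    print("old key:", subject_hash_old(ZS_CA_SUBJECT), "new key:", subject_hash_new(ZS_CA_SUBJECT))
    print("trusted before upgrade:", store.is_trusted(ZS_CA_SUBJECT))
    print("trusted after naive upgrade:", upgrade_without_migration(store).is_trusted(ZS_CA_SUBJECT))
    print("CAs that need re-flagging:", needs_reflag(store, [ZS_CA_SUBJECT, OTHER_CA_SUBJECT]))
    print("trusted after migration:", migrate(store, [ZS_CA_SUBJECT]).is_trusted(ZS_CA_SUBJECT))
```

On a real box the two names can be compared directly with `openssl x509 -in ca.pem -noout -subject_hash` and `-subject_hash_old`; if anything keyed by the old value (hash-named links in a CA directory, a stored allow-list) is still in use after an OpenSSL upgrade, it will miss in exactly the way the thread describes, which is also why a later 3.7.0 -> 3.7.1 step, with no further hash change, needed no re-flagging.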