Troubleshoot event errors

If you have issues connecting to your remote network, click the events tab, find the timestamp from when you attempted a connection, and find the relevant error.

In the following topics, you can see error messages, possible causes for the errors, and information on what to do next. If you experience any issues that aren't listed, see General troubleshooting.

If you need further assistance, contact Sophos Support.

No network connection

If you don't have a network connection, follow these instructions.

Cause

The network adapter (ethernet or Wi-Fi) has no IP address.

Remedy

Check that you have a valid IP address and that your existing network connection is working.

DNS resolution failed

If DNS resolution is failing, follow these instructions.

Cause

The client isn't able to resolve the gateway hostname.

Remedy

  1. Check if a DNS server is assigned to the network interface. If it doesn't resolve, contact your ISP.
  2. Run nslookup from the command prompt (Windows) or the Terminal (macOS) for a public host, such as www.sophos.com, and verify that it resolves to an IP address.
  3. If it doesn't resolve, contact your ISP.

User authentication of <username entered> failed

If you can't authenticate, follow these instructions.

Cause

The username or password didn't match.

Remedy

  1. Retry to see if it was due to user error during input.

     If you retry multiple times and get the same error, the password may have changed or been disabled on the firewall. In this case, contact your firewall administrator.

Import file contains a duplicate connection: <connection name>

The information below only applies if your firewall administrator configured a provisioning (.pro) file.

Cause

The connection imported from a provisioning file has a duplicate display name.

Remedy

Check the display_name attribute in the provisioning file and rename any duplicate names.

The connection data could not be added. Connection with name <connection name> already exists

Cause

A connection with the same name has already been imported.

Remedy

Delete the existing connection from Sophos Connect. Contact your firewall administrator if you need further help.

Cannot connect to policy gateway: <gateway name>

The information below only applies if your firewall administrator configured a provisioning (.pro) file.

Cause

The provisioning file is misconfigured.

This could be due to any of the following reasons:

  • Invalid gateway hostname or IP address.
  • Invalid port or outgoing blocked port.
  • The policy gateway is unreachable because it's turned off.

Remedy

  1. Make sure the value assigned to the gateway attribute is correct.
  2. Make sure the value assigned to the user_portal_port attribute matches the user portal HTTPS port setting on Sophos Firewall.
  3. If the provisioning file is configured correctly, contact your firewall administrator to troubleshoot further.
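
A pre-import check for the two provisioning-file errors above (duplicate display name and unreachable policy gateway), as an added example that is not Sophos code. It assumes the .pro file is a JSON array of connection objects; only the attribute names gateway, user_portal_port and display_name come from this page, and lint_provisioning and expected_port are hypothetical names.

```python
import json
from collections import Counter

# Constructed sample. Only the attribute names gateway, user_portal_port and
# display_name come from the page; the JSON-array layout is an assumption.
SAMPLE_PRO = """[
  {"gateway": "vpn.example.com", "user_portal_port": 443, "display_name": "Head office"},
  {"gateway": "vpn2.example.com", "user_portal_port": 70000, "display_name": "Head office"},
  {"gateway": "https://vpn3.example.com", "user_portal_port": 4443, "display_name": "Branch"}
]"""


def lint_provisioning(text, expected_port=None):
    """Return (entry_index, attribute, problem) tuples; an empty list means clean."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, None, f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    if isinstance(entries, dict):
        entries = [entries]  # tolerate a single connection object
    if not isinstance(entries, list):
        return [(None, None, "top level must be an array of connections")]
    names = Counter(e["display_name"] for e in entries
                    if isinstance(e, dict) and isinstance(e.get("display_name"), str))
    findings = []
    for i, e in enumerate(entries):
        if not isinstance(e, dict):
            findings.append((i, None, "entry is not an object"))
            continue
        gw = e.get("gateway")
        # The gateway must be a bare hostname or IP: no scheme, path or spaces.
        if not isinstance(gw, str) or not gw.strip() or any(c in gw for c in "/ \t"):
            findings.append((i, "gateway", "not a bare hostname or IP address"))
        if "user_portal_port" in e:
            port = e["user_portal_port"]
            # Assumption: the port is stored as a JSON integer.
            if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append((i, "user_portal_port", "not an integer in 1-65535"))
            elif expected_port is not None and port != expected_port:
                findings.append((i, "user_portal_port",
                                 f"{port} differs from user portal HTTPS port {expected_port}"))
        name = e.get("display_name")
        if isinstance(name, str) and names[name] > 1:
            findings.append((i, "display_name", f"duplicate display name {name!r}"))
    return findings


if __name__ == "__main__":
    for finding in lint_provisioning(SAMPLE_PRO, expected_port=443):
        print(finding)
```

Pass the user portal HTTPS port configured on Sophos Firewall as expected_port to catch a mismatch before the file is distributed.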

DNS resolution failed for gateway: <gateway name:port>

If DNS resolution is failing for the gateway, follow these instructions.

Cause

This error is due to an invalid hostname.

Remedy

  • If the connection was added using a provisioning file, verify the hostname provided.
  • If the connection was added by importing an OpenVPN (ovpn) file, contact your firewall administrator. They will check the SSL VPN settings on Sophos Firewall.

Service is unavailable

The troubleshooting steps below are for Windows only.

Cause

The Sophos Connect service (scvpn) is not running.

Remedy

Open the command prompt as an administrator and type the following command: net start scvpn

Server expected remote ID <expected ID value> but got <actual ID value>

Cause

The local ID type or value configured in the Sophos Connect policy on the firewall is different from this connection's value. This may be because the firewall administrator changed the local ID on the firewall, and the new configuration file wasn't imported to Sophos Connect.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

Possible pre-shared key mismatch <connection name>

This error applies to IPsec VPN connections only.

Cause

The pre-shared key on the firewall doesn't match the one used for this connection. The firewall administrator may have changed it on the firewall, and the new configuration file hasn't been uploaded to Sophos Connect.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

UDP ports 500/4500 blocked

This error applies to IPsec VPN connections only.

Cause

The firewall or the router is blocking UDP ports 500 and 4500.

Remedy

Check your local firewall or router configuration and allow traffic on those ports. If you don't have access to the firewall or router, for example, if you're in a hotel, connect through your mobile hotspot and try to connect again.

No response from gateway: <gateway FQDN or IP specified in connection>

This error applies to IPsec VPN connections only.

Cause

The gateway isn't responding to IKE negotiation messages. The possible causes are as follows:

  • The remote gateway (firewall or router) has been shut down.
  • The WAN address on the remote gateway isn't connected directly to the internet.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

Received NO_PROPOSAL_CHOSEN notification from gateway

This error applies to IPsec VPN connections only.

Cause

The remote gateway responded to IKE negotiations from Sophos Connect with this error notification. The possible causes are as follows:

  • The Sophos Connect policy isn't defined or activated on the firewall.
  • The firewall administrator changed the IKE phase 1 proposal used for the Sophos Connect policy on the firewall and the new configuration wasn't exported and uploaded to the client.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

SA disabled or deleted by gateway

This error applies to IPsec VPN connections only.

Cause

The gateway sent an IKE delete request, and then the tunnel was deleted. This could be due to any of the following reasons:

  • The firewall administrator changed the policy on the firewall. This sends an IKE delete request to all the active SAs on the firewall.
  • The firewall administrator manually deleted all of the IPsec connections for this user on the firewall.

Remedy

Try to reconnect. If you can't reconnect, contact your firewall administrator to troubleshoot further.

Failure to add route [network/mask] prevented phase 2 completion

This error applies to IPsec VPN connections only. The troubleshooting steps below are for Windows only.

Cause

After the Phase 2 Security Association (SA) is established, a route can't be added to the remote network. This may be because the strongSwan service crashed while the tunnel was active.

Remedy

  1. Turn off the TAP adapter, then turn it on.
  2. Open the command prompt as an administrator and enter the following commands: net stop scvpn, then net start scvpn

Failed to load connection info into strongSwan

The troubleshooting steps below are for Windows only.

Cause

The strongSwan service isn't running (service name: charon-svc.exe).

Remedy

Open the command prompt as an administrator and enter the following command: net start strongswan

No SSL VPN policy is defined for this user: <username>

This error applies to SSL VPN connections only.

Cause

The SSL VPN (remote access) policy on Sophos Firewall doesn't contain any policy members.

Remedy

Contact your firewall administrator.

Policy mismatch error. Will download policy and retry connection.

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection.

The firewall administrator changed the SSL VPN settings on Sophos Firewall after an SSL VPN connection was established and saved by Sophos Connect.

Remedy

The connection was created using a provisioning file. Sophos Connect automatically downloads the new policy and reestablishes the SSL VPN tunnel.

Note

If the firewall administrator changes the SSL VPN policy on Sophos Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, the Sophos Connect client detects and downloads the new policy immediately. If it's an SSL VPN over UDP tunnel, you need to wait for the inactivity timer to delete the tunnel. Sophos Connect then downloads the new policy to re-establish the tunnel.

Compression mismatch error. Will retry connection.

This error applies to SSL VPN connections only.

Cause

An SSL VPN policy is downloaded for the first time from Sophos Firewall and the SSL VPN tunnel is established with it.

Remedy

  • If the connection is configured with an ovpn file, you must reconnect manually.
  • If the connection is configured with a provisioning file, Sophos Connect automatically tries to reconnect.

Policy mismatch error. Import a new policy for this connection.

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection.

The firewall administrator changed the SSL VPN settings on Sophos Firewall after an SSL VPN connection was established and saved by Sophos Connect.

Remedy

The connection was created by importing an ovpn file. The user must download and import a new ovpn file from Sophos Firewall user portal to re-establish the SSL VPN tunnel.

Note

If the firewall administrator changes the SSL VPN policy on Sophos Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, then the Sophos Connect client detects and disconnects the tunnel with an error. If it's an SSL VPN over UDP tunnel, then you have to wait for the inactivity timer to delete the tunnel. You must download and import a new ovpn file from the Sophos Firewall user portal to successfully re-establish the SSL VPN tunnel.

Server certificate cannot be verified: <gateway name>. Do you want to continue?

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client imports the SSL VPN configuration by connecting to the Sophos Firewall user portal using the provisioning file's properties. The user portal uses a self-signed certificate that can't be verified by the Sophos Connect client.

Remedy

  1. Accept the security warning to connect and download the ovpn configuration file from the user portal.

To prevent the prompt from showing in the future, contact your firewall administrator. They must choose one of the options below:

  1. Issue a new certificate for Sophos Firewall signed by a public CA. On Sophos Firewall, import the certificate then select it for Admin console and end-user interaction.
  2. Push the default CA certificate from Sophos Firewall to the trusted store on the remote computers.

Could not connect to untrusted server: <gateway>

This error applies to SSL VPN connections only.

Cause

You canceled the certificate warning prompt, and the connection was terminated.

Remedy

Accept the security warning to connect and download the SSL VPN policy from Sophos Firewall.

To prevent the prompt from showing when the SSL VPN policy is downloading, contact your firewall administrator. They must choose one of the options below:

  1. Issue a new certificate for Sophos Firewall signed by a public CA. On Sophos Firewall, import the certificate, and then select it for Admin console and end-user interaction.
  2. Push the Default CA certificate from Sophos Firewall to the trusted store on the remote computers.

Timed out waiting for server response

This error applies to SSL VPN connections only.

Cause

The SSL VPN policy is misconfigured on Sophos Firewall. Possible reasons for the failure are as follows:

  • Override hostname is configured, but it does not resolve to a valid or correct public IP address.
  • DDNS is configured, but it does not resolve to the correct or valid public IP address.
  • Both Override hostname and DDNS aren't configured, and the WAN port doesn't have a public IP address.

Remedy

  • If you used a provisioning file to import the connection, update the policy connection settings menu (on the Sophos Connect client).
  • If you used an ovpn file to create the connection, export a new ovpn file from the user portal and re-import it in the Sophos Connect client.