Troubleshoot event errors
If you have issues connecting to your remote network, click the events tab, find the timestamp from when you attempted a connection, and find the relevant error.
In the following topics, you can see error messages, possible causes for the errors, and information on what to do next. If you experience any issues that aren't listed, see General troubleshooting.
If you need further assistance, contact Sophos Support.
No network connection
If you don't have a network connection, follow these instructions.
Cause
The network adapter (ethernet or Wi-Fi) has no IP address.
Remedy
Check that you have a valid IP address and that your existing network connection is working.
DNS resolution failed
If DNS resolution is failing, follow these instructions.
Cause
The client isn't able to resolve the gateway hostname.
Remedy
- Check if a DNS server is assigned to the network interface. If it doesn't resolve, contact your ISP.
- Run nslookup from the command prompt (Windows) or the Terminal (macOS) for a public host, such as www.sophos.com, and verify that it resolves to an IP address.
- If it doesn't resolve, contact your ISP.
User authentication of <username entered> failed
If you can't authenticate, follow these instructions.
Cause
The username or password didn't match.
Remedy
- Retry to see if it was due to user error during input. If you retry multiple times and get the same error, the password may have changed or been disabled on the firewall.
- In this case, contact your firewall administrator.
Import file contains a duplicate connection: <connection name>
The information below only applies if your firewall administrator configured a provisioning (.pro) file.
Cause
The connection imported from a provisioning file has a duplicate display name.
Remedy
Check the display_name attribute in the provisioning file and rename any duplicate names.
The connection data could not be added. Connection with name <connection name> already exists
Cause
A connection with the same name has already been imported.
Remedy
Delete the existing connection from Sophos Connect. Contact your firewall administrator if you need further help.
Cannot connect to policy gateway: <gateway name>
The information below only applies if your firewall administrator configured a provisioning (.pro) file.
Cause
The provisioning file is misconfigured.
This could be due to any of the following reasons:
- Invalid gateway hostname or IP address.
- Invalid port or outgoing blocked port.
- The policy gateway is unreachable because it's turned off.
Remedy
- Make sure the value assigned to the gateway attribute is correct.
- Make sure the value assigned to the user_portal_port attribute matches the user portal HTTPS port setting on Sophos Firewall.
- If the provisioning file is configured correctly, contact your firewall administrator to troubleshoot further.
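A pre-distribution check for the provisioning-file problems described above (duplicate display_name, invalid gateway, invalid user_portal_port), as an added example that is not Sophos code. It assumes the .pro file is a JSON array of connection objects and that user_portal_port defaults to 443 when omitted; check_provisioning, valid_gateway and the sample entries are constructed for illustration.

```python
import ipaddress
import json
import re
from collections import defaultdict

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_gateway(value):
    """True for an IP address or a well-formed hostname (no scheme, no port)."""
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        labels = value.rstrip(".").split(".")
    # An all-numeric last label is a malformed IPv4 address, not a hostname.
    return (len(value) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))

def check_provisioning(text):
    """Return a list of problems found in a provisioning file's JSON text."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        return ["expected a JSON array of connection objects"]
    problems, seen = [], defaultdict(list)
    for index, entry in enumerate(entries, start=1):
        name = entry.get("display_name")
        if isinstance(name, str) and name:
            seen[name].append(index)
        if not valid_gateway(entry.get("gateway")):
            problems.append(f"entry {index}: invalid gateway {entry.get('gateway')!r}")
        port = entry.get("user_portal_port", 443)  # assumed default when absent
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"entry {index}: invalid user_portal_port {port!r}")
    for name, where in seen.items():
        if len(where) > 1:
            problems.append(f"duplicate display_name {name!r} in entries {where}")
    return problems

# Constructed sample, not a real deployment.
SAMPLE = """[
  {"display_name": "HQ", "gateway": "vpn.example.com", "user_portal_port": 443},
  {"display_name": "HQ", "gateway": "https://vpn.example.com:8443"},
  {"display_name": "Branch", "gateway": "203.0.113.10", "user_portal_port": 70000}
]"""
```

Calling check_provisioning(SAMPLE) reports the gateway that carries a scheme and port, the out-of-range port, and the repeated display name. The check is syntactic only and does not confirm that the gateway resolves or is reachable.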
DNS resolution failed for gateway: <gateway name:port>
If DNS resolution is failing for the gateway, follow these instructions.
Cause
This error is due to an invalid hostname.
Remedy
- If the connection was added using a provisioning file, verify the hostname provided.
- If the connection was added by importing an Open VPN (ovpn) file, contact your firewall administrator. They will check the SSL VPN settings on Sophos Firewall.
Service is unavailable
The troubleshooting steps below are for Windows only.
Cause
The Sophos Connect service (scvpn) is not running.
Remedy
Open the command prompt as an administrator and type the following command: net start scvpn
Server expected remote ID <expected ID value> but got <actual ID value>
Cause
The local ID type or value configured in the Sophos Connect policy on the firewall is different from this connection's value. This may be because the firewall administrator changed the local ID on the firewall, and the new configuration file wasn't imported to Sophos Connect.
Remedy
Contact your firewall administrator and report the problem to troubleshoot further.
Possible pre-shared key mismatch <connection name>
This error applies to IPsec VPN connections only.
Cause
The pre-shared key on the firewall doesn't match the one used for this connection. The firewall administrator may have changed it on the firewall, and the new configuration file hasn't been uploaded to Sophos Connect.
Remedy
Contact your firewall administrator and report the problem to troubleshoot further.
UDP ports 500/4500 blocked
This error applies to IPsec VPN connections only.
Cause
The firewall or the router is blocking UDP ports 500 and 4500.
Remedy
Check your local firewall or router configuration and allow traffic on those ports. If you don't have access to the firewall or router, for example, if you're in a hotel, connect through your mobile hotspot and try to connect again.
No response from gateway: <gateway FQDN or IP specified in connection>
This error applies to IPsec VPN connections only.
Cause
The gateway isn't responding to IKE negotiation messages. The possible causes are as follows:
- The remote gateway (firewall or router) has been shut down.
- The WAN address on the remote gateway isn't connected directly to the internet.
Remedy
Contact your firewall administrator and report the problem to troubleshoot further.
Received NO_PROPOSAL_CHOSEN notification from gateway
This error applies to IPsec VPN connections only.
Cause
The remote gateway responded to IKE negotiations from Sophos Connect with this error notification. The possible causes are as follows:
- The Sophos Connect policy isn't defined or activated on the firewall.
- The firewall administrator changed the IKE phase 1 proposal used for the Sophos Connect policy on the firewall and the new configuration wasn't exported and uploaded to the client.
Remedy
Contact your firewall administrator and report the problem to troubleshoot further.
SA disabled or deleted by gateway
This error applies to IPsec VPN connections only.
Cause
The gateway sent an IKE delete request, and then the tunnel was deleted. This could be due to any of the following reasons:
- The firewall administrator changed the policy on the firewall. This sends an IKE delete request to all the active SAs on the firewall.
- The firewall administrator manually deleted all of the IPsec connections for this user on the firewall.
Remedy
Try to reconnect. If you can't reconnect, contact your firewall administrator to troubleshoot further.
Failure to add route [network/mask] prevented phase 2 completion
This error applies to IPsec VPN connections only. The troubleshooting steps below are for Windows only.
Cause
After the Phase 2 Security Association (SA) is established, a route can't be added to the remote network. This may be because the strongSwan service crashed while the tunnel was active.
Remedy
- Turn off the TAP adapter, then turn it on.
- Open the command prompt as an administrator and enter the following commands: net stop scvpn then net start scvpn
Failed to load connection info into strongSwan
The troubleshooting steps below are for Windows only.
Cause
The strongSwan service isn't running (service name: charon-svc.exe).
Remedy
Open the command prompt as an administrator and enter the following command: net start strongswan
No SSL VPN policy is defined for this user: <username>
This error applies to SSL VPN connections only.
Cause
The SSL VPN (remote access) policy on Sophos Firewall doesn't contain any policy members.
Remedy
Contact your firewall administrator.
Policy mismatch error. Will download policy and retry connection.
This error applies to SSL VPN connections only.
Cause
The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection.
The firewall administrator changed the SSL VPN settings on Sophos Firewall after an SSL VPN connection was established and saved by Sophos Connect.
Remedy
The connection was created using a provisioning file. Sophos Connect automatically downloads the new policy and reestablishes the SSL VPN tunnel.
Note
If the firewall administrator changes the SSL VPN policy on Sophos Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, the Sophos Connect client detects and downloads the new policy immediately. If it's an SSL VPN over UDP tunnel, you need to wait for the inactivity timer to delete the tunnel. Sophos Connect then downloads the new policy to re-establish the tunnel.
Compression mismatch error. Will retry connection.
This error applies to SSL VPN connections only.
Cause
An SSL VPN policy is downloaded for the first time from Sophos Firewall and the SSL VPN tunnel is established with it.
Remedy
- If the connection is configured with an ovpn file, you must reconnect manually.
- If the connection is configured with a provisioning file, Sophos Connect automatically tries to reconnect.
Policy mismatch error. Import a new policy for this connection.
This error applies to SSL VPN connections only.
Cause
The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection.
The firewall administrator changed the SSL VPN settings on Sophos Firewall after an SSL VPN connection was established and saved by Sophos Connect.
Remedy
The connection was created by importing an ovpn file. The user must download and import a new ovpn file from the Sophos Firewall user portal to re-establish the SSL VPN tunnel.
Note
If the firewall administrator changes the SSL VPN policy on Sophos Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, then the Sophos Connect client detects and disconnects the tunnel with an error. If it's an SSL VPN over UDP tunnel, then you have to wait for the inactivity timer to delete the tunnel. You must download and import a new ovpn file from the Sophos Firewall user portal to successfully re-establish the SSL VPN tunnel.
Server certificate cannot be verified: <gateway name>. Do you want to continue?
This error applies to SSL VPN connections only.
Cause
The Sophos Connect client imports the SSL VPN configuration by connecting to the Sophos Firewall user portal using the provisioning file's properties. The user portal uses a self-signed certificate that can't be verified by the Sophos Connect client.
Remedy
- Accept the security warning to connect and download the ovpn configuration file from the user portal.
To prevent the prompt from showing in the future, contact your firewall administrator. They must choose one of the options below:
- Issue a new certificate for Sophos Firewall signed by a public CA. On Sophos Firewall, import the certificate then select it for Admin console and end-user interaction.
- Push the default CA certificate from Sophos Firewall to the trusted store on the remote computers.
Could not connect to untrusted server: <gateway>
This error applies to SSL VPN connections only.
Cause
You canceled the certificate warning prompt, and the connection was terminated.
Remedy
Accept the security warning to connect and download the SSL VPN policy from Sophos Firewall.
To prevent the prompt from showing when the SSL VPN policy is downloading, contact your firewall administrator. They must choose one of the options below:
- Issue a new certificate for Sophos Firewall signed by a public CA. On Sophos Firewall, import the certificate, and then select it for Admin console and end-user interaction.
- Push the Default CA certificate from Sophos Firewall to the trusted store on the remote computers.
Timed out waiting for server response
This error applies to SSL VPN connections only.
Cause
The SSL VPN policy is misconfigured on Sophos Firewall. Possible reasons for the failure are as follows:
- Override hostname is configured, but it does not resolve to a valid or correct public IP address.
- DDNS is configured, but it does not resolve to the correct or valid public IP address.
- Both Override hostname and DDNS aren't configured, and the WAN port doesn't have a public IP address.
Remedy
- If you used a provisioning file to import the connection, update the policy connection settings menu (on the Sophos Connect client).
- If you used an ovpn file to create the connection, export a new ovpn file from the user portal and re-import it in the Sophos Connect client.