Troubleshoot Mobile VPN with SSL

The VPN client can connect, but users cannot connect to internal resources by name.

If the VPN client can connect to a resource by IP address but not by name, you must provide the client with the IP addresses of valid DNS and/or WINS servers that can resolve the destination name. When the client connects and receives a virtual IP address from the Firebox, it also receives the IP addresses for the DNS and WINS servers configured globally on the device, or in the Mobile VPN with SSL configuration.

For information about how to configure WINS and DNS IP addresses, see Name Resolution for Mobile VPN with SSL.

The VPN client can connect, but VPN users cannot connect to internal resources with a single-part host name.

If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client. When you use Mobile VPN with SSL, the Firebox assigns the client device the WINS, DNS, and DNS suffix configured in the Mobile VPN with SSL settings on the Firebox.

A client without a DNS suffix assigned must use the entire DNS name to resolve the name to an IP address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix example.net.

For more information about DNS for Mobile VPN with SSL, see Name Resolution for Mobile VPN with SSL.

If you do not configure WINS and DNS settings in the Mobile VPN with SSL configuration, the SSL VPN client is assigned the WINS and DNS servers, and the DNS suffix configured for the Firebox.

If you specify a DNS suffix in the WINS/DNS settings for the Firebox, but do not specify a DNS suffix in the Mobile VPN with SSL settings, the VPN client does not receive the DNS suffix unless all other WINS / DNS settings in the Mobile VPN with SSL configuration are also not configured.

For more information about how to configure WINS/DNS settings, see Add WINS and DNS Server Addresses.

The VPN client can connect, but all traffic fails. The Unhandled External Packet log message is generated, and includes other details that indicate a group membership problem.

If client traffic through the Mobile VPN with SSL connection is denied as unhandled, the problem is almost always related to group membership. By default, Mobile VPN with SSL requires that a user be a member of a group called SSLVPN-Users. If you use a RADIUS, SecurID, or VASCO server, the group membership must be returned as the Filter-ID attribute.

For more information about how to configure external authentication servers, see Configure the External Authentication Server.

The VPN client can connect but all traffic fails. The Unhandled External Packet log message is generated, and includes other details that indicate a problem with the policy configuration.

When you enable Mobile VPN with SSL, the Allow-SSL-Users policy is automatically created to allow traffic from the clients to internal or external network resources. If you disable or remove this policy, clients cannot send traffic to internal or external networks.

To solve this problem, make sure that the policy exists and allows traffic to network resources.

For more information about the this policy, see Configure the Firebox for Mobile VPN with SSL.

The VPN client can connect but users cannot connect to some internal resources. The log messages do not show traffic allowed or denied.

If you select Routed VPN traffic in the Mobile VPN with SSL network settings, the Firebox routes traffic from Mobile VPN with SSL clients to allowed networks and resources.

Make sure that users have v11.10 or higher of the Mobile VPN with SSL client. The Mobile VPN with SSL client v11.10 and higher supports more than 24 routes. Previous versions of the Mobile VPN with SSL client support a maximum of 24 routes.

For users with Mobile VPN with SSL client v11.9.x and lower, your configuration must include fewer than 24 routes to resources for the Mobile VPN with SSL client. If the total number of networks or allowed resources exceeds 24, the VPN client cannot route traffic to all of the allowed resources. For users with Mobile VPN with SSL client v11.9.x and lower, your Mobile VPN with SSL configuration might include too many routes if:

In the Mobile VPN with SSL configuration, you select Allow access to networks connected through Trusted, Optional, and VLANs, and you have more than 24 resources in the Allowed Resources list.
In the Mobile VPN with SSL configuration, you selected Specify allowed resources, and added more than 24 resources

The WINS and DNS settings can also add up to five additional routes to the total, if two DNS servers, two WINS servers, and a domain suffix are all configured. This further reduces the number of allowed resources the client can route to.

To reduce the number of routes, you can specify allowed resources in a way that generates fewer routes. To do this, select Specify allowed resources and then use supernets to specify the allowed resources as fewer entries. For example, if your Allowed Resources list includes the resources 192.168.1.0/24, 192.168.25.0/24, and 192.168.26.0/24, you can express this as a single resource, 192.168.0.0/22, which includes all addresses from 192.168.1.0 to 192.168.31.255.

For more information about how to specify resources for Mobile VPN with SSL, see Configure the Firebox for Mobile VPN with SSL.

The VPN client cannot connect. These error messages might appear on the client or in the client logs:Failed: Cannot perform HTTP request, Timeout 12002, Failed to get domain name, or System tried to join.

This log message indicates that the client is unable to make an HTTPS connection to the IP address specified in the Server text box in the Mobile VPN with SSL client. Confirm that the policy configuration on the Firebox allows connections from Any-External to Firebox, and that no other policy handles traffic from the IP addresses you configured as the virtual IP address pool for Mobile VPN with SSL.

If you specify a TCP port other than 443 as the VPN Portal port in the VPN Portal settings, mobile users must specify the port number as part of the address in the Server text box in the Mobile VPN with SSL client. For example, if the VPN Portal port is TCP 444, specify 203.0.113.2:444.

In Fireware v12.1 and higher, the configuration channel setting was renamed as the VPN Portal port. The VPN Portal port setting appears in the VPN Portal configuration. In Fireware v12.0.2 and lower, the configuration channel setting appears in the Mobile VPN with SSL configuration. For more information about the VPN Portal settings, see Configure the VPN Portal Settings and SSL/TLS Settings Precedence and Inheritance.

If the operating system on your computer does not support TLS 1.1, or TLS 1.1 is not enabled, you might see this error message. Mobile VPN with SSL requires TLS 1.1 or higher. Windows XP and Vista, and Mac OS v10.9 and earlier, do not support TLS 1.1. In Windows 7, you must manually enable TLS 1.1:

From the Windows Control Panel, select Internet Options > Advanced
Select the Use TLS 1.1 and Use TLS 1.2 check boxes.

For more information about TLS and Mobile VPN with SSL, see Mobile VPN with SSL connections fail from some versions of Windows and Mac OS X in the WatchGuard Knowledge Base.

The VPN client cannot connect with a valid user name and password.

This problem can be caused by a static NAT action for inbound HTTPS traffic, or it can be a problem with client authentication.

When the Firebox receives an HTTPS request, it could forward that request to an internal server if your configuration includes an HTTPS policy with a static NAT action. If this occurs for traffic from the Mobile VPN with SSL client, the VPN client fails to connect. and displays an authentication failure message to the user:

(SSLVPN authentication failed) Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?

Check your configuration to make sure that a policy does not forward HTTPS requests on the port used by the Mobile VPN with SSL client to another server.

This authentication error message could also indicate a problem with authentication.

To troubleshoot client authentication:

Connect to the Firebox.
Review the configuration for Mobile VPN with SSL
Record the configured Primary and Backup IP addresses.
The address can also be a domain name. If it is a domain name, confirm which IP address the domain name resolves to.
(Fireware v12.0.2 and lower) Record the configured Configuration channel TCP port.
(Fireware v12.1 and higher) Select Authentication > Configure and record the configured VPN Portal port.
In Fireware v12.1 and higher, the configuration channel setting was renamed as the VPN Portal port. The VPN Portal port setting appears in the VPN Portal configuration.
In your web browser, type https://<ip-address>/sslvpn.html where <ip-address> is the Primary IP address in the Mobile VPN with SSL configuration. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon. For example, if the Configuration channel is TCP port 444, in the browser type https://<ip-address>:444/sslvpn.html.
- If the WatchGuard Authentication Portal page for your Firebox appears, continue to Step 6.
- If a page other than the WatchGuard Authentication Portal page appears, review your Firebox configuration to identify why the traffic was forwarded to this location. Consider a change to the configured IP address for the VPN.
On the WatchGuard Authentication Portal page, log in with client credentials.
If more than one type of authentication is configured, or if your authentication server is not the default option, select the authentication server from the drop-down list.
- If user authentication succeeds, continue to Step 7.
- If user authentication fails, verify the user credentials on the Firebox, or the external authentication server. For users on an external authentication server, verify whether other users who use that server are able to log in. There may be a problem with authentication in general.
In your web browser, type https://<ip-address>/sslvpn.html. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon.
For example, if the Configuration channel is TCP port 444, type https://<ip-address>:444/sslvpn.html.
The WatchGuard Authentication Portal appears.
Log in with the client credentials you used in Step 5.

If the user authentication fails on the Mobile VPN with SSL-specific authentication page, but the same credentials worked on the WatchGuard Authentication Portal page, the issue is almost certainly group membership. Confirm that the user is part of the configured group for Mobile VPN with SSL. By default, this group is SSLVPN-Users.

In Fireware v11.12 and higher, the URL for the SSL VPN authentication portal redirects to https://<ip-address>/sslvpn_logon.shtml.

The VPN client can connect, and the traffic appears to be allowed, but the client never gets a response, or some network resources fail.

If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:

The virtual IP address pool for Mobile VPN with SSL clients does not overlap with any IP addresses assigned to internal network users.
The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
If the Mobile VPN with SSL users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.

For more information about how to configure the IP address pool, see Configure the Firebox for Mobile VPN with SSL.