Troubleshoot Mobile VPN with SSL
This topic describes common problems and solutions for Mobile VPN with SSL.
Log Messages
To view log messages for events related to Mobile VPN with SSL:
- Set the diagnostic log level for SSL VPN.
- Open Traffic Monitor.
- Click the Search icon and type the Firebox IP address that SSL VPN users connect to.
- After you troubleshoot the problem, reset the diagnostic log level to the previous setting. The default setting is Error.
We do not recommend that you select the highest logging level (Debug) unless a technical support representative directs you to do so while you troubleshoot a problem. When you use the highest diagnostic log level, the log file can fill up very quickly and performance of the Firebox can be reduced.
For information about log messages on the Mobile VPN with SSL client, go to Download, Install, and Connect the Mobile VPN with SSL Client.
Download Issues
In Fireware 12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox. To download the Mobile VPN with SSL client, go to the Software Downloads page and select your Firebox model.
In Fireware 12.11 and higher, the Mobile VPN with SSL client no longer prompts users when an update is available.
If users cannot download the Mobile VPN with SSL client from the Firebox:
- Make sure users connect to your Firebox with the correct URL and port number. In the Mobile VPN with SSL configuration, the Configuration Channel setting specifies the port number for client downloads. If you keep the default port number (443), make sure users connect to https://[Firebox IP address]/sslvpn.html to download the Mobile VPN with SSL client.
- If you specify a configuration channel port other than 443, make sure that users connect to https://[Firebox IP address]:[port]/sslvpn.html to download the Mobile VPN with SSL client.
- Make sure you have not disabled the Mobile VPN with SSL software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. For more information about the CLI command that disables the download page, go to Plan Your Mobile VPN with SSL Configuration.
If users still cannot download the Mobile VPN with SSL client from the Firebox:
- Users can download the client from the WatchGuard software downloads page.
- You can manually distribute the client software and updated configuration file to users. For more information, go to Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.
If users have installed the Mobile VPN with SSL client but cannot download an updated configuration:
- If the error "Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?" shows, tell users to click Yes to make a VPN connection unless you have changed the Mobile VPN with SSL settings in your Firebox configuration. If users click Yes, the client does not automatically receive configuration changes. If you change the Mobile VPN with SSL configuration on the Firebox, you must manually distribute the update to users who cannot download it from the Firebox.
In Fireware versions lower than v11.x, the authentication and client configuration port is 4100.
Installation Issues
For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the
The Firebox has version requirements for TLS connections:
SSL VPN client connections
In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher.
In earlier Fireware v12 releases, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.
SSL VPN client download page
In Fireware v12.5.5 or higher, to download the client from the Firebox, your browser must support TLS 1.2 or higher. In earlier Fireware v12 releases, to download the client from the Firebox, your browser must support TLS 1.1 or higher.
To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.
Upgrade Issues
To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.
- If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
- If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.
In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message opens that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not show if a major version update is available.
In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message opens that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.
Connection Issues
The Mobile VPN with SSL client does not fully support IPv6 addresses. For Mobile VPN with SSL client v12.7.2, do not use IPv6 addresses in local network settings. For all Mobile VPN with SSL client versions, do not use IPv6 addresses in local network settings with macOS and iOS devices.
This log message indicates that the client cannot make an HTTPS connection to the IP address specified in the Server text box in the Mobile VPN with SSL client. Confirm that the policy configuration on the Firebox allows connections from Any-External to Firebox, and that no other policy handles traffic from the IP addresses you configured as the virtual IP address pool for Mobile VPN with SSL.
If you specify a TCP port other than 443 as the Configuration Channel in the Mobile VPN with SSL settings, mobile users must specify the port number as part of the address in the Server text box in the Mobile VPN with SSL client. For example, if the port is TCP 444, specify 203.0.113.2:444 on the client.
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, go to Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
If the operating system on your computer does not support TLS 1.2, or TLS 1.2 or higher is not enabled, you might receive this error message. In Fireware v12.5.4 or higher, Mobile VPN with SSL requires TLS 1.2 or higher. To avoid security vulnerabilities in TLS 1.1 or lower, we recommend that you disable TLS 1.1 or lower and only enable TLS 1.2 or higher.
Some older operating systems do not support TLS 1.2 or higher. For more information about TLS in older operating systems, go to Mobile VPN with SSL connections fail from some versions of Windows and macOS in the WatchGuard Knowledge Base.
This problem can be caused by a static NAT (SNAT) action for inbound HTTPS traffic, or it can be a problem with client authentication.
When the Firebox receives an HTTPS request, it could forward that request to an internal server if your configuration includes an HTTPS policy with a static NAT action. If this occurs for traffic from the Mobile VPN with SSL client, the client fails to connect and an authentication failure message shows:
(SSLVPN authentication failed) Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?
Review your configuration to make sure that a policy does not forward HTTPS requests on the port used by the Mobile VPN with SSL client to another server.
This authentication error message could also indicate a problem with authentication.
To troubleshoot client authentication:
- Connect to the Firebox.
- Review the configuration for Mobile VPN with SSL.
- Record the configured Primary and Backup IP addresses.
The address can also be a domain name. If it is a domain name, confirm which IP address the domain name resolves to.
- Record the configured Configuration channel TCP port.
In Fireware v12.1.x, select Authentication > Configure and record the configured VPN Portal port. In Fireware v12.1.x, the configuration channel setting was named the VPN Portal port.
- In your web browser, type https://<ip-address>/sslvpn.html where <ip-address> is the Primary IP address in the Mobile VPN with SSL configuration. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon. For example, if the Configuration channel is TCP port 444, in the browser type https://<ip-address>:444/sslvpn.html.
- If the WatchGuard Authentication Portal page for your Firebox opens, continue to Step 6.
- If a page other than the WatchGuard Authentication Portal page opens, review your Firebox configuration to identify why the traffic was forwarded to this location. Consider a change to the configured IP address for the VPN.
- On the WatchGuard Authentication Portal page, log in with client credentials.
If more than one type of authentication is configured, or if your authentication server is not the default option, select the authentication server from the drop-down list.
- If user authentication succeeds, continue to Step 7.
- If user authentication fails, verify the user credentials on the Firebox, or the external authentication server. For users on an external authentication server, verify whether other users who use that server are able to log in. There might be a problem with authentication in general.
- In your web browser, type https://<ip-address>/sslvpn.html. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon.
For example, if the Configuration channel is TCP port 444, type https://<ip-address>:444/sslvpn.html.
The WatchGuard Authentication Portal opens.
- Log in with the client credentials you used in Step 5.
If the user authentication fails on the Mobile VPN with SSL-specific authentication page, but the same credentials worked on the WatchGuard Authentication Portal page, the issue is almost certainly group membership. Confirm that the user is part of the configured group for Mobile VPN with SSL. By default, this group is SSLVPN-Users.
To troubleshoot issues with AuthPoint authentication, go to Firebox Mobile VPN with SSL Integration with AuthPoint and Troubleshoot AuthPoint.
This message indicates an issue on the client computer. To troubleshoot on the client computer, verify that:
- The SSL VPN service is started
- The TAP driver is installed correctly
- Another VPN client on the computer has not installed drivers that caused a conflict
- Security software such as anti-virus or firewall software does not block the TAP driver
- In Internet Explorer, in the Internet Options > Advanced settings, SSL 3.0 is not selected.
This issue can occur if a router or modem on the user's local network prevents return communication from the Firebox to the VPN client.
In Windows Device Manager, verify the status of the virtual adapter to make sure a local router or modem does not inspect, filter, or proxy the VPN traffic. You might have to adjust security settings on the local router or modem.
To resolve this issue, add a First Run policy for outbound VPN connections from network clients to the external VPN endpoint. For example, on the cloud-managed Firebox, create a First Run policy for TCP 443 traffic to only the public IP address configured on the locally-managed Firebox for SSL VPN connections.
For information about first-run policies in WatchGuard Cloud, go to Firewall Policy Types.
While the VPN connection process occurs, the Firebox verifies the user's identity and group membership on the local database or an existing RADIUS server. The user must be a member of:
- The default SSLVPN-Users group on the Firebox, or
- A group explicitly added to the Firebox configuration.
To troubleshoot this issue:
- Verify that the SSLVPN-Users group exists on all of your authentication servers.
- If you added a different group to the Mobile VPN with SSL configuration, make sure that group exists on all of your authentication servers.
- Verify that the user is a member of the SSLVPN-Users group (or another group that you added to the Mobile VPN with SSL configuration) on the authentication server.
- If you use RADIUS to authenticate these users, make sure the RADIUS server returns the group membership as the Filter-ID attribute.
For more information about how to configure external authentication servers, go to Configure the External Authentication Server.
In Fireware v12.5 or higher, you must configure a RADIUS domain name. If your Firebox configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, users must type RADIUS as the domain name. In this case, if users type a domain name other than RADIUS, authentication fails. For more information, go to Download, Install, and Connect the Mobile VPN with SSL Client.
These log messages indicate that the CA certificate is missing from the local configuration. To troubleshoot certificate issues on the client computer:
- Delete the contents of this folder: C:\Users\username\AppData\Roaming\WatchGuard\Mobile VPN
- Try to connect to Mobile VPN with SSL.
The VPN client connects to the Firebox and downloads the Mobile VPN with SSL configuration file and certificates to the folder from Step 1.
Connection Issues Related to AuthPoint Multi-Factor Authentication (MFA)
In Fireware v12.7 or higher, if you select AuthPoint as an authentication server in the Mobile VPN with SSL configuration, but users cannot authenticate through AuthPoint:
- Review the configuration requirements for Fireware v12.7 or higher in the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
- For users who connect with the WatchGuard Mobile VPN with SSL client, make sure the client version is v12.7 or higher. There is no version requirement for the OpenVPN client.
Issues After Connection
If the VPN client can connect to a resource by IP address but not by name, you must provide the client with the IP addresses of valid DNS or WINS servers that can resolve the destination name. When the client connects and receives a virtual IP address from the Firebox, it also receives the IP addresses for the DNS and WINS servers configured globally on the Firebox or in the Mobile VPN with SSL configuration.
When you configure Mobile VPN with SSL in Fireware v12.2.1 or higher, you can select to:
- Assign the client device the WINS server, DNS server, and DNS suffix configured in the Mobile VPN with SSL settings on the Firebox
- Assign the client device the WINS server, DNS server, and DNS suffix configured in the Network (global) DNS/WINS settings on the Firebox
- Assign no DNS or WINS settings to the client device
For information about how to configure WINS and DNS IP addresses, go to Name Resolution for Mobile VPN with SSL.
For more information about global DNS settings on the Firebox, go to Configure Network DNS and WINS Servers.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name (FQDN) to connect, this indicates that the DNS suffix is not defined on the client. When you configure Mobile VPN with SSL in Fireware v12.2.1 or higher, you can select to:
- Assign the client device the WINS server, DNS server, and DNS suffix configured in the Mobile VPN with SSL settings on the Firebox
- Assign the client device the WINS server, DNS server, and DNS suffix configured in the Network (global) DNS/WINS settings on the Firebox
- Assign no DNS or WINS settings to the client device
A client without a DNS suffix assigned must use the entire DNS name to resolve the name to an IP address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix example.net.
For more information about DNS for Mobile VPN with SSL, go to Name Resolution for Mobile VPN with SSL.
For more information about global DNS settings on the Firebox, go to Configure Network DNS and WINS Servers.
In Fireware v12.2 or lower, if you do not configure WINS and DNS settings in the Mobile VPN with SSL configuration, the SSL VPN client is assigned the Network (global) DNS/WINS settings. This includes the DNS server, WINS server, and domain suffix. If you specify a DNS suffix in the Network (global) WINS/DNS settings for the Firebox, but do not specify a DNS suffix in the Mobile VPN with SSL settings, the VPN client does not receive the DNS suffix unless all other DNS and WINS settings in the Mobile VPN with SSL configuration are also not configured.
If client traffic through the Mobile VPN with SSL connection is denied as unhandled, the problem is almost always related to group membership. By default, Mobile VPN with SSL requires that a user be a member of a group called SSLVPN-Users. If you use a RADIUS, SecurID, or VASCO server, the group membership must be returned as the Filter-ID attribute.
For more information about how to configure external authentication servers, go to Configure the External Authentication Server.
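The Filter-ID requirement above (RADIUS must return the group as the Filter-ID attribute, and the user must be in SSLVPN-Users or a group you added) is easiest to verify on a captured Access-Accept. The following is an added example, not WatchGuard code: it parses the RADIUS attribute list, pulls out Filter-Id (attribute type 11), and reports whether an allowed group is present. The sample replies are constructed inline with a zeroed authenticator so the script runs offline.

```python
import struct

# RADIUS packet codes and the attribute the Firebox reads group membership from
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11        # Filter-Id, RFC 2865 section 5.11
ATTR_REPLY_MESSAGE = 18
DEFAULT_SSLVPN_GROUP = "SSLVPN-Users"


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, [(attr_type, value), ...]).

    Malformed length fields raise ValueError instead of being skipped, because a
    truncated Access-Accept must never be read as an authorization.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field %d does not fit the packet" % length)
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def filter_id_groups(packet: bytes):
    """Group names carried in Filter-Id attributes of an Access-Accept, or None
    when the reply is not an Access-Accept (a reject carries no usable groups)."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]


def sslvpn_group_ok(packet: bytes, allowed=(DEFAULT_SSLVPN_GROUP,)):
    """True only for an Access-Accept whose Filter-Id names an allowed group.
    An accept without the group is still a failed Mobile VPN with SSL login."""
    groups = filter_id_groups(packet)
    return groups is not None and any(g in allowed for g in groups)


def build_reply(code: int, ident: int, attrs):
    """Construct a RADIUS reply for offline testing (constructed sample: the 16-byte
    Response Authenticator is zeroed, so this is not a valid on-the-wire packet)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample replies, not captured from a real RADIUS server
ACCEPT_WITH_GROUP = build_reply(ACCESS_ACCEPT, 7, [
    (ATTR_FILTER_ID, b"SSLVPN-Users"),
    (ATTR_REPLY_MESSAGE, b"Welcome"),
])
ACCEPT_WRONG_GROUP = build_reply(ACCESS_ACCEPT, 8, [(ATTR_FILTER_ID, b"Staff")])
ACCEPT_NO_FILTER_ID = build_reply(ACCESS_ACCEPT, 9, [(ATTR_REPLY_MESSAGE, b"ok")])
REJECT = build_reply(ACCESS_REJECT, 10, [])

if __name__ == "__main__":
    samples = [("accept with group", ACCEPT_WITH_GROUP), ("accept wrong group", ACCEPT_WRONG_GROUP),
               ("accept without Filter-Id", ACCEPT_NO_FILTER_ID), ("reject", REJECT)]
    for name, pkt in samples:
        print(name, filter_id_groups(pkt), sslvpn_group_ok(pkt))
```

If your server returns the group in a vendor-specific attribute instead, the parser shows an empty Filter-Id list for an accepted user, which is exactly the condition that produces the unhandled-traffic denies described above.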
If you configure Mobile VPN with SSL to send all traffic through the tunnel, but Microsoft 365 traffic does not go through the tunnel, you have these options:
- Enable the default-route-client option in the Fireware CLI (Fireware v12.5.3 or higher)
- Manually configure a default gateway on the client
- Use a different Fireware mobile VPN method
For more information, and to configure the first two solutions, go to Microsoft 365 fails for Mobile VPN with SSL users in the WatchGuard Knowledge Base.
If you select Routed VPN traffic in the Mobile VPN with SSL network settings, the Firebox routes traffic from Mobile VPN with SSL clients to allowed networks and resources.
Make sure that users have v11.10 or higher of the Mobile VPN with SSL client. The Mobile VPN with SSL client v11.10 or higher supports up to 500 routes. Previous versions of the Mobile VPN with SSL client support a maximum of 24 routes.
For users with Mobile VPN with SSL client v11.9.x and lower, your configuration must include fewer than 24 routes to resources for the Mobile VPN with SSL client. If the total number of networks or allowed resources exceeds 24, the VPN client cannot route traffic to all of the allowed resources. For users with Mobile VPN with SSL client v11.9.x and lower, your Mobile VPN with SSL configuration might include too many routes if:
- In the Mobile VPN with SSL configuration, you select Allow access to networks connected through Trusted, Optional, and VLANs, and you have more than 24 resources in the Allowed Resources list.
- In the Mobile VPN with SSL configuration, you selected Specify allowed resources, and added more than 24 resources.
The WINS and DNS settings can also add up to five additional routes to the total if two DNS servers, two WINS servers, and a domain suffix are all configured. This further reduces the number of allowed resources the client can route to.
To reduce the number of routes, you can specify allowed resources in a way that generates fewer routes. To do this, select Specify allowed resources and then use supernets to specify the allowed resources as fewer entries. For example, if your Allowed Resources list includes the resources 192.168.1.0/24, 192.168.25.0/24, and 192.168.26.0/24, you can express this as a single resource, 192.168.0.0/22, which includes all addresses from 192.168.1.0 to 192.168.31.255.
For more information about how to specify resources for Mobile VPN with SSL, go to Manually Configure the Firebox for Mobile VPN with SSL.
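Before you replace entries in the Allowed Resources list with a supernet, it is worth computing two things: how many routes you save by merging only adjacent prefixes (no change to what is reachable), and how many extra addresses a single covering prefix would open to VPN clients. The following is an added example using Python's ipaddress module, not WatchGuard code; it runs on the three resources the page uses as its example and on any list you give it.

```python
import ipaddress


def collapse_routes(cidrs):
    """Merge adjacent or nested prefixes without widening the address set.
    This is the lossless first step and never changes what clients can reach."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_covering_supernet(cidrs):
    """Return the single smallest prefix that contains every listed prefix."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    # Start from a host route on the lowest address and widen one bit at a time
    # until the block also contains the highest address.
    candidate = ipaddress.ip_network("%s/%d" % (low, low.max_prefixlen))
    while high not in candidate:
        candidate = candidate.supernet()
    return candidate


def widened_addresses(cidrs):
    """Number of addresses the single supernet reaches that were not in the
    original list. Zero means the aggregation is free; anything else is extra
    reach that the tunnel gains and that your policies must be ready for."""
    sup = smallest_covering_supernet(cidrs)
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return sup.num_addresses - covered


def route_plan(cidrs):
    """Summarize both options for a list of Allowed Resources."""
    return {
        "routes_as_listed": len(cidrs),
        "routes_after_collapse": len(collapse_routes(cidrs)),
        "single_supernet": str(smallest_covering_supernet(cidrs)),
        "addresses_widened_by_supernet": widened_addresses(cidrs),
    }


if __name__ == "__main__":
    # Constructed sample: the three resources the page uses as its example
    print(route_plan(["192.168.1.0/24", "192.168.25.0/24", "192.168.26.0/24"]))
```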
When you enable Mobile VPN with SSL, the Allow SSLVPN-Users policy is automatically created to allow traffic from the clients to internal or external network resources. If you disable or remove this policy, clients cannot send traffic to internal or external networks.
To solve this problem, make sure that the policy exists and allows traffic to network resources.
For more information about this policy, go to Manually Configure the Firebox for Mobile VPN with SSL and Options for Internet Access Through a Mobile VPN with SSL Tunnel.
If your VPN clients can connect to some but not all parts of the network, or traffic otherwise fails when log messages show traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with SSL clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap with any other routed or VPN networks configured on the Firebox.
- If your company has multiple sites with mobile VPN configurations, each site has a virtual IP address pool that does not overlap with pools at other sites.
- The virtual IP address pool does not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
- If the Mobile VPN with SSL users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the IP address pool, go to Manually Configure the Firebox for Mobile VPN with SSL.
Determine whether the issue affects some or all VPN users. If the issue affects only some of your VPN users or affects users at a specific location:
- Make sure any firewalls at the user’s location allow the VPN connection.
- Determine whether affected users have an uncommon subnet that overlaps with the network behind your Firebox.
If the issue affects most or all of your users, determine whether the network behind your Firebox has a subnet commonly used for home networks.
We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
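The overlap checks in the two lists above (pool against internal, routed and VPN networks, pool against other sites' pools, and corporate networks against the 192.168.0.0/24 and 192.168.1.0/24 home ranges) can be run against a planned configuration before it is deployed. The following is an added example, not WatchGuard code; the network values in the usage section are constructed samples.

```python
import ipaddress

# Ranges the page calls out as common on home networks
COMMON_HOME_RANGES = [ipaddress.ip_network("192.168.0.0/24"),
                      ipaddress.ip_network("192.168.1.0/24")]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_virtual_ip_pool(pool, internal_networks, routed_or_vpn_networks=(),
                          other_site_pools=()):
    """Return a list of findings for one Firebox's Mobile VPN with SSL pool.
    An empty list means every check in the page's list passes."""
    p = ipaddress.ip_network(pool, strict=False)
    findings = []
    labelled = [("internal network", _nets(internal_networks)),
                ("routed or VPN network", _nets(routed_or_vpn_networks)),
                ("other site pool", _nets(other_site_pools)),
                ("common home range", COMMON_HOME_RANGES)]
    for label, nets in labelled:
        for n in nets:
            if p.overlaps(n):
                findings.append("pool %s overlaps %s %s" % (p, label, n))
    # A corporate network on a home range breaks tunnelling for users at home,
    # even when the pool itself is fine.
    for n in _nets(internal_networks):
        for home in COMMON_HOME_RANGES:
            if n.overlaps(home):
                findings.append("internal network %s overlaps common home range %s; "
                                "consider migrating it" % (n, home))
    return findings


def check_site_pools(site_pools):
    """site_pools: {site_name: pool_cidr}. Returns (site_a, site_b) pairs whose
    pools overlap, which the page requires to be none."""
    items = [(s, ipaddress.ip_network(c, strict=False)) for s, c in site_pools.items()]
    clashes = []
    for i, (s1, n1) in enumerate(items):
        for s2, n2 in items[i + 1:]:
            if n1.overlaps(n2):
                clashes.append((s1, s2))
    return clashes


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real configuration
    for f in check_virtual_ip_pool("192.168.113.0/24", ["10.0.0.0/16", "192.168.1.0/24"],
                                   routed_or_vpn_networks=["10.10.0.0/16"],
                                   other_site_pools=["192.168.114.0/24"]):
        print(f)
    print(check_site_pools({"hq": "192.168.113.0/24", "branch": "192.168.113.128/25"}))
```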
To troubleshoot a performance issue:
- Verify that only VPN traffic is affected.
- Verify that the issue occurs regardless of whether Traffic Management and QoS are enabled. For more information, go to About Traffic Management and QoS.
- Download a packet capture (PCAP) file when users experience poor VPN performance. Determine whether the packet capture shows latency or packet loss. For more information, go to Run Diagnostic Tasks on Your Firebox.
- Verify link speed setting for the external interface. By default, the link speed is set to Auto Negotiate, which is the recommended setting. For more information, go to Network Interface Card (NIC) Settings.
To learn how to optimize Mobile VPN with SSL performance, go to the Optimize Mobile VPN with SSL video tutorial (10 minutes).
To limit the Mobile VPN with SSL policy to use a single IP address for connections, remove the Firebox alias from the WatchGuard SSLVPN policy. You can then add a single IP address to use to connect to the VPN.
To remove the Firebox alias and add an IP address, from Fireware Web UI:
- Select Firewall > Firewall Policies.
- Click WatchGuard SSLVPN.
- Click the lock icon to make changes to the WatchGuard SSLVPN policy.
- From the To section, select Firebox, then click Remove.
- From the To section, click Add.
The Add Member dialog box opens.
- From the Alias drop-down list, select Host IPv4.
- Type the IPv4 address of the VPN, then click OK.
This is the IP address that Mobile VPN with SSL clients use to connect to the VPN. For more information, go to Manually Configure the Firebox for Mobile VPN with SSL.
- Click Save.
To remove the Firebox alias and add an IP address, from Policy Manager:
- Click WatchGuard SSLVPN.
- From the To section, select Firebox, then click Remove.
- From the To section, click Add.
The Add Address dialog box opens.
- Click Add Other.
- From the Choose Type drop-down list, select Host IPv4.
- Type the IPv4 address of the VPN, then click OK.
This is the IP address that Mobile VPN with SSL clients use to connect to the VPN. For more information, go to Manually Configure the Firebox for Mobile VPN with SSL.
- Click OK.
- Save the configuration to the Firebox.
If you cannot connect to network resources through an established VPN tunnel, go to Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.