Troubleshoot Mobile VPN with IPSec
This topic describes common problems and solutions for Mobile VPN with IPSec:
Log Messages
To see Mobile VPN log messages in the macOS VPN client, select Log > Logbook from the WatchGuard Mobile VPN client.
To see Mobile VPN log messages in the Windows VPN client, select Help > Logbook from the WatchGuard Mobile VPN Monitor.
Installation Issues
For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the
If you select Online Activation in WatchGuard IPSec Mobile VPN client, and activation fails, one of these error messages might appear:
Software activation error. Error number: 10103-1. An error occurred when activating the software. The maximum number of activations was exceeded.
This error can occur when the license key is in use on another system. If you have uninstalled the client from that other system, contact WatchGuard Customer Care and provide:
- The serial and license information from your confirmation email
- Screenshots of the activation wizard with the serial number and license filled in, and the error message
Invalid license key or serial number
This error can occur when:
- You installed the IPsec Client from NCP, not the WatchGuard Mobile VPN with IPsec Client. The license keys for the WatchGuard-branded client do not work for activation of the client from NCP.
- You attempted to activate with the incorrect serial number, such as the serial number of your Firebox. Make sure to use the IPSec Mobile VPN client serial number you received in the confirmation email.
Connection Requirements and Issues
- IP Routes: All IP routes must be available at all times.
- VPN Subnet: Each Mobile VPN Client must have access to the MVLS through the VPN tunnel it establishes to the VPN gateway.
- Client to MVLS IP access (firewall port) through the VPN subnet: Each client must be able to reach port 12503/TCP on the MVLS machine. This link is secured by an SSL tunnel between the client and the MVLS.
- Internet: HTTPS connection to the NCP Activation Server (actsrv1.ncp.de): An IP route must exist between the MVLS and the NCP Activation Server so that the MVLS can periodically build an SSL VPN connection to the NCP Activation Server. You can configure a proxy IP address on the MVLS to enable the connection to the NCP Activation Server.
If the user's computer goes to sleep while connected to the VPN, and the VPN terminates, the VPN client might show an error message if the user attempts to reconnect. After a certain amount of time elapses, the user can reconnect.
This issue can be caused by a temporary lack of available IP addresses in the Mobile VPN with IPSec address pool. To avoid this issue, add additional IP addresses to the Mobile VPN with IPSec address pool. For more information about the address pool configuration, go to Configure the Firebox for Mobile VPN with IPSec.
When you activate the license of an individual WatchGuard Mobile VPN Client, the license details are exchanged between the WatchGuard Mobile VPN Client and the Mobile VPN License Server (MVLS) over the corporate VPN. After you import the Initialization File and run the software activation process, these steps take place:
- The WatchGuard Mobile VPN Client establishes a connection to the VPN gateway. A yellow connection bar appears.
- The Client Licensing software establishes a connection to the MVLS. The connection bar changes from yellow to orange.
- The MVLS selects the next available license (serial number) and transmits the license details to the WatchGuard Mobile VPN Client. The connection bar changes from orange to green. If the VPN and MVLS connections are established immediately, the connection bar changes from orange to green immediately.
- The WatchGuard Mobile VPN Client is licensed successfully and can establish VPN connections. The connection bar no longer appears.
For more information about how to import the Initialization file and run the software activation process, go to the Licensing a WatchGuard Mobile VPN Client section in WatchGuard Mobile VPN License Server (MVLS).
The license activation might fail due to these reasons:
- The Mobile VPN Licensing Server is not reachable from the VPN. If a VPN connection is established but the connection to the MVLS cannot be established, the connection bar remains orange.
- A license is not available in the bundle. If all the licenses in a bundle are in use, the Licensing Operation Failed error message appears.
Issues After Connection
If the VPN client can connect to a network resource by IP address, but not by name, the client device might not have the correct DNS and WINS information for your network.
In Fireware v12.2.1 or higher, you can select these options in the Mobile VPN with IPSec configuration:
- Assign or not assign the Network (global) DNS/WINS settings to mobile clients
- Assign the domain name, DNS server, and WINS server settings specified in the mobile VPN configuration to mobile clients
In Fireware v12.2 or lower, your Firebox automatically provides client devices with the WINS and DNS IP addresses configured in the Network (global) DNS/WINS settings on your device.
For information about how to configure DNS and WINS IP addresses, go to Configure the Firebox for Mobile VPN with IPSec.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client.
In Fireware v12.2.1 or higher, you can select to:
- Assign or not assign the Network (global) DNS/WINS settings to mobile clients
- Assign the domain name, DNS server, and WINS server settings specified in the mobile VPN configuration to mobile clients
In Fireware v12.2 or lower, when you use Mobile VPN with IPSec with any supported client, the Firebox assigns the VPN client the DNS settings configured for the Firebox. It does not assign the DNS suffix.
A client that does not have an assigned DNS suffix must use the entire DNS name to resolve an address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix, example.net.
To resolve this problem, you can add the DNS suffix in the configuration of the Mobile VPN client. For instructions, go to these articles in the WatchGuard Knowledge Base:
Configure DNS in the WatchGuard IPSec Mobile VPN client
Configure DNS settings for VPN connections from an Android device
On the authentication server used for the Mobile VPN, verify that the user is a member of a group that exactly matches the Mobile VPN with IPSec group profile name. For example, if the Mobile VPN with IPSec group profile name is ipsec-users, and it is configured to use an Active Directory domain, you must make sure that each mobile VPN user is a member of the ipsec-users group on the Active Directory server. Make sure the text and case of the Active Directory group name exactly matches the Mobile VPN with IPSec group name.
For RADIUS, SecurID, and VASCO authentication, the authentication server must return the group membership as the Filter-ID attribute.
For more information about Mobile VPN with IPSec group membership, go to Configure the External Authentication Server.
When you initially create a Mobile VPN with IPSec profile, a policy is automatically created that allows traffic on all ports and protocols to all networks that were defined in the Allowed Resources section of the Mobile VPN configuration. If you later modify the Allowed Resources in the Mobile VPN with IPSec profile, you must also edit the Allowed Resources in the Mobile VPN with IPSec policy to match the network addresses in the updated Mobile VPN with IPSec profile.
For more information about how to edit the policy, go to Configure Policies to Filter IPSec Mobile VPN Traffic.
If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show that traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with IPSec clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
- If the Mobile VPN with IPSec users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the virtual IP address pool, go to Modify an Existing Mobile VPN with IPSec Group Profile.
The NCP VPN client forces the tunnel to re-key after 70 percent of the timeout value elapses. However, the Firebox does not support Phase 1 re-keys and the tunnel disconnects. If you configure the VPN client to save user credentials and automatically reconnect, a new tunnel automatically builds after the disconnection.
To increase the timeout values, in the Mobile VPN with IPSec configuration on the Firebox:
- On the General tab, increase the Timeouts.
- On the IPSec Tunnel tab, in the Phase 1 and 2 Advanced settings, increase the timeout and key expiration values.
We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
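As an added example (not WatchGuard's or NCP's code), this Python script checks a constructed Mobile VPN with IPSec address layout for the two range problems described above: a virtual IP address pool that overlaps another network the Firebox routes, and a corporate network that collides with a common home range; all network names and addresses below are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample layout (hypothetical, not a real Firebox configuration).
VPN_ADDRESS_POOL = "10.250.0.0/24"
FIREBOX_NETWORKS = {
    "Trusted": "192.168.1.0/24",       # collides with a common home range
    "Optional": "10.10.0.0/16",
    "BOVPN-Branch": "10.250.0.0/23",   # overlaps the address pool
    "Guest": "172.16.50.0/24",
}
# The two ranges this topic advises against on corporate and guest networks.
COMMON_HOME_RANGES = ("192.168.0.0/24", "192.168.1.0/24")


def check_mobile_vpn_ranges(pool: str, networks: Dict[str, str]) -> List[str]:
    """Return findings for a Mobile VPN with IPSec address layout.

    Reports (1) the virtual IP address pool overlapping any internal, routed,
    or VPN network on the Firebox, and (2) any network that overlaps
    192.168.0.0/24 or 192.168.1.0/24, where a user's home LAN can collide.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    home_nets = [ipaddress.ip_network(r) for r in COMMON_HOME_RANGES]
    findings: List[str] = []
    for name, cidr in networks.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if pool_net.overlaps(net):
            findings.append(f"pool {pool_net} overlaps {name} ({net})")
        for home in home_nets:
            if net.overlaps(home):
                findings.append(f"{name} ({net}) overlaps common home range {home}")
    return findings


def shadowed_by_home_lan(home_lan: str, allowed_resources: List[str]) -> List[str]:
    """Allowed Resources that fall inside a user's home LAN range; per this
    topic, traffic to such addresses does not go through the VPN tunnel."""
    home = ipaddress.ip_network(home_lan)
    return [r for r in allowed_resources if ipaddress.ip_network(r).overlaps(home)]


if __name__ == "__main__":
    for finding in check_mobile_vpn_ranges(VPN_ADDRESS_POOL, FIREBOX_NETWORKS):
        print("FINDING:", finding)
    # A user at home on 192.168.1.0/24 cannot reach the Trusted network.
    print("shadowed:", shadowed_by_home_lan("192.168.1.0/24", list(FIREBOX_NETWORKS.values())))
```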
If you cannot connect to network resources through an established VPN tunnel, go to Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.