
I have a client who has a WatchGuard XTM 23 device on site as their primary firewall. I just upgraded its firmware a couple of days ago to the latest version for that series, 11.6.6.

The problem is that I haven't been able to successfully set up a VPN connection for them.

Using the instructions at http://www.watchguard.com/help/docs/webui/11_XTM/en-US/index.html#en-US/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html, I'm trying to set up a Mobile VPN with SSL connection: from the firewall web GUI / Dashboard, I go to VPN -> Mobile VPN with SSL, enable it, and add the organization's public IP address to which the firewall is connected. I've set up a group in Active Directory named "SSLVPN-Users", verified that the WatchGuard box can talk to the Active Directory server, and added myself to that group.

I then downloaded the WatchGuard Mobile VPN with SSL client onto my own Windows 7 machine, walked to the client's 2nd building across the street (which has a different public internet connection), and tried to connect to the VPN.

When I do try to connect with the client, I get the following errors:

2013-06-24T15:41:32.119 Launching WatchGuard Mobile VPN with SSL client. Version 11.6.0 (Build 343814)  Built:Jun 13 2012 01:42:55
2013-06-24T15:41:37.595 Requesting client configuration from 184.174.143.176:443
2013-06-24T15:41:50.106 FAILED:Cannot perform http request, timeout 12002
2013-06-24T15:41:50.106 failed to get domain name

I discovered today the Firebox System Manager and its "Traffic Monitor", which shows current log information (refreshing every 5 seconds). Unfortunately, it doesn't look like the client has set up any sort of WatchGuard / Firebox logging server, so server-side logs aren't actually being recorded to file. I can work on implementing that if I need to.

I noticed that if I try to ping the client's public IP address from an outside source, I don't get a response back (unless I add a policy into the firewall to allow ICMP traffic from "External", which I successfully did a few seconds ago for testing purposes; that rule has since been reverted so the firewall does not respond to external ping requests).

There's a policy in the firewall allowing SSLVPN authentication requests coming from any external source TO the Firebox, and then, to do the authentication / actually allow the VPN traffic, there's a policy allowing traffic for anyone in the SSLVPN-Users group to flow between that user and the inside network.

So my questions are:

  1. Has anyone seen these errors before from the WatchGuard VPN client, and/or do you have any suggestions on how I can resolve that error?
  2. If I need to set up a logging server to grab the firewall logs (in order to further troubleshoot this issue), how complicated a task is that, and does it require a lot of system resources? The organization I'm consulting with only has 1 server and not a lot of resources or technical know-how.
David W
  • The WatchGuard client is not working on Windows XP and Windows Vista. Please refer to: Mobile VPN with SSL connections are not supported from Windows XP and Windows Vista. WatchGuard recommends you do not use any OS or browser version that does not support secure encryption standards. Please refer to http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000QC3UKAW&lang=en_US – Salem GALOUL Dec 02 '16 at 09:46

1 Answer


Every time I run into this, the fix is usually to use remote.domain.com:4100. Even if your policy says to use port 22 or 443, you must still append the :4100 after it, just like when you're downloading the SSLVPN client.

David V
  • That worked... sort of. I got a whole lot further, but I'm still having issues (getting new messages in the log now; I'll update the question, although I sort of feel like opening a new question). Thanks for the response. – David W Jun 28 '13 at 13:13
  • The updated log looks like it's an issue with ISATAP on the client. In the WatchGuard System Manager, if you open up your Policy Manager -> VPN menu -> Mobile VPN -> SSL, verify the primary and/or backup Firebox IP addresses and the virtual IP address pool the clients use. – David V Jun 28 '13 at 13:56
  • This could get into a long discussion. I'll open a new question. Thanks. – David W Jun 28 '13 at 19:01
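The client log in the question and the accepted answer together describe one diagnostic: the client first fetches its configuration over HTTPS from the Firebox, and a `timeout 12002` there (12002 is the WinINet ERROR_INTERNET_TIMEOUT code) means nothing answered on the port dialed, not that authentication failed. The following Python script is an added example, not code from the question, the answer or WatchGuard; it parses those client log lines, TCP-probes the port the client tried alongside port 4100 from the answer, and turns the results into the checks a practitioner would make. The sample log is the question's own text embedded as a constructed string, the helper names (`parse_client_log`, `probe_port`, `diagnose`) are assumptions, and `open_local_listener` exists only so the probe can be exercised offline.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample: the client-side log lines quoted in the question.
SAMPLE_CLIENT_LOG = """\
2013-06-24T15:41:32.119 Launching WatchGuard Mobile VPN with SSL client. Version 11.6.0 (Build 343814)  Built:Jun 13 2012 01:42:55
2013-06-24T15:41:37.595 Requesting client configuration from 184.174.143.176:443
2013-06-24T15:41:50.106 FAILED:Cannot perform http request, timeout 12002
2013-06-24T15:41:50.106 failed to get domain name
"""

# Port the accepted answer says must be appended to the Firebox address.
SSLVPN_CONFIG_PORT = 4100

REQUEST_RE = re.compile(r"Requesting client configuration from (?P<host>[^:\s]+):(?P<port>\d+)")
FAILED_RE = re.compile(r"FAILED:(?P<msg>.*)")


def parse_client_log(text: str) -> Dict[str, Optional[object]]:
    """Extract the endpoint the client dialed and the first FAILED message it logged."""
    info: Dict[str, Optional[object]] = {"host": None, "port": None, "failure": None}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            info["host"] = m.group("host")
            info["port"] = int(m.group("port"))
            continue
        m = FAILED_RE.search(line)
        if m and info["failure"] is None:
            info["failure"] = m.group("msg").strip()
    return info


def probe_port(host: str, port: int, timeout: float = 3.0) -> Dict[str, str]:
    """Plain TCP connect with a deadline: 'open' means something answered on that port,
    'timeout' matches what the VPN client saw (no answer at all), 'refused' means the
    host is reachable but nothing listens there."""
    result = {"host": host, "port": str(port)}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["status"] = "open"
    except socket.timeout:
        result["status"] = "timeout"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.gaierror:
        result["status"] = "unresolved"
    except OSError as exc:
        result["status"] = "error"
        result["detail"] = str(exc)
    return result


def diagnose(info: Dict[str, Optional[object]], port_status: Dict[int, str]) -> List[str]:
    """Turn the parsed log plus probe results into concrete checks, following the thread."""
    hints: List[str] = []
    failure = str(info.get("failure") or "").lower()
    host, tried = info.get("host"), info.get("port")
    if "timeout" in failure:
        hints.append(f"Config fetch to {host}:{tried} timed out (WinINet 12002): nothing answered, "
                     "so this is reachability, not Active Directory authentication.")
    if port_status.get(tried) != "open" and port_status.get(SSLVPN_CONFIG_PORT) == "open":
        hints.append(f"TCP {tried} does not answer but {SSLVPN_CONFIG_PORT} does: dial "
                     f"{host}:{SSLVPN_CONFIG_PORT} in the client, as the accepted answer says.")
    if port_status and all(s != "open" for s in port_status.values()):
        hints.append("No probed port answers from outside: confirm the SSLVPN policy (From Any-External "
                     "To Firebox) is active and that the public IP dialed is the one bound on the Firebox.")
    return hints


def open_local_listener() -> Tuple[socket.socket, int]:
    """Loopback listener on an ephemeral port so probe_port can be demonstrated offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    parsed = parse_client_log(SAMPLE_CLIENT_LOG)
    # Against a real Firebox you would probe parsed["host"]; here, a loopback listener stands in.
    srv, port = open_local_listener()
    statuses = {443: "timeout", SSLVPN_CONFIG_PORT: probe_port("127.0.0.1", port, 1.0)["status"]}
    srv.close()
    for hint in diagnose(parsed, statuses):
        print("-", hint)
```

Run from the second building (the outside vantage point the question uses): replace the loopback listener with `probe_port(parsed["host"], 443)` and `probe_port(parsed["host"], 4100)`; a `timeout` on 443 next to `open` on 4100 reproduces exactly the situation the answer fixes, while `timeout` on both points back at the external SSLVPN policy or the public IP rather than the client.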