Best Of
Re: SSLVPN 12.11.4 Internet connection issues
The above article title:
- When split tunnel VPN is configured, Mobile VPN with SSL Client v12.11.4 users cannot get access to Internet
Other SSLVPN V12.4 Known Issues:
- After upgrade to Mobile VPN with SSL v12.10.4, authentication to a Firebox from Windows fails
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr0000004fPZKAY&lang=en_US
- Firebox uses Mobile VPN with SSL tun0 IP address instead of Trusted to connect to AuthPoint Gateway
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3SbSAI&lang=en_US
- Mobile VPN with SSL connection fails for client accounts with Roaming User Profiles
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3U6SAI&lang=en_US
- Mobile VPN with SSL user does not get IP address
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g6CTSAY&lang=en_US
- SAML login to SSL VPN fails if Carrier-Grade NAT uses multiple public IPs
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000DLLBKA4&lang=en_US
- Mobile VPN with SSL incorrectly sends an OTP prompt as a password when it authenticates users with AuthPoint
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000gDS0SAM&lang=en_US
- Mobile VPN with SSL client unexpectedly uses Windows LAN interface defined DNS servers over DNS servers defined by the VPN
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3csSAA&lang=en_US
- SSL VPN connections fail after the client requests the configuration from the Firebox
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000BxeHKAS&lang=en_US
- Non-HTTPS traffic over port 443 denied by cloud-managed Firebox
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000Bc3kSAC&lang=en_US
Plus some Mac specific ones.
Re: SSLVPN 12.11.4 Internet connection issues
We have exactly the same problem since the new SSLVPN 12.11.4 client. It occurs completely sporadically and without us being able to identify any connection, affecting various clients. The issue can be temporarily resolved by reconnecting, but then it reappears after a few hours, days, or even a week. Support from WatchGuard is very inconsistent, and you often get the impression that they are just stalling us and randomly requesting things like restarting the firewall, etc.
There is even a Knowledge Base article about this issue at: https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000E96fKAC&lang=en_US.
Re: SSLVPN 12.11.4 Internet connection issues
WatchGuard is working on getting a collection of SSLVPN related bugs into a build that will be available shortly. Please stay tuned for an update.
Mark Boscolo
WatchGuard Support Manager.
Re: Failed update, adding back to the cluster
@james.carson Unfortunately I wasn't able to get the older file of the version from the website. I did request it in the case to downgrade as a backup option. So we went with disabling the cluster, updating the live one, then setting the cluster back up, and were back up and running within an hour. Most of it was triple-checking that the cluster settings were correct before adding the member back. Thank you for your help.
Re: Failed update, adding back to the cluster
Hi @ANicholls
If you can get the firewall out of recovery mode (assuming there isn't something wrong with it), you'll need to do one of two things:
- The firewall you reset needs to be at the same version number, so downgrade it to the correct version.
or
- Temporarily disable the cluster (by going to Firecluster -> Configuration, and uncheck enable firecluster, then save.) Once the cluster is disabled, you can upgrade that firewall as a standalone unit, and then reform the cluster once they're on the same version.
I would suggest the first option, as that should allow you to upgrade the cluster's Fireware version without both firewalls being down for any period.
If you are not getting responses during the time of day that you'd like in your support case, please check your hours of availability. Our ticketing system auto-assigns cases to our technicians based on that. If you're not able to do that, please let the technician know in your case, and they can update that for you.
Re: Mobile VPN SSL high CPU
I came here to post and ask about this as well. I've seen this behavior on every machine I've had 12.11.4 installed on. Right now I'm on an older dual-core w/ hyperthreading machine and the client is pegged at 25% CPU.
Re: Mobile VPN SSL high CPU
Maybe I didn't make myself clear...the high CPU means the PC side, not the Firebox. There is a significant change after updating from 12.11.3.
Mobile VPN SSL high CPU
Is it just me, or is anybody else seeing high CPU load with the new 12.11.4 version of the client? It is drawing around 15% all the time.
Re: Firecluster with Multiwan - Layer 2 switch recommendations
Marc C, we currently have 5 ISP feeds (1 is an evaluation) into an M390 cluster and twin switches providing connectivity. My suggestion is to spend adequate money for the task because it will likely return that value many times.

