We are using the Mobile SSL VPN Client version 12.11.4 with an M290 on firmware 12.11.3.B719894.
With SAML requests going to Entra/Azure

When I installed Office 2021 LTSC.
I said yes to the prompt asking if I wanted to allow my credentials to be used to log in to all Microsoft products. (Office, Teams, Onedrive, Edge, ect ect).

I've applied the 12.11.4 workaround in regards to copying the WatchGuard folder to the AppData/local folder.
When I run the client and auth with SAML. The webview2 window opens and is white for a few seconds, and then says You've been successfully authenticated and nothing happens. The window doesn't close, and the connection doesn't establish.
The log shows the following.
2025-09-26T10:16:04.300 Requesting client configuration from XXX.XXX.XXX.XXX:443
2025-09-26T10:16:07.991 Navigation complete.

If I right-click within the WebView2 window and click refresh, it closes the window and completes the connection successfully to the firewall.

I assume that the prompt with the Office install to use the credentials is allowing me to bypass actually having to go through the auth process on the webview2 screen.
My co-worker specified No on that Office install screen when prompted to use the creds for all Microsoft products, because he wants to be able to log in to each Microsoft product with different creds. He has to go through the whole login process on the webview2 screen in order to authenticate the SAML VPN connection.

2026-04-08 14:21:55 Primary admd Authentication of Firewall user [user@Firebox-DB] from 10.10.10.10 was accepted msg_id="1100-0004" Event
2026-04-08 14:21:55 Primary sslvpn Mobile VPN with SSL user user logged in. Virtual IP address is 0.0.0.0. Real IP address is 10.10.10.10. msg_id="2500-0000" Event
2026-04-08 14:21:55 Primary sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=10.10.10.10, dropin_mode=0 Debug
2026-04-08 14:21:56 Secondary sslvpn Mobile VPN with SSL user user logged in. Virtual IP address is 0.0.0.0. Real IP address is 10.10.10.10. msg_id="2500-0000" Event
2026-04-08 14:21:56 Secondary sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=10.10.10.10, dropin_mode=0 Debug
2026-04-08 14:21:58 Primary Allow 10.10.10.10 20.20.20.20 https/tcp 55184 443 Internet-Fiber Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 6 S 2209399070 win 61690" geo_src="DEU" geo_dst="DEU" Traffic
2026-04-08 14:21:59 Primary admd Authentication of Firewall user [user@Firebox-DB] from 10.10.10.10 was rejected, invalid credentials or user doesn't exist msg_id="1100-0005" Event

What am I doing wrong? I also tried different passwords.

There is also AuthPoint configured. AuthPoint Authentication Server is set as default.

We can install the software through Intune using this command which works fine:
WG-MVPN-SSL_12_11_5.exe /autokill /silent /verysilent

However it restarts the device, is there a way to suppress the restart? I have set this option in Intune but I think it might require a command line switch instead,

Thank you

I tried setting up something manually from the Android config file but couldn't get it to work, and just wondered if someone had already done this and/or can point me in the right direction? I couldn't find much from searching both Watchguard Docs and this forum or Google.

Thanks
Keith

Getting the following error when trying to download IKEv2 VPN Config for clients.

What is happening here?

However, no matter how many times I tried, I was unsuccessful at connecting to my VPN. Using the same network, and the same username/password, my (AMD64-based system sitting right next to it connects perfectly. Like it always does.

Is Windows On Arm supposed to be supported? Is there something I need to do to enable this?

If this doesn't currently work, that seems to be me to be a pretty big problem. The Surface Pro X and other Windows On Arm based laptops are being positioned a premier machines for "executive" type knowledge workers (that's code for folks who read a lot of email and edit lot of documents).

Help?

Peter

I've been reading about this new WireGuard vpn, which seems to be quite performante compared to other vpn types and will also be integrated in the linux kernel (if it isn't already).
Does WatchGuard have plans to integrate this new VPN type?

Thanks!

Greetings,

Thibaud

We have a strange problem: We deploy IKEv2 vpn connections to Windows clients via Intune. This works perfectly fine!

The users can connect and work via RDP etc. But as soon as they transfer larger files the vpn connection drops suddenly and they have to reconnect.

In the log of the firewall we find entries like this:

drop the received IKEv2 message from aaa.bbb.ccc.ddd:1040 - reason="no IkeV2SA is found"

The problem happens also internally if I'm in an optional network (guest wifi) and connect via VPN to the trusted network.

Interestingly: When we deploy the same connection via powershell it works perfectly!

Does anybody know which Intune settings can cause this "no IkeV2SA is found" problem?

I cant find anything in the net.

Thanks

Axel

Has anybody else experienced this phenomena? Any tips or tricks I might not be aware of? Authentication through Entra works fine, right up until the Firebox receives the reply. According to the AIs, it's related to SAML for Firebox authentication and Mobile VPN authentication being split on some models but not all, but as I can't find definite sources on that it's difficult to tell whether that's AI hallucination or not.

I've been cursing the Mobile VPN client versions 12.11.3 and 12.11.4 for a while now, thought the issues finally got fixed with 12.11.5 but in combination with FireOS 12.11.6 it's proven an unreliable mess. (Tried creating a ticket, but that form also jammed when I clicked send.)

I use a M290 Cluster and 2FA is activated. Will there a benefit to change this setting and is it really faster?

What will happen when I change this setting? Are all users who are using the SSLVPN client still able to connect? Whats will happen to the users which are using the ovpn-file on android or linux? Do they have to change something?

icmp from lan to ikev2 muvpn client shows up like
Allow 192.168.22.22 192.168.114.3 echo-request/icmp Trusted External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="x.x.x.x" type="8" dst_user="xxx@xxx" Traffic

so the firewall is going to nat from die external ip instead of routing

any ideas ?

How can I configure so my dimension sends an mail when there is a failed login attempt via SSL VPN?
And also when there is a successful login.

I cannot for my life find where and how to do that.

Model: FireboxV Medium
Version: 12.11.4.B722644

Having some recent issues with my virtual firebox and Mobile SSL users connecting. This has worked fine for a couple of years, but the last couple of months have seen various users getting "timed out" and "Failed to get domain name" error messages.

We use AD to authenticate, as we have for years. With the DCs for the domain residing behind the virtual firewall, on a trusted network.

I have three physical fireboxes connected to the virtual firebox via BOVPN (in different locations), and the same users can authenticate fine to those - using the same DCs behind the virtual firebox (Switching the server address to the physical devices). So it is only the virtual firewall direct that is causing the issues.

I have spoken to the datacentre engineers, where the virtual firewall resides, and we have run various network checks and nothing has cropped up. General internet access from the virtual firewall and the BOVPN tunnels are all working fine.

Some users have had no issues at all and continue to logon to the Virtual firebox without issue. But others (including myself) just can't connect using it. So we have to use one of the other physical devices.

Open to ideas and things to check before I raise a proper ticket with WatchGuard.

Regards,
Chris Snape

They currently have a Firebox T30 with a mobile VPN configured. In the interface settings, the existing external IP is set to the public IP xxx.xxx.xxx.110, and the gateway is xxx.xxx.xxx.109.

The new ISP has provided a new router and specified the IP assigned via PPPoE, but no additional details were given.

The default IP for the new router is 192.168.1.1.

Could anyone provide guidance on the simplest way for someone with limited experience to update the external configuration to work with the new router?

i want to renew the Saml Certificate on our firebox. But i can't found any Option to replace the X509 Certificate for saml. Please help.

Thanks a lot.

we would like to set up an IKEv2 VPN connection for our Apple iPhones. User authentication should be done via a certificate. Is that possible? If so, what needs to be configured?

We are currently using a Firebox M390 with version 12.11.4.

Thank you very much.

The context help in Watchguard Cloud says this:

So in the DNS section Public and Internal are set like this. (100.100 is used internally at client)

To me the above above makes sense. Any domain.com queries to by a VPN client should be answered by the servers on the Internal DNS screen. But they aren't.

The Knowledge Base gives conflicting information to Help if I am interpreting it correctly.

So entering an internal DNS server on the Public section is needed to resolve the Internal hosts? I works, but is this really the way it is supposed to work or is there another way to configure this that when reviewing the config does not look wrong?

Hopefully I have just overlooked something.

I am connecting to a Firebox M290 at our office from my home, which has Spectrum 1Gbps (40Mbps up) cable internet and just the default Spectrum router. I'm on a Macbook Pro M1 and OSX 13.7.x, and use the default Mac VPN client for connecting. Our office has a Mac Mini Server that I connect to, using AFP (but have tried SMB as well).

I have no idea if a robust, name-brand home router would make any difference in helping keep my VPN connection connected, but need to get a new one anyway, so figured I'd ask. Don't need crazy mesh WiFi or anything, just solid performance. I connect to router via 1Gb ethernet.

RANDOM DISCONNECTS
I worked with WatchGuard support agents for probably 8+ months back-and-forth trying to find a solution for my VPN connection that would randomly disconnect, but they were not able to come up with anything, so we gave up and I just deal with random disconnects. We have both IKEv2 and L2TP protocols enabled, which I connect to via the built-in Mac VPN client. When using IKEv2, which I prefer due to being split-tunnel, I get sudden, completely random disconnects throughout a workday (maybe 2-3 on a bad day). When using L2TP, the connection is more solid until I try to upload files to our server. What we were told about this was that the connection was getting saturated so the keep-alive or DPD messages would fail causing the disconnects. I only recently bumped my upload speed from 20Mbps to 40Mbps, but still not any more reliable. Hoping the eventual move to synchronous speeds may help, but that may be months/years away.

THANKS FOR ANY ADVICE!

From time to time, our users get the following 403 error (especially the first time they are authenthenticating, thereafter it happens sporadically)

In the Firewall, I found the following relevant logs:

,C03904C857A4C,db,"FWStatus, dnip_earlydrop_process, DNIP number of office.com has decreased below WATERMARK[250], pri=3, proc_id=fqdnd, msg_id=",15256985,2025-01-07 11:23:21
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15273869,2025-01-07 11:28:58
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:29:31 [error] 7211$0: *112997 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15275559,2025-01-07 11:29:31
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15278171,2025-01-07 11:30:20
,C03904C857A4C,db,"FWStatus, ACS: no client associated for the request, pri=3, proc_id=samld, msg_id=",15282057,2025-01-07 11:31:43
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:31:44 [error] 7211$0: *113003 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15282070,2025-01-07 11:31:44
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:32:02 [error] 7211$0: *113006 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15282654,2025-01-07 11:32:02
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15284911,2025-01-07 11:32:54
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:33:12 [error] 7211$0: *113013 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15285738,2025-01-07 11:33:12
,C03904C857A4C,db,"FWStatus, ACS: user john.doe@company.com from sslvpn_client logged in, pri=6, proc_id=samld, msg_id=",15285737,2025-01-07 11:33:12

I'm most interested in the error entries regarding the certificate:

,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33

I've tried to update the Trusted CA certificates for proxies in the Firebox System Manager, but as far as I can tell there is no certificate which responds to this description.

The other error which happens a lot (also on other times) is this one:
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58

I also got a similar Fault report - I've sent it to watchguard but not sure what els I could do with this.

So to summarize: how could I resolve this 403 error which happens from time totime?

FYI I'm using Mobile VPN with SSL client 12.11

However, the VPN connection does not proceed automatically. Users are required to manually right-click and select "Refresh" in order for the VPN to hook the ssl client authentication process and complete the connection.