mobile ssl vpn immediate disconnects

I have an odd problem with some installs of Mobile SSL VPN. The client authenticates, connects, adds routes and then immediately disconnects. This happens on only 3 of our clients so far, different machines, different operating systems. Client uninstall and re-install does not resolve the issue. Can anybody shed any light?

Comments

  • What firewall model & XTM version do you have?
    What are the OSes of the problem devices?
    Anything obvious in Traffic Monitor for these problem connections?

    You can turn on diagnostic logging for SSLVPN which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • Also, anything obvious in the SSLVPN client logs?
    Right click on the icon in the Windows System tray, select View Logs

  • Check that you have the TAP driver installed. We had this issue and it was due to installing the software silently, which did not automatically install the TAP driver as is requested when installing manually.

  • If you use Windows 10, run the installer as Administrator or else the TAP driver may not install correctly.

    Gregg Hill

  • Did you resolve the problem? I have exactly the same problem. I discovered that it happens with some home internet connections (FTTH connections, Movistar, Vodafone...). The same client (laptop) connected from an FTTH connection does not work, and then connected through 4G (with his smartphone) works, or connected from a professional office (FTTO connection) works. Thanks

  • james.carson Moderator, WatchGuard Representative

    Hi @Jaume
    That type of disconnect would suggest that you're getting a reset sent to you when you try to connect.

    -Make sure that you're using the standard port (443/tcp)
    -If you're using a mobile router, make sure that any options that look like "allow VPN pass-thru" are enabled.

    If you continue to run into that issue, I'd suggest opening a support case.

    -James Carson
    WatchGuard Customer Support

  • I ran into an issue connecting after installing a Sophos VPN client. Ended up reinstalling the WatchGuard SSL VPN client and it started to work again. Sophos must have tweaked the TAP client.

  • james.carson Moderator, WatchGuard Representative

    Hi @Bill_F

    Looking at Sophos' SSLVPN client, theirs appears to be based on OpenVPN (lots of vendors do this for compatibility.) -- Your assessment is likely correct.

    I can't speak to Sophos' implementation, but our SSLVPN installer does have an option to not install (and ergo, use the existing installed) TAP driver. Reinstalling our client would have also registered it with the correct one.

    If both clients are working, they should be registered with the correct driver they're using.

    -James Carson
    WatchGuard Customer Support

  • So I'm having the same issue, it's disconnecting right away. Usually I have re-installed and it fixes it, but it is still not working after installing again. I turned on debug. Here is the log below. I don't see anything on the server logs. Will look a little closer to see if I can notice anything. I use the timestamps to try to sync the logs. From the client log it looks like the client is resetting the connection because it received "event_wait returned 1"? Has anyone seen this?

    2023-12-27T15:20:14.413 Requesting client configuration from jfgc.selfip.com:443
    2023-12-27T15:20:29.632 auth failed
    2023-12-27T15:20:33.513 OVPN:>HOLD:Waiting for hold release
    2023-12-27T15:20:33.592 OVPN:>LOG:1703708433,D,MANAGEMENT: CMD ''
    2023-12-27T15:20:33.593 OVPN:>LOG:1703708433,D,MANAGEMENT: CMD 'hold release'
    2023-12-27T15:20:33.593 OVPN:SUCCESS: hold release succeeded
    2023-12-27T15:20:33.594 OVPN:>PASSWORD:Need 'Auth' username/password
    2023-12-27T15:20:33.672 OVPN:>LOG:1703708433,D,MANAGEMENT: CMD 'username "Auth" "tom"'
    2023-12-27T15:20:33.672 OVPN:SUCCESS: 'Auth' username entered, but not yet verified
    2023-12-27T15:20:33.673 OVPN:>LOG:1703708433,D,MANAGEMENT: CMD 'password [...]'
    2023-12-27T15:20:33.673 OVPN:SUCCESS: 'Auth' password entered, but not yet verified
    2023-12-27T15:20:33.749 OVPN:>LOG:1703708433,,Control Channel MTU parms [ L:1571 D:140 EF:40 EB:0 ET:0 EL:0 ]
    2023-12-27T15:20:33.750 OVPN:>LOG:1703708433,,Socket Buffers: R=[65536->65536] S=[65536->65536]
    2023-12-27T15:20:33.751 OVPN:>LOG:1703708433,,MANAGEMENT: >STATE:1703708433,RESOLVE,,,
    2023-12-27T15:20:33.751 OVPN:>STATE:1703708433,RESOLVE,,,
    2023-12-27T15:20:33.752 OVPN:>LOG:1703708433,,Data Channel MTU parms [ L:1571 D:1450 EF:71 EB:4 ET:0 EL:0 ]
    2023-12-27T15:20:33.754 OVPN:>LOG:1703708433,,Local Options String: 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
    2023-12-27T15:20:33.755 OVPN:>LOG:1703708433,,Expected Remote Options String: 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
    2023-12-27T15:20:33.756 OVPN:>LOG:1703708433,,Local Options hash (VER=V4): '68e0a8e4'
    2023-12-27T15:20:33.757 OVPN:>LOG:1703708433,,Expected Remote Options hash (VER=V4): '070d3472'
    2023-12-27T15:20:33.758 OVPN:>LOG:1703708433,I,Attempting to establish TCP connection with [AF_INET]73.201.157.93:443 [nonblock]
    2023-12-27T15:20:33.759 OVPN:>LOG:1703708433,,MANAGEMENT: >STATE:1703708433,TCP_CONNECT,,,
    2023-12-27T15:20:33.759 OVPN:>STATE:1703708433,TCP_CONNECT,,,
    2023-12-27T15:20:34.797 OVPN:>LOG:1703708434,I,TCP connection established with [AF_INET]73.201.157.93:443
    2023-12-27T15:20:34.798 OVPN:>LOG:1703708434,I,TCPv4_CLIENT link local: [undef]
    2023-12-27T15:20:34.799 OVPN:>LOG:1703708434,I,TCPv4_CLIENT link remote: [AF_INET]73.201.157.93:443
    2023-12-27T15:20:34.800 OVPN:>LOG:1703708434,,MANAGEMENT: >STATE:1703708434,WAIT,,,
    2023-12-27T15:20:34.800 OVPN:>STATE:1703708434,WAIT,,,
    2023-12-27T15:20:34.801 OVPN:>LOG:1703708434,D, event_wait returned 1
    2023-12-27T15:20:34.802 OVPN:>LOG:1703708434,D,TCPv4_CLIENT WRITE [14] to [AF_INET]73.201.157.93:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=b0e0f1bf ada48006 [ ] pid=0 DATA
    2023-12-27T15:20:34.803 OVPN:>LOG:1703708434,D,TCPv4_CLIENT write returned 16
    2023-12-27T15:20:34.804 OVPN:>LOG:1703708434,D, event_wait returned 1
    2023-12-27T15:20:34.805 OVPN:>LOG:1703708434,N,Connection reset, restarting [0]
    2023-12-27T15:20:34.805 OVPN:>LOG:1703708434,,TCP/UDP: Closing socket
    2023-12-27T15:20:34.806 OVPN:>LOG:1703708434,I,SIGUSR1[soft,connection-reset] received, process restarting
    2023-12-27T15:20:34.807 OVPN:>LOG:1703708434,,MANAGEMENT: >STATE:1703708434,RECONNECTING,connection-reset,,
    2023-12-27T15:20:34.808 OVPN:>STATE:1703708434,RECONNECTING,connection-reset,,
    2023-12-27T15:20:34.808 OVPN:>HOLD:Waiting for hold release

  • james.carson Moderator, WatchGuard Representative

    Hi @jfgc1933

    You're getting connection resets:
    STATE:1703708434,RECONNECTING,connection-reset,,

    If the firebox isn't sending those, they may be coming from something else.
    -Antivirus/EDR type apps on local PC
    -Firewall app on local PC

    It may also be worth looking at your network devices -- there should be one TAP adapter there. If there's none, or multiple, there may be a problem.

    -If none, something might be erasing your TAP adapter, these are required for the SSLVPN to work.
    -If multiple, you may have more than one SSLVPN type app installed. Anything based on OpenVPN will usually install one. If the version number is the same, you can use the option in the SSLVPN installer to not install one during the process, and the VPN should register with the existing one.

    It may also be worth opening a support case for assistance, so that our team can take a look at your logs and assist.

    If your company's policy does not allow for the TAP adapter, you may wish to look into the IKEv2 VPN, which uses the VPN client built into most OSes vice needing to install one.

    -James Carson
    WatchGuard Customer Support
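
Added example, not part of the thread and not WatchGuard code: a small triage script for client logs in the format posted above, reporting how far each attempt got before the `RECONNECTING,connection-reset` state. The sample log is constructed (documentation IP address, zeroed session id), and the stage names are labels invented for this example.

```python
import re

# Constructed sample in the client-log format posted above (not the poster's data).
SAMPLE_LOG = """\
2023-12-27T15:20:33.759 OVPN:>STATE:1703708433,TCP_CONNECT,,,
2023-12-27T15:20:34.797 OVPN:>LOG:1703708434,I,TCP connection established with [AF_INET]192.0.2.10:443
2023-12-27T15:20:34.800 OVPN:>LOG:1703708434,,MANAGEMENT: >STATE:1703708434,WAIT,,,
2023-12-27T15:20:34.800 OVPN:>STATE:1703708434,WAIT,,,
2023-12-27T15:20:34.802 OVPN:>LOG:1703708434,D,TCPv4_CLIENT WRITE [14] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=00000000 00000000 [ ] pid=0 DATA
2023-12-27T15:20:34.803 OVPN:>LOG:1703708434,D,TCPv4_CLIENT write returned 16
2023-12-27T15:20:34.805 OVPN:>LOG:1703708434,N,Connection reset, restarting [0]
2023-12-27T15:20:34.808 OVPN:>STATE:1703708434,RECONNECTING,connection-reset,,
"""

# Only real LOG/STATE events; HOLD, PASSWORD and SUCCESS lines are skipped.
LINE = re.compile(r"^(\S+) OVPN:>(LOG|STATE):\d+,(.*)$")

def triage(log_text):
    """Return one finding per reconnect, saying how far the attempt got."""
    findings = []
    state, tcp_up, writes, reads = None, False, 0, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, kind, rest = m.groups()
        if kind == "LOG":
            _flags, _, msg = rest.partition(",")
            tcp_up |= msg.startswith("TCP connection established")
            writes += " WRITE [" in msg   # packet lines appear only at debug level
            reads += " READ [" in msg
            continue
        name, detail = (rest.split(",") + [""])[:2]
        if name != "RECONNECTING":
            state = name
            continue
        if not tcp_up:
            stage = "tcp-not-established"
        elif writes == 0 and reads == 0:
            stage = "no-packet-lines"     # debug logging was off; cannot tell
        elif reads == 0:
            stage = "reset-before-server-reply"
        else:
            stage = "reset-after-server-reply"
        findings.append({"time": stamp, "reason": detail, "last_state": state,
                         "writes": writes, "reads": reads, "stage": stage})
        state, tcp_up, writes, reads = None, False, 0, 0
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A `reset-before-server-reply` result matches the log posted above: the TCP session opened, the client wrote its first control packet, and the reset arrived before anything was read back.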

  • @james.carson So I turned off Defender firewall. That's all I have running. That didn't help. I can connect with my laptop no problem from the same network but over Wi-Fi. All this used to work, it just started happening on my PC. I have tried reinstalling and manually removing the TAP driver. There is only 1 TAP driver. Also tried installing as admin. No dice.

    Also, I always get this message on my PC, even when it was working. "Could not download the configuration file from the server. Do you want to try to connect using the most recent configuration". I would just answer yes and it would connect ok. That is when it was working. Anyway, where is it getting this configuration file because it overwrites the current .ovpn file. I'm just wondering because the 2nd ip address is incorrect in there and want to change that. Do you know where this file is located? I would think if it can't download the file from server it just uses the one in "C:\Users\\AppData\Roaming\WatchGuard\Mobile VPN", but it seems to get information from somewhere else and it overwrites this file when I click yes. Would it store that info in the registry? I can't seem to find it. I have searched through the entire file system.

    Thanks,
    Tom

  • It is on the firewall.

    See the "Download the Mobile VPN with SSL Client Profile" section, here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_ovpn_profile_c.html

  • I had a similar problem on certain Surface tablets. Check your processor. I have confirmed with WatchGuard that the TAP driver they provide does not work with ARM processors.

    I have a workaround though.

    Afterwards, your Watchguard SSL VPN will be able to connect.

  • @KBush said:
    I had a similar problem on certain Surface tablets. Check your processor. I have confirmed with WatchGuard that the TAP driver they provide does not work with ARM processors.

    I have a workaround though.

    Afterwards, your Watchguard SSL VPN will be able to connect.

    Thank you so much! I spent over an hour screwing with this.
    I don't understand why WatchGuard can't update the installer to at a minimum not install the TAP driver if the host CPU is an ARM processor and notify you to get an alternate
