VPN SSL error

Good morning. I have SSL VPN configured and working correctly with the Mobile VPN with SSL client. We have to change Internet provider, which means a change of router and public IP.

With the change of this IP, the Mobile VPN with SSL client does not work, but I can connect with OpenVPN. I attach a log of the connections.

The router has public IP -removed- and has DMZ enabled to IP -removed-, which is the external interface of the firewall.

Connection log with error:
Log Mobile VPN with SSL

2020-10-08T09:20:11.211 WatchGuard Mobile VPN with SSL client is already running. Passing command line to process.
2020-10-08T09:20:36.704 Requesting client configuration from -removed-:444
2020-10-08T09:20:40.271 VERSION file is 5.33, client version is 5.33
2020-10-08T09:20:40.773 LaunchOpenVPN: openvpn full command-line(first 8 chars): "C:\Prog, length: 248
2020-10-08T09:20:40.773 LaunchOpenVPN: vpn config full path(first 8 chars): C:\Users, length: 56
2020-10-08T09:20:41.307 OVPN:>HOLD:Waiting for hold release:0
2020-10-08T09:20:41.376 OVPN:>LOG:1602141641,D,MANAGEMENT: CMD ''
2020-10-08T09:20:41.376 OVPN:>LOG:1602141641,D,MANAGEMENT: CMD 'hold release'
2020-10-08T09:20:41.376 OVPN:SUCCESS: hold release succeeded
2020-10-08T09:20:41.376 OVPN:>PASSWORD:Need 'Auth' username/password
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,D,MANAGEMENT: CMD 'username "Auth" "VPN_OFICINAS_SISTEMAS"'
2020-10-08T09:20:41.460 OVPN:SUCCESS: 'Auth' username entered, but not yet verified
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,D,MANAGEMENT: CMD 'password [...]'
2020-10-08T09:20:41.460 OVPN:SUCCESS: 'Auth' password entered, but not yet verified
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,I,TCP/UDP: Preserving recently used remote address: [AF_INET]-removed:444
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,,Socket Buffers: R=[65536->65536] S=[65536->65536]
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,I,Attempting to establish TCP connection with [AF_INET]removed:444 [nonblock]
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,,MANAGEMENT: >STATE:1602141641,TCP_CONNECT,,,,,,
2020-10-08T09:20:41.460 OVPN:>STATE:1602141641,TCP_CONNECT,,,,,,
2020-10-08T09:22:42.507 OVPN:>LOG:1602141762,N,TCP: connect to [AF_INET]removed:444 failed: Unknown error
2020-10-08T09:22:42.507 OVPN:>LOG:1602141762,I,SIGUSR1[connection failed(soft),init_instance] received, process restarting

Log Firewall

2020-10-08 09:25:37 Allow removed removed snpp/tcp 16191 444 0-FIBRA Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 4198794142 win 61690" Traffic
2020-10-08 09:25:38 sessiond receive wgapi message: cmd=1 xpath=/toSessiond/sslvpnFind from=0xce40371d serial=8013035068DDE Debug
2020-10-08 09:25:38 sessiond process status xpath /toSessiond/sslvpnFind Debug
2020-10-08 09:25:38 admd admAuthenticateUserWithGroup: LocalDB: DEBUG=> groupList[0]=SSLVPN-Users Debug
2020-10-08 09:25:38 admd admLocalDbVerifyWithType: LocalDB: VPN_OFI is a SSLVPN user Debug
2020-10-08 09:25:38 sslvpn Received Session Status Change event, current state:0x0 Debug
2020-10-08 09:25:38 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=removed, dropin_mode=0 Debug
2020-10-08 09:25:38 sslvpn Mobile VPN with SSL user VPN_OFI logged in. Virtual IP address is 0.0.0.0. Real IP address is removed. msg_id="2500-0000" Debug
2020-10-08 09:25:38 sslvpn Entering function sslvpn_client_event, event is 262145 Debug
2020-10-08 09:25:38 sslvpn Entering function sslvpn_client_event, event is 33554435 Debug
2020-10-08 09:25:38 sessiond __sess_prcs_sess_find, response:<?xml version="1.0"?> 3 1 140 VPN_OFI 3 28800 180 Firebox-DB 0 0 0 0000000000000000 0000000000000000 86d1b5349f5e8c8ec9bb5ee96150b6446118cec9 1 0x0 removed 0.0.0.0 SSLVPN-Users Debug
2020-10-08 09:25:39 Allow removed removed snpp/tcp 16192 444 0-FIBRA Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 3122594259 win 65535" Traffic
2020-10-08 09:25:39 Allow remoovved removed snpp/tcp 16193 444 0-FIBRA Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 2535621674 win 65535" Traffic
2020-10-08 09:25:39 Allow removed removed snpp/tcp 16194 444 0-FIBRA Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 2438602040 win 65535" Traffic

Comments

  • edited October 2020

    For the case of a correct connection, the public IP is removed.
    Connection log OK:

    2020-10-08 09:47:18 Allow removed removed snpp/tcp 5808 444 5-RADIO_ENLACE External Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 1735045523 win 61690" Traffic
    2020-10-08 09:47:19 Allow removed removed snpp/tcp 5809 444 5-RADIO_ENLACE External Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 764066970 win 65535" Traffic
    2020-10-08 09:47:19 Allow removed removed snpp/tcp 5811 444 5-RADIO_ENLACE External Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 2984773804 win 65535" Traffic
    2020-10-08 09:47:19 sessiond receive wgapi message: cmd=1 xpath=/toSessiond/sslvpnFind from=0xd3003842 serial=8013035068DDE Debug
    2020-10-08 09:47:19 sessiond process status xpath /toSessiond/sslvpnFind Debug
    2020-10-08 09:47:19 admd admAuthenticateUserWithGroup: LocalDB: DEBUG=> groupList[0]=SSLVPN-Users Debug
    2020-10-08 09:47:19 admd admLocalDbVerifyWithType: LocalDB: VPN_OFI is a SSLVPN user Debug
    2020-10-08 09:47:19 sslvpn Entering function sslvpn_client_event, event is 262145 Debug
    2020-10-08 09:47:19 sslvpn Entering function sslvpn_client_event, event is 33554435 Debug
    2020-10-08 09:47:19 sslvpn Received Session Status Change event, current state:0x0 Debug
    2020-10-08 09:47:19 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=removed, dropin_mode=0 Debug
    2020-10-08 09:47:19 sslvpn Mobile VPN with SSL user VPN_OFI logged in. Virtual IP address is 0.0.0.0. Real IP address is removed. msg_id="2500-0000" Debug
    2020-10-08 09:47:19 sessiond __sess_prcs_sess_find, response:<?xml version="1.0"?> 3 1 155 VPN_OFI 3 28800 180 Firebox-DB 0 0 0 0000000000000000 0000000000000000 86d1b5349f5e8c8ec9bb5ee96150b6446118cec9 1 0x0 removed 0.0.0.0 SSLVPN-Users Debug
    2020-10-08 09:47:19 Allow removed removed snpp/tcp 5812 444 5-RADIO_ENLACE External Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 1854326002 win 65535" Traffic
    2020-10-08 09:47:22 Allow removed removed snpp/tcp 5814 444 5-RADIO_ENLACE External Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 6 S 1363704152 win 61690" Traffic
    2020-10-08 09:47:23 sslvpn entered username is VPN_OFI, domain_user is VPN_OFI Debug
    2020-10-08 09:47:23 sslvpn extracted username is VPN_OFI, auth domain is (null) Debug
    2020-10-08 09:47:23 sslvpn preparation done: user=VPN_OFI, domain=Firebox-DB auth_type=0, user_type=0 Debug
    2020-10-08 09:47:23 sslvpn Find existing session: find_flag=2 Debug
    2020-10-08 09:47:23 sessiond receive wgapi message: cmd=1 xpath=/toSessiond/sslvpnFind from=0x8740378a serial=8013035068DDE Debug
    2020-10-08 09:47:23 sessiond process status xpath /toSessiond/sslvpnFind Debug
    2020-10-08 09:47:23 sessiond __sess_prcs_sess_find, response:<?xml version="1.0"?> 3 1 155 VPN_OFI 3 28800 180 Firebox-DB 0 4 4 0000000000000000 0000000000000000 86d1b5349f5e8c8ec9bb5ee96150b6446118cec9 2 0x0 removed 0.0.0.0 SSLVPN-Users Debug
    2020-10-08 09:47:23 sslvpn found existing sslvpn session, sid=155, user=VPN_OFI, domain=Firebox-DB, from=removed Debug
    2020-10-08 09:47:23 sslvpn OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook: no virtual IP avaliable yet, don't update session Debug
    2020-10-08 09:47:23 sslvpn Entered in sslvpn_takeaddr Debug
    2020-10-08 09:47:23 sslvpn Arguments which needs to be sent:openvpn_add 0 1602143243 0 Debug
    2020-10-08 09:47:23 sslvpn Going to open wgipc: Debug
    2020-10-08 09:47:23 sslvpn assign ip address, rip=c0a87102, lip=0, common_name=0 Debug
    2020-10-08 09:47:23 sslvpn Sending Data by wgipc to sslvpn_takeaddr is Success,Buffer:192.168.113.2:0.0.0.0:0 Debug
    2020-10-08 09:47:23 sslvpn Success,Sending Data to sslvpn_firecluster:openvpn_add 0 1602143243 0 Debug
    2020-10-08 09:47:23 sslvpn Result received on ipc socket:192.168.113.2:0.0.0.0:0 Debug
    2020-10-08 09:47:23 sslvpn entered username is VPN_OFI, domain_user is VPN_OFI Debug
    2020-10-08 09:47:23 sslvpn extracted username is VPN_OFI, auth domain is (null) Debug
    2020-10-08 09:47:23 sslvpn preparation done: user=VPN_OFI, domain=Firebox-DB auth_type=0, user_type=0 Debug
    2020-10-08 09:47:23 sslvpn Find existing session: find_flag=3 Debug
    2020-10-08 09:47:23 sessiond receive wgapi message: cmd=1 xpath=/toSessiond/sslvpnFind from=0x9a00378a serial=8013035068DDE Debug
    2020-10-08 09:47:23 sessiond process status xpath /toSessiond/sslvpnFind Debug
    2020-10-08 09:47:23 sessiond __sess_prcs_sess_find, response:<?xml version="1.0"?> 3 1 155 VPN_OFI 3 28800 180 Firebox-DB 0 4 4 0000000000000000 0000000000000000 86d1b5349f5e8c8ec9bb5ee96150b6446118cec9 3 0x0 removed 0.0.0.0 SSLVPN-Users Debug
    2020-10-08 09:47:23 sslvpn found existing sslvpn session, sid=155, user=VPN_OFI, domain=Firebox-DB, from=removed Debug
    2020-10-08 09:47:23 sslvpn update existing session sid=155 ipc_addr=905983882 OK Debug
    2020-10-08 09:47:23 sslvpn Entering function sslvpn_client_event, event is 262145 Debug
    2020-10-08 09:47:23 sslvpn Entering function sslvpn_client_event, event is 33554435 Debug
    2020-10-08 09:47:23 sessiond SSL VPN user VPN_OFI@Firebox-DB from removed logged in assigned virtual IP is 192.168.113.2 msg_id="3E00-0002" Event
    2020-10-08 09:47:23 sslvpn Received Session Status Change event, current state:0x0 Debug
    2020-10-08 09:47:23 sslvpn Session delete event, entry->virtual_ip=0.0.0.0, entry->real_ip=removed, dropin_mode=0 Debug
    2020-10-08 09:47:23 sslvpn Entering function sslvpn_client_event, event is 262145 Debug
    2020-10-08 09:47:23 sslvpn Entering function sslvpn_client_event, event is 33554435 Debug
    2020-10-08 09:47:23 sslvpn Received Session Status Change event, current state:0x0 Debug
    2020-10-08 09:47:23 sslvpn sslvpn_event, add entry, entry->virtual_ip=192.168.113.2, entry->real_ip=removed, dropin_mode=0 Debug
    2020-10-08 09:47:23 sslvpn Mobile VPN with SSL user VPN_OFI logged in. Virtual IP address is 192.168.113.2. Real IP address is removed. msg_id="2500-0000" Debug
    2020-10-08 09:47:23 sslvpn ip=192.168.113.0, netamsk=255.255.255.0 Debug
    2020-10-08 09:47:23 sslvpn SSLVPN IP pool isn't subnet of trusted/optional net, no need to add arp proxy. Debug

    Thank you

  • james.carson Moderator, WatchGuard Representative
    edited October 2020

    Hi @Marcos_rodriguez

    The SSLVPN is based on OpenVPN -- and won't be able to exist with multiple versions of the TAP adapter that OpenVPN and its variants install. Please try uninstalling all VPN type applications (anything that is based on OpenVPN), rebooting, and installing just the WatchGuard VPN client.

    I've gone through your posts and removed all references to your IP addresses. In the future, please do not post personally identifiable information to the forums -- as they're publicly viewable and searchable. If you need to share personal data like your IP addresses, please consider opening a technical support case where this can be done privately.

    -James Carson
    WatchGuard Customer Support

  • edited October 2020

    Good morning, thanks for your answer and for the suggestion, but I had taken the precaution of modifying the IPs and users.

    Both pieces of software are working properly.

    The problem I have is that we have changed the public IP and the router; with the same configuration on the firewall apart from the changed IP, it does not work for me, but I have made progress these days.

    I show the current configuration.

    Public IP of the router: 8.8.8.21
    LAN of the router: 8.8.8.0/24, and the IP of the router is 8.8.8.1.
    Firewall external IP: 8.8.8.4.

    I have modified it in all the VPN services that I have mounted, such as IPsec and SSL (L2TP does not give an option to configure a public IP, so any external that is enabled works).

    If I use OpenVPN SSL, it works fine.
    If I use the WatchGuard SSL client, it does not work when I have configured 8.8.8.4 as the primary IP, but while testing I changed it to the same one the router has, 8.8.8.21, and with this it works for me, although when saving the configuration the System Manager of the Firebox warns me that it is not an IP of the external interface, as is logical.

    Likewise, L2TP does not work for me, and I think it is the same problem as before, but here we do not enter any public IP.

    The router has DMZ enabled to IP 8.8.8.4, which is the firewall.

    What solution is there for this problem?

    A greeting.

  • james.carson Moderator, WatchGuard Representative

    Hi @Marcos_rodriguez

    Based on what I can see here, I think the best thing you can do is create a support case so that the support team can look at your firewall. You can do this by using the support center link at the top right of the screen.

    -James Carson
    WatchGuard Customer Support
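
An added diagnostic sketch, not part of any post in this thread and not WatchGuard code: it reads a Mobile VPN with SSL client log in the format shown in the first post, compares the address the configuration was requested from with the address OpenVPN then tries, and measures how long the TCP connect waited before failing. The sample log and its addresses are constructed, and the idea that the two addresses can differ is an assumption drawn from the 8.8.8.4 versus 8.8.8.21 test described in the thread.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the client-log format from the first post; the addresses
# are placeholders (documentation and RFC 1918 ranges), not the poster's.
SAMPLE_LOG = """\
2020-10-08T09:20:36.704 Requesting client configuration from 203.0.113.21:444
2020-10-08T09:20:40.271 VERSION file is 5.33, client version is 5.33
2020-10-08T09:20:41.460 OVPN:>LOG:1602141641,I,Attempting to establish TCP connection with [AF_INET]192.168.50.4:444 [nonblock]
2020-10-08T09:20:41.460 OVPN:>STATE:1602141641,TCP_CONNECT,,,,,,
2020-10-08T09:22:42.507 OVPN:>LOG:1602141762,N,TCP: connect to [AF_INET]192.168.50.4:444 failed: Unknown error
"""

PATTERNS = {
    "config": re.compile(r"(\S+) Requesting client configuration from (\S+):\d+"),
    "attempt": re.compile(r"(\S+) OVPN:>LOG:\d+,I,Attempting to establish TCP connection with \[AF_INET\](\S+):\d+"),
    "failed": re.compile(r"(\S+) OVPN:>LOG:\d+,N,TCP: connect to \[AF_INET\](\S+):\d+ failed"),
}

def is_private(host):
    """True/False for an IP literal (non-global ranges count as private), None otherwise."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return None  # hostname or redacted value such as "removed"

def diagnose(log_text):
    """Compare the config-download host with the tunnel remote and time the failed connect."""
    report = dict.fromkeys(("config_host", "tunnel_host", "mismatch", "tunnel_is_private", "connect_wait_s"))
    attempt = None  # (timestamp, host) of the most recent connect attempt
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line.strip())
            if not m:
                continue
            when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            host = m.group(2)
            if kind == "config":
                report["config_host"] = host
            elif kind == "attempt":
                attempt = (when, host)
                report["tunnel_host"] = host
                report["tunnel_is_private"] = is_private(host)
            elif attempt and attempt[1] == host:  # kind == "failed"
                report["connect_wait_s"] = (when - attempt[0]).total_seconds()
    if report["config_host"] and report["tunnel_host"]:
        report["mismatch"] = report["config_host"] != report["tunnel_host"]
    return report
```

On a log with redacted addresses, as posted here, the hosts parse as plain strings, so `tunnel_is_private` comes back as `None` and only the connect wait is meaningful.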
