Issue with SSLVPN 12.2 and latest Outlook Office 365

Hi,

We have been having issues accessing Outlook after the latest builds (1902, 1903).
This only occurs with the SSLVPN 12.2 that we use, configured as force tunnel.

IKEv2 VPN works fine with remote gateway on.

Error msg from Outlook is "Sorry, we can’t connect to your account. Please try again later"
If I flushdns after connecting to SSLVPN, it works again.
After a reboot or reconnect, the same issue comes back.

Don't know if it's related to SSLVPN or Outlook or actually both, but it's a really annoying feature that is causing a lot of problems.

Maybe some bug with client?

Comments

  • Best to open a support incident on this.

  • I opened a case for it. I can reply with the result or solution here if someone needs it. This is only happening with Office365 users using MFA when the tenant has Modern authentication enabled.

  • ToniJoronen, can you reply with the solution, as we are having the exact same issue? Thanks

  • I had the same issue and it's due to the "TAP-Windows Adapter V9" network connection. Open the "TAP-Windows Adapter V9" network properties, and add a gateway to it that matches the IP address of the SSLVPN connection to the Firebox.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • James_Carson WatchGuard Representative

    Hi @DavidJ

    If you're running into an issue that's causing your VPN to not work, I'd suggest opening a support ticket so that one of our technicians can help.

    You can open a case online or via the phone here:
    https://www.watchguard.com/wgrd-support/contact-support

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • edited August 7

    James,

    In my case, the SSLVPN worked fine with everything except for Outlook connecting to Office 365 with multi-factor authentication and Modern Authentication enabled on the Office 365 tenant. The fix is the TAP adapter change I noted.

    EDIT: This issue is some of the information already answered on the old forums that did not get carried over to this new forum.

    Gregg Hill


  • The TAP Adapter change fixes it.. but... I don't want to do that for 250 people manually. Is there a baseline fix in the firewall yet?
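
Added example (not part of the thread and not WatchGuard's code): one way to script the TAP adapter change discussed here so it can be pushed to many clients instead of edited by hand. It assumes that a default route on the adapter is an acceptable equivalent to typing the gateway into the adapter's IPv4 properties, uses the 192.168.35.1 gateway quoted in this thread for a 192.168.35.0 SSLVPN subnet, and its parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: gives the SSLVPN TAP adapter a default gateway.
# Assumptions: parameter names are hypothetical; 192.168.35.1 is the gateway
# quoted in this thread for a 192.168.35.0 SSLVPN subnet, so use your own value.
param(
    [string]$AdapterDescription = 'TAP-Windows Adapter V9*',
    [string]$Gateway = '192.168.35.1'
)

# Find the TAP adapter(s) by driver description (wildcards are supported).
$adapters = Get-NetAdapter -InterfaceDescription $AdapterDescription -ErrorAction SilentlyContinue
if (-not $adapters) {
    Write-Warning "No adapter matching '$AdapterDescription'; nothing changed."
    return
}

foreach ($adapter in $adapters) {
    # Idempotent: skip adapters that already carry this default route.
    $existing = Get-NetRoute -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
                    -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                Where-Object { $_.NextHop -eq $Gateway }
    if ($existing) {
        Write-Output "$($adapter.Name): gateway $Gateway already present."
        continue
    }

    # Stop on failure so a deployment tool records the error for this client.
    New-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' `
                 -NextHop $Gateway -ErrorAction Stop | Out-Null
    Write-Output "$($adapter.Name): added default gateway $Gateway."
}

# List all IPv4 default routes so the resulting routing can be reviewed.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize
```

After running it on a test client, connect the SSLVPN and check both that Outlook signs in and that the route table still sends traffic where the force-tunnel configuration expects before rolling it out further.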

  • James_Carson WatchGuard Representative

    Hi @CodyP

    I'd suggest opening a ticket if that won't work. If the fix that gets applied on the client (tap driver) is what fixes it, it's doubtful a change on the firewall will correct it.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @CodyP

    I'd suggest opening a ticket if that won't work. If the fix that gets applied on the client (tap driver) is what fixes it, it's doubtful a change on the firewall will correct it.

    "...it's doubtful a change on the firewall will correct it."

    Can the firewall be made to set the correct gateway in the SSLVPN installer agent that it hands out on the login page?

    Or have DHCP on the firewall hand out the gateway to the remote computer as it hands out an IP and DNS when the computer connects? I just connected to my SSLVPN and the default gateway is blank.

    Gregg Hill


  • James_Carson WatchGuard Representative

    Hi @Greggmh123
    The gateway config is in the SSLVPN config that is downloaded, but the TAP driver has nothing to do with that config. It's part of the SSLVPN install itself.

    -James Carson
    WatchGuard Customer Support

  • James,

    The more I think about it, the more I wonder why DHCP on the SSLVPN does not hand out the gateway of the firewall's SSLVPN subnet. If it gave out the gateway, the problem would be solved.

    My LAN subnet is 192.168.16.0 and my SSLVPN is 192.168.35.0. Is there a reason that DHCP on a Firebox does NOT hand out the 192.168.35.1 address of the firewall as the gateway on the SSLVPN connection?

    Gregg

    Gregg Hill


  • Gregg - what issue are you having with a blank default gateway?
    I also see a blank gateway IP addr in V12.5.1 U1, but I don't have any issues with my setting of all traffic going over SSLVPN.

  • @Bruce_Briggs said:
    Gregg - what issue are you having with a blank default gateway?
    I also see a blank gateway IP addr in V12.5.1 U1, but I don't have any issues with my setting of all traffic going over SSLVPN.

    Bruce,

    The SSLVPN worked fine with everything except for Outlook 2016 connecting to Office 365 with multi-factor authentication and Modern Authentication enabled on the Office 365 tenant. The fix is the TAP adapter change of adding the gateway address to it. My SSLVPN subnet is 192.168.35.0, so the gateway manually added on the TAP adapter of the remote client is 192.168.35.1. That setup allows Outlook to connect. I never had the problem until I enabled MFA with Modern Authentication on my Office 365 tenant account.

    Gregg

    Gregg Hill


  • Time for a support incident

  • I only have two computers that ever use the SSLVPN. Not worth hassling with an incident...yet.

    Gregg Hill

