Getting error with WatchGuard IPsec VPN

Morning,
I seem to be experiencing an issue and am looking for a little nudge in the correct direction with solving it. Sorry if I am long winded, but here it is:

Snowstorm on Monday in NY here caused a lot of people to work from home, the most I have had in a long time. Most of the time I average 15 to 20 people on my VPN connection. So on Monday with the storm I was pushing over 30, where anyone past the 25th connection could not communicate with the network.

I took over one of my users' computers and logged in using the WatchGuard IPsec VPN client, and it connected no problem. But then it would not communicate with anything on the network. I opened a cmd prompt and tried pinging equipment in the network, and nothing; it would not let me ping anything.

Watching the Traffic monitor I got the following errors:

2021-02-02 09:52:46 Deny 10.10.10.230 10.10.10.51 dns/udp 63197 53 0-External 1-Trusted Denied 84 127 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="[email protected]" Traffic

I know that shows one of my VPN clients at .230 trying to communicate with one of my internal DNS servers at .51. I have gone through the help files and found the two possibilities that it could be. One, the IP range not having permission to access the network or the users not being in the group that is assigned to the policy.

This is a WatchGuard M200 that I brought online in August at a new building that we moved to. Prior to that, at our old office location, I had the older machine configured the same way and had no issues with over 25 users, since that was during the height of Covid and we had 40 plus people using it and working remotely.

I have two virtual IP pools defined:
1. First at 10.10.10.75 to 10.10.10.99
2. Second at 10.10.10.226 to 10.10.10.250

I set them up at the same time, so they all went in when I configured the IPsec VPN through the wizard.

It is a small company, so I only have one group setup at the moment (when I get time I want to change it around and lock stuff down more, but I'm just trying to keep everyone working during Covid and the Moving of our company to a new location). Everyone is assigned to the VPN group I created.

So after all that my question is (I know finally):

Why does anyone who connects and gets an IP address in the first pool work properly, while anyone who gets an IP address in the second pool cannot properly communicate with the network?

Should I delete the second pool and redefine it? Will that affect anything with the first pool? I mean, at my old office on my old Firebox I had a messed-up set of pools with some addresses here and some there, and it worked fine. So I guess I am just missing something and I can't find it.

Other information:
Uptime currently is 180 days
Fireware OS V 12.5.3
Using the standard Mobile VPN with IPsec rule of any in the policies.

Thanks All!
---Brian
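When triaging a problem like the one described in the post, the first thing to establish is whether the "Unhandled MUVPN Packet" denies line up with one virtual IP pool. The script below is an added example (not code from the post or from WatchGuard): it parses Traffic Monitor lines in the layout quoted above, maps each source address onto the two pools from the post, and counts actions per pool. The pool names, the sample lines and the `src_user` values are constructed for the example, and the "Allow" line is an approximation of the format rather than a captured one.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the Traffic Monitor line quoted in the post.
# Addresses follow the post's pools; users and the Allow line are made up.
SAMPLE_LOG = """\
2021-02-02 09:52:46 Deny 10.10.10.230 10.10.10.51 dns/udp 63197 53 0-External 1-Trusted Denied 84 127 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="user1@example.com" Traffic
2021-02-02 09:52:47 Deny 10.10.10.231 10.10.10.51 dns/udp 63198 53 0-External 1-Trusted Denied 84 127 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="user2@example.com" Traffic
2021-02-02 09:52:48 Allow 10.10.10.80 10.10.10.51 dns/udp 63199 53 0-External 1-Trusted Allowed 84 127 (Mobile VPN with IPSec-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_user="user3@example.com" Traffic
"""

# Virtual IP pools as given in the post; the names are assumptions for this example.
POOLS = {
    "pool1": (ipaddress.ip_address("10.10.10.75"), ipaddress.ip_address("10.10.10.99")),
    "pool2": (ipaddress.ip_address("10.10.10.226"), ipaddress.ip_address("10.10.10.250")),
}

# Positional fields of the Traffic Monitor line, followed by the parenthesised
# policy name and a tail of key="value" pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<service>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<in_if>\S+) (?P<out_if>\S+) (?P<disp>\w+) "
    r"(?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one Traffic Monitor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    # Fold proc_id, rc, msg_id, src_user and similar pairs into the event.
    ev.update(dict(KV_RE.findall(ev.pop("rest"))))
    return ev


def pool_for(ip):
    """Name of the virtual IP pool containing ip, or None if it is outside both pools."""
    addr = ipaddress.ip_address(ip)
    for name, (low, high) in POOLS.items():
        if low <= addr <= high:
            return name
    return None


def summarize(log_text):
    """Count firewall actions per pool and collect the unhandled-MUVPN denies.

    Returns (counts, unhandled): counts maps pool name -> Counter of actions,
    unhandled is the list of Deny events that hit the 'Unhandled MUVPN Packet'
    catch-all rather than the Mobile VPN with IPSec policy.
    """
    counts = {}
    unhandled = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        pool = pool_for(ev["src"]) or "outside-pools"
        counts.setdefault(pool, Counter())[ev["action"]] += 1
        if ev["action"] == "Deny" and ev["policy"].startswith("Unhandled MUVPN Packet"):
            unhandled.append(ev)
    return counts, unhandled


if __name__ == "__main__":
    counts, unhandled = summarize(SAMPLE_LOG)
    for pool, actions in sorted(counts.items()):
        print(pool, dict(actions))
    for ev in unhandled:
        print("unhandled MUVPN deny:", ev["src"], "->", ev["dst"], ev["service"], ev.get("src_user"))
```

Run against a real Traffic Monitor export, a result where every unhandled deny comes from one pool and none from the other points at pool configuration rather than at the group or policy, which is the split the post's help-file reading was trying to make.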

Answers

  • Sounds like a bug.
    Consider opening a support incident on this.

  • Thanks for the response Bruce. Submitting support incident.

  • Oops, sorry, I guess I should have updated this issue. But I worked with WatchGuard, and they didn't find anything wrong with my configurations. So we went with the bit I had suggested for myself: delete the IPs that were causing problems, save it all back to the unit, then re-add those IPs to the virtual pool and save it again. After that they started functioning correctly!

    Thanks all!
