IKEv2 Clients Fail To Connect

We have a T-40 Firebox with FW: 12.7.B639066
IKEv2 Clients are unable to connect. From Traffic Monitor, I see the following entry:

2021-05-23 15:27:51 Deny xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx isakmp/udp 500 500 External Firebox Denied 572 123 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

(Deny IP is WAN IP of Client).

Firewall Policy enabled to Allow IKEv2-Users
From IKEv2-Users (Any)
To Any

(User is setup in Authentication Server)

Any thoughts/suggestions would be appreciated. Please let me know if you need additional information
Thank you!


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Chip,

    Unhandled External means that the firewall isn't matching any policy for that traffic.

    Check to see if your default IKE rule is turned on.
    -In Policy Manager, go to VPN -> VPN Settings. Ensure "Enable built-in IPSec policy" is on.
    -In WebUI, go to VPN -> Global Settings, and ensure "Enable built-in IPSec policy" is turned on.

    If it's turned off on your firewall it's likely because you were passing IKE traffic to something else like a VPN concentrator.

    -James Carson
    WatchGuard Customer Support

  • Options

    Wow James... Excellent! "Enable built-in IPSec policy" was turned off. I would have never figured this out. Thank you sooo much for support and taking the time! Much appreciated!

Sign In to comment.