Mobile VPN with SSL - Refuse to Connect

I have two Firebox devices that are configured more or less identically for the Mobile VPN with SSL feature. On one of the Fireboxes (XTM 330), I have no issue connecting via the VPN, while on the other one (XTM26-W) I cannot connect. In particular, when I try to access the web portal (https:///sslvpn.html) I receive an error page saying that the connection was refused. I went through the authentication settings as well as the firewall policy settings and they appear to be identical on both devices. Both devices are running OS version 12.1.3. At this point, I'm honestly stumped and would appreciate any help I could get.


Comments

  • Anything to help understand this in Traffic Monitor ?

    You could unselect SSLVPN, save that and re-enable it and see if that helps.

    Can you access https://Firebox interface IP address/sslvpn.html ?

  • You can turn on diagnostic logging for SSLVPN which may show something to help in Traffic Monitor:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • I've tried unchecking the Activate Mobile VPN with SSL box, saving then re-enabling it and saving again but it did not work. I get a bunch of these deny messages in the traffic monitor when I try to connect to the VPN. It's hard to make sense of it, but it seems like it may be related to firewall policies. It's strange though because I have the same policies on both devices.

    2021-06-18 11:58:39 Deny x.x.x.86 x.x.x.166 50528/tcp 47969 50528 0-Optimum Firebox Denied 40 241 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 747946849 win 1024"

  • The denied packet is for TCP port 50528, which is not likely a SSLVPN connection attempt.
    All packets will be denied unless there is a policy allowing them, and you don't have a policy allowing TCP port 50528 from the Internet.

    Can this SSLVPN client connect to the other firewall ?

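The advice above (the denied packet is on TCP 50528, not 443, so it is not the SSLVPN attempt; search Traffic Monitor for the client IP and look for what happens to its TCP 443 packets) can be turned into a small filter. The following is an added example, not code from the original thread or from WatchGuard: it parses firewall lines in the shape of the Deny line posted above and reports, for a given client and Firebox address, whether TCP 443 traffic was never seen, was denied (and by which policy), or was allowed. The regex is derived from the one posted line; the Allow line and the 443 Deny line used for illustration are constructed, and the `https/tcp` service spelling on the Allow line is an assumption about how Fireware names well-known ports.

```python
import re
from collections import Counter

# Shape of a Fireware firewall Traffic Monitor line, as seen in the thread:
#   <date> <time> <Allow|Deny> <src> <dst> <service-or-port>/<proto> <sport> <dport>
#   <in-iface> <out-iface> <Allowed|Denied> <len> <ttl> (<policy>) key="value" ...
# Interface aliases may contain spaces, so that part is matched lazily.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<svc>\S+)/(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<ifaces>.+?) (?P<status>Allowed|Denied) (?P<length>\d+) (?P<ttl>\d+) '
    r'\((?P<policy>[^)]*)\) (?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one Traffic Monitor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec.update(dict(KV_RE.findall(rec.pop("kv"))))  # proc_id, rc, msg_id, tcp_info ...
    return rec


def client_events(lines, client_ip):
    """All parsed records whose source address is the SSLVPN client, in log order."""
    return [r for r in map(parse_line, lines) if r and r["src"] == client_ip]


def port_summary(lines, client_ip):
    """Which destination ports the client is being logged against (noise vs. the real attempt)."""
    return Counter((r["proto"], r["dport"]) for r in client_events(lines, client_ip))


def sslvpn_verdict(lines, client_ip, firebox_ip, port=443):
    """Classify what the log shows for the client's TCP/<port> packets to the Firebox."""
    hits = [r for r in client_events(lines, client_ip)
            if r["dst"] == firebox_ip and r["proto"] == "tcp" and r["dport"] == port]
    if not hits:
        return "no-443-traffic-seen"      # nothing reached the firewall engine: look upstream
    if any(r["action"] == "Allow" for r in hits):
        return "allowed"                  # policy is fine; the failure is at the TLS/HTTP layer
    return "denied-by:" + hits[-1]["policy"]  # wrong policy order or no matching policy


# The first line is the one posted in the thread; the other two are constructed.
SAMPLE = [
    '2021-06-18 11:58:39 Deny x.x.x.86 x.x.x.166 50528/tcp 47969 50528 0-Optimum Firebox Denied 40 241 '
    '(Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" '
    'tcp_info="offset 5 S 747946849 win 1024"',
    '2021-06-18 11:59:02 Deny x.x.x.86 x.x.x.166 https/tcp 50001 443 0-Optimum Firebox Denied 60 63 '
    '(Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"',
    '2021-06-18 11:59:30 Allow x.x.x.86 x.x.x.166 https/tcp 50002 443 0-Optimum Firebox Allowed 60 63 '
    '(WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148"',
]

if __name__ == "__main__":
    print(port_summary(SAMPLE, "x.x.x.86"))
    print(sslvpn_verdict(SAMPLE[:1], "x.x.x.86", "x.x.x.166"))
    print(sslvpn_verdict(SAMPLE[:2], "x.x.x.86", "x.x.x.166"))
    print(sslvpn_verdict(SAMPLE, "x.x.x.86", "x.x.x.166"))
```

Run against a Traffic Monitor export, the three verdicts map onto the three branches of the diagnosis in this thread: "no-443-traffic-seen" points at the ISP, modem or a device in front of the Firebox; "denied-by:..." points at policy order or the auto-created WatchGuard SSLVPN policy being disabled; "allowed" means the packets arrive and the problem is in the SSLVPN service itself.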
  • Yes, I can connect to my other firewall without issue. I believe the firewall policies are added automatically when the Activate Mobile VPN with SSL box is activated, so that shouldn't require any tweaking. I also made sure that my user account was added to the SSLVPN-Users group. The only other thing I can think of is a reboot, but I think I tried that a while ago and it didn't work.

  • And my other suggestions - have you tried them?

  • I went to Diagnostic Log and made sure VPN SSL was set to error. I've been parsing the Traffic Monitor page to see if there's anything related to the VPN after I try connecting, but can't seem to find anything.

  • You can also look at the SSLVPN client log.
    Right click on the icon in the Windows System Tray.

    Also verify that you have TCP 443 for the connection port on the Advanced settings of the SSLVPN setup.

  • I see. This is the log message I get when I try to connect:

    2021-06-18T15:28:41.936 Requesting client configuration from x.x.x.166:443
    2021-06-18T15:28:44.107 FAILED:2021-06-18T15:28:54.980 FAILED:Cannot perform http request 12029
    2021-06-18T15:28:54.980 failed to get domain name

  • The Data Channel is set to TCP port 443 in the Mobile VPN with SSL -> Advanced tab

  • Look at your config, for the auto created WatchGuard SSLVPN policy.
    It should be enabled, From: Any-external To: Firebox, and the ports should be TCP 443.

    You can enable Logging on it to see packets allowed by it in Traffic Monitor

    You can search Traffic Monitor for the SSLVPN client IP addr to see all packets logged from it, using the Search function.

  • I configured the WatchGuard SSLVPN policy the way you said and enabled logging. I'm still not seeing anything in the traffic monitor. I did notice something peculiar though. The time in the traffic monitor is 4 minutes off from my computer's system time. I checked the NTP settings and it's configured the same as the one that's working.

  • Do you have a policy higher up than the WatchGuard SSLVPN policy which allows in from the Internet HTTPS packets?

    Re. NTP - I use 0.pool.ntp.org & 1.pool.ntp.org

    Are you using the Web UI or Firebox System Manager to look at Traffic Monitor info ?

    You can manually sync the time using FSM:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/sync_time_wsm.html

  • I'm using the Web UI and I have the same NTP servers configured as well. At this point, I'm going to wait until tomorrow when no one's in the office and try rebooting it. There seems to be no rhyme or reason why it's not working. I'll let you know if doing that resolves the issue. I really appreciate all your help!

  • No luck. I tried rebooting it twice. I think I’m going to try backing up the settings and factory resetting it. At this point, that seems like the only other thing to try.

  • Is there any possibility that your ISP is blocking incoming HTTPS?

    Can you access https://Firebox interface IP address/sslvpn.html ?
    If not, then check with your ISP.

  • Good thought. I'm not very familiar with what power ISPs have to block HTTPS connections, but it is a possibility. I'm going to reach out to them and see what I can find out. Thanks!

  • I spoke to our ISP and they said they don't block port 443. I'm thinking at this point it has to be a device level issue.

  • I keep asking - can you access https://Firebox external interface IP address/sslvpn.html from the Internet ?
    Please test this.

  • It's in the initial post. When I go to https://public-ip/sslvpn.html, I get an error saying that the site cannot be reached because it refused to connect. I tried accessing it from the Chrome browser as well as Microsoft Edge with the same result. The fact that it's refusing to connect leads me to believe that it's able to reach the device, but some setting on the device may be off. This is supported by the fact that the time is incorrect. I created a backup image of the device, so I might just have to try a factory reset and hope that that fixes the problem.

  • If you look at your initial post, it is missing public-ip between the slashes

  • Sorry if it wasn't clear. I didn't want to post the actual IP address so I typed and I guess it dropped it.

  • I did it again! But yes I used the actual public IP when trying to access it.

  • Are you testing both Fireboxes from a computer that is external to both of them?

    Assuming the testing computer is running Windows, did you run the SSLVPN installer using "Run as administrator"? If not, remove it, run it as administrator, then test it again. For me, every time that I do not run the install as admin, it fails to install the TAP adapter correctly and causes instant disconnects.

    Gregg Hill

  • Yes, I use a Windows 10 laptop with my phone’s hotspot. Same computer I can connect to one Firebox and not the other, so I don’t think it’s the software.

  • Cool. I just wanted to eliminate that as a potential issue.

    Gregg Hill

  • I appreciate it. At this point, all evidence points to an issue with the device itself. I’m going to try a factory reset as a last ditch effort and see if that works.

  • The fact that you "get an error saying that the site cannot be reached because it refused to connect" and that you see nothing in the traffic monitor makes me think that there is something else in line between your test laptop and the 26W, like an ISP router that has port 443 answering.

    What do you see when you telnet from the outside laptop to the WAN IP of the 26W on port 443? Heck, what do you get from the 26W's LAN side if you try to reach the SSLVPN? Make sure that works first.

    I am reading this thread again after just waking up, so maybe you covered this already.

    Gregg Hill

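The "telnet to the WAN IP on port 443" test suggested above is worth doing layer by layer, because the three outcomes mean different things: a TCP RST ("connection refused") proves that some host at that address answered, a timeout means nothing answered (consistent with an empty Traffic Monitor), and a TCP connection that then fails the TLS handshake means something other than the Firebox web server is listening. The probe below is an added example, not code from the thread or from WatchGuard; it walks TCP, TLS and a GET of /sslvpn.html and reports where the attempt stops. Certificate verification is switched off on the assumption that the Firebox presents a self-signed certificate. The two loopback helpers at the bottom build the "refused" and "open but not TLS" cases locally and are constructed test scenarios only.

```python
import socket
import ssl
import sys
import threading


def probe_sslvpn(host, port=443, path="/sslvpn.html", timeout=5.0):
    """Probe <host>:<port> one layer at a time; each key records how far the attempt got."""
    result = {"host": host, "port": port, "tcp": None, "tls": None, "http": None}

    # Layer 1: TCP. Refused (RST) and timeout (silence) are the two interesting failures.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["tcp"] = "refused"        # a host answered with RST: something is at this IP
        return result
    except socket.timeout:
        result["tcp"] = "timeout"        # no answer: dropped upstream or silently by policy
        return result
    except OSError as e:
        result["tcp"] = f"error:{e.errno}"
        return result
    result["tcp"] = "open"

    # Layer 2: TLS. Verification is disabled only because the assumed certificate is self-signed;
    # the point here is reachability, not trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except (ssl.SSLError, OSError) as e:
        result["tls"] = f"failed:{type(e).__name__}"   # port open, but not a TLS server
        sock.close()
        return result
    result["tls"] = tls.version()

    # Layer 3: HTTP. A status line from the Firebox portal proves the service itself answers.
    try:
        tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = tls.recv(512)
        result["http"] = raw.split(b"\r\n", 1)[0].decode(errors="replace") or "empty-reply"
    except (ssl.SSLError, OSError) as e:
        result["http"] = f"failed:{type(e).__name__}"
    finally:
        tls.close()
    return result


def local_refused_port():
    """Constructed case: a loopback port with no listener, so connect() is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def local_accept_then_close_server():
    """Constructed case: a loopback listener that accepts one connection and closes without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_sslvpn(target))
```

Run it from the outside laptop against the 26W's public address and, for comparison, against the working XTM 330. "tcp": "refused" with nothing in Traffic Monitor is exactly the combination that suggests a device in front of the Firebox is the one answering; "tcp": "timeout" would instead point at filtering upstream; "tcp": "open" with a TLS failure means port 443 is answered by something that is not an HTTPS server.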
  • I called my ISP and was told they don’t filter HTTPS traffic (for business customers at least). On my account dashboard, I have the ability to block port 80, 8080, and 25 traffic but not 443. The Firebox in question is connected via Ethernet to a modem which goes out to the ISP. There are no other on-site routers between the firebox and the ISP modem. The funny thing is I can’t connect to the SSLVPN from the firebox that is working from the internal LAN, and I can't figure out why. I configured the appropriate VPN firewall policies to allow from any-trusted but nothing works. I have to be outside of my network for either VPN to work. I’m not too concerned though because there's no point in connecting to the VPN from the internal LAN anyway. When I try connecting to the firebox in question from outside my LAN, I get an error log message saying it cannot find the domain name which seems to be an issue with it establishing an HTTPS connection.