Mobile SSLVPN - One User connection keeps resetting

date_09:55:20.393 Reconnecting, reset the wait for connection timer
date_09:55:20.394 OVPN:>STATE:1644915320,RECONNECTING,connection-reset,,,,,

date_09:55:20.395 OVPN:>HOLD:Waiting for hold release:5

date_09:55:20.457 OVPN:>LOG:1644915320,D,MANAGEMENT: CMD ''

date_09:55:20.458 OVPN:>LOG:1644915320,D,MANAGEMENT: CMD 'hold release'

date_09:55:20.458 OVPN:SUCCESS: hold release succeeded

date_09:55:20.459 OVPN:>LOG:1644915320,,Re-using SSL/TLS context

date_09:55:20.460 OVPN:>LOG:1644915320,D,PID packet_id_init seq_backtrack=64 time_backtrack=15

date_09:55:20.461 OVPN:>LOG:1644915320,D,PID packet_id_init seq_backtrack=64 time_backtrack=15

date_09:55:20.462 OVPN:>LOG:1644915320,D,PID packet_id_init seq_backtrack=64 time_backtrack=15

date_09:55:20.463 OVPN:>LOG:1644915320,D,PID packet_id_init seq_backtrack=64 time_backtrack=15

date_09:55:20.465 OVPN:>LOG:1644915320,,Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]

date_09:55:20.467 OVPN:>LOG:1644915320,D,MTU DYNAMIC mtu=1450, flags=2, 1623 -> 1450

date_09:55:20.468 OVPN:>LOG:1644915320,D,RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0

date_09:55:20.469 OVPN:>LOG:1644915320,,Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]

date_09:55:20.470 OVPN:>LOG:1644915320,D,crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes

date_09:55:20.471 OVPN:>LOG:1644915320,D,calc_options_string_link_mtu: link-mtu 1623 -> 1559

date_09:55:20.472 OVPN:>LOG:1644915320,D,crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes

date_09:55:20.473 OVPN:>LOG:1644915320,D,calc_options_string_link_mtu: link-mtu 1623 -> 1559

date_09:55:20.474 OVPN:>LOG:1644915320,,Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'

date_09:55:20.476 OVPN:>LOG:1644915320,,Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'

date_09:55:20.477 OVPN:>LOG:1644915320,I,TCP/UDP: Preserving recently used remote address: [AF_INET]public_ip_address:443

date_09:55:20.479 OVPN:>LOG:1644915320,,Socket Buffers: R=[65536->65536] S=[65536->65536]

date_09:55:20.480 OVPN:>LOG:1644915320,I,Attempting to establish TCP connection with [AF_INET]public_ip_address:443 [nonblock]

date_09:55:20.481 OVPN:>LOG:1644915320,,MANAGEMENT: >STATE:1644915320,TCP_CONNECT,,,,,,

date_09:55:20.482 OVPN:>STATE:1644915320,TCP_CONNECT,,,,,,

date_09:55:21.412 OVPN:>LOG:1644915321,I,TCP connection established with [AF_INET]public_ip_address:443

date_09:55:21.413 OVPN:>LOG:1644915321,I,TCP_CLIENT link local: (not bound)

date_09:55:21.414 OVPN:>LOG:1644915321,I,TCP_CLIENT link remote: [AF_INET]public_ip_address:443

date_09:55:21.416 OVPN:>LOG:1644915321,D,TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]

date_09:55:21.416 OVPN:>LOG:1644915321,D,SENT PING

date_09:55:21.417 OVPN:>LOG:1644915321,,MANAGEMENT: >STATE:1644915321,WAIT,,,,,,

date_09:55:21.418 OVPN:>STATE:1644915321,WAIT,,,,,,

date_09:55:21.419 OVPN:>LOG:1644915321,D,TCP_CLIENT WRITE [14] to [AF_INET]public_ip_address:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

date_09:55:21.420 OVPN:>LOG:1644915321,N,Connection reset, restarting [0]

date_09:55:21.421 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.421 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.422 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.423 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.424 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.424 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.425 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.426 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.427 OVPN:>LOG:1644915321,,TCP/UDP: Closing socket

date_09:55:21.428 OVPN:>LOG:1644915321,D,PID packet_id_free

date_09:55:21.429 OVPN:>LOG:1644915321,I,SIGUSR1[soft,connection-reset] received, process restarting

date_09:55:21.429 OVPN:>LOG:1644915321,,MANAGEMENT: >STATE:1644915321,RECONNECTING,connection-reset,,,,,

date_09:55:21.429 Reconnecting, reset the wait for connection timer
date_09:55:21.430 OVPN:>STATE:1644915321,RECONNECTING,connection-reset,,,,,

I do not get why the connection keeps resetting. It is only one user on some public network.

Answers

  • james.carson Moderator, WatchGuard Representative

    The VPN is saying that it's not getting data back on that port. If the public network is running a proxy or is attempting to block VPNs that may be the reason. Using a different port for the VPN may help, or potentially using a different VPN (like IKEv2, or L2TP) may be helpful.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    The VPN is saying that it's not getting data back on that port. If the public network is running a proxy or is attempting to block VPNs that may be the reason. Using a different port for the VPN may help, or potentially using a different VPN (like IKEv2, or L2TP) may be helpful.

    Well, where do you see that? Is it this?
    date_09:55:21.416 OVPN:>LOG:1644915321,D,TLS Warning: **no data channel send** key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]

  • james.carson Moderator, WatchGuard Representative

    @garythewatchguardguy
    Yes, that suggests that the client isn't getting a response when it tries to open the actual tunnel.

    The other traffic over port 443 is the client downloading the profile from the server (the firebox) and authenticating, which all happens over HTTPS. The tunnel itself is not HTTPS, but lives on port 443 (or whatever port you specify if you change it.) If the side the customer is trying to connect from is attempting to block that traffic or is proxying it for some reason, it'll likely not work.

    Your choices to work around this are going to be:
    - Try using a different VPN technology to see if that works from that location.
    - Try changing ports to something else (this will make the change for all users, however.)
    - Contact the site where the customer is trying to connect from and inquire as to what they're doing, and see if they'll make an exception to allow that traffic.

    -James Carson
    WatchGuard Customer Support
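
The pattern discussed in this thread (TCP to port 443 completes, the client writes its first OpenVPN packet, and the connection is reset with no server reply) can be picked out of a client log mechanically. The following is an added example, not part of the original thread or WatchGuard's tooling; the function name and verdict strings are hypothetical, and the `READ ... P_CONTROL_HARD_RESET_SERVER_V2` line it looks for on a working connection is an assumed format modeled on the `WRITE` line in the posted log.

```python
import re

# Line shape taken from the log in the question:
#   <prefix>HH:MM:SS.mmm OVPN:>LOG:<unix time>,<flags>,<message>
LINE_RE = re.compile(
    r"^\S*?(\d+):(\d+):(\d+)\.(\d{3})\s+OVPN:>LOG:\d+,[A-Z]*,(.*)$")

# Excerpt of the posted log (address placeholder kept as posted).
SAMPLE = """\
date_09:55:20.480 OVPN:>LOG:1644915320,I,Attempting to establish TCP connection with [AF_INET]public_ip_address:443 [nonblock]
date_09:55:21.412 OVPN:>LOG:1644915321,I,TCP connection established with [AF_INET]public_ip_address:443
date_09:55:21.419 OVPN:>LOG:1644915321,D,TCP_CLIENT WRITE [14] to [AF_INET]public_ip_address:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
date_09:55:21.420 OVPN:>LOG:1644915321,N,Connection reset, restarting [0]
""".splitlines()

def classify_attempts(lines):
    """Return one dict per connection attempt seen in the log."""
    attempts, cur = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, >STATE: lines, client-side notes
        h, mi, s, ms, msg = m.groups()
        now = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        if msg.startswith("Attempting to establish TCP connection"):
            cur = {"tcp_up": False, "hello_sent_ms": None, "server_reply": False,
                   "ms_to_reset": None, "verdict": "no reset seen"}
            attempts.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("TCP connection established"):
            cur["tcp_up"] = True
        elif "WRITE" in msg and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            cur["hello_sent_ms"] = now
        elif "READ" in msg and "P_CONTROL_HARD_RESET_SERVER_V2" in msg:
            cur["server_reply"] = True  # assumed READ line format, see lead-in
        elif msg.startswith("Connection reset"):
            if not cur["tcp_up"]:
                cur["verdict"] = "reset before TCP connect completed"
            elif cur["hello_sent_ms"] is not None and not cur["server_reply"]:
                cur["ms_to_reset"] = now - cur["hello_sent_ms"]
                cur["verdict"] = "reset after first OpenVPN packet, no server reply"
            else:
                cur["verdict"] = "reset at another stage"
            cur = None
    return attempts

if __name__ == "__main__":
    for a in classify_attempts(SAMPLE):
        print(a["verdict"], a["ms_to_reset"])
```

Running it over a full client log gives one verdict per reconnect cycle, which makes it easy to see whether every attempt from a given location fails at the same stage.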
