SSL VPN from Optional Network

Hoping this is an easy answer.
We have set up a Guest Wi-Fi network on an Optional Interface to be used by external users and sometimes some contractors.

Sometimes we need them to connect to the VPN from inside the firewall (on the optional network), but for some reason it's not working.

I have added the optional network (both Any-Optional and specifically the optional interface) to the WatchGuard SSL VPN policy, but the SSL client just times out.

I was sure I had this set up that way before for a different client, and it worked.

Am I missing something?

Comments

  • james.carson Moderator, WatchGuard Representative

    @TimPoulter
    So long as the "WatchGuard SSLVPN" policy includes your optional network in the From field (with To being "firebox") that should allow access.

    If you are using a FQDN to access the VPN, I'd suggest checking that it resolves from inside that network, and take a look at the logs to determine where it's stopping.

    -James Carson
    WatchGuard Customer Support

  • Assuming that the Optional Interface is set to Interface Type = Optional, then this should work.

    What do you see in Traffic Monitor when this access is tried?

  • @james.carson
    That is what I thought. I have the Any-Optional and the actual interface name in the From field.
    I looked at the FQDN as well, and it seems to be hanging up there, as the client keeps giving the errors "Failed to get domain name" and "FAILED:Cannot perform http request".

    But if not trying to connect, I can ping the FQDN or IP of the VPN interface just fine.

    @Bruce_Briggs
    Correct, the type is set to Optional.
    Nothing shows up in TM when the connection is attempted.

  • You can turn on Logging on your WatchGuard SSLVPN policy for debugging.
    Hopefully it will show something to help.

    Try connecting to an IP addr instead of a FQDN.
    I can successfully connect from behind the firewall to the internal firewall interface IP addr or to the external interface IP addr as well as to my external IP addr FQDN.

    For the record, what Fireware version are you running?
    What SSLVPN version are you running?
    Is there a different SSL client such as OpenVPN also installed on that PC?

  • @Bruce_Briggs
    Same result with IP.
    WatchGuard SSLVPN policy logging shows nothing, as it is not even making the connection.

    Firewall - 12.9.1
    SSLVPN - 12.7.2
    No other SSL client.

    As odd as it is, in my lab it works as I expect as well.
    The only two differences between my lab and the customer are:
    1 - The customer has multiple IPs, so a primary and multiple secondaries are set on the external interface;
    the SSLVPN setup has one of the secondary IPs set as the primary IP for the VPN connection.
    2 - The WatchGuard SSLVPN policy is further down the list vs. my lab.

    Not in a big rush to fix this, as we did something different for this customer, but I was more curious as to why it was not working.

  • No traffic suggests something is blocking the SSLVPN packets on the local PC.
    A packet capture might show something to help, should you care to investigate further.
    You can do one on the firewall using TCP Dump or on the PC using Wireshark.

    Run Diagnostic Tasks
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
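The suggestions above (check that the FQDN resolves from the optional network, try the IP instead, find where the client stops) can be scripted from a PC on that network. The script below is added here as an example and is not from the thread or from WatchGuard; it assumes a Linux/BSD host with getent, nc (with -z/-w), openssl and curl, that the Firebox SSLVPN listens on TCP 443, and that a GET of / is enough to show the Firebox answering over HTTPS.

```shell
#!/bin/sh
# Added example, not from the thread: walk the stages a WatchGuard SSLVPN client goes
# through (resolve name, TCP connect, TLS handshake, HTTPS request) and report the first
# one that fails from the network you run it on. Assumes getent, nc (-z/-w), openssl
# and curl are installed; port 443 and the "/" path are assumptions, not WatchGuard facts.
VPN_PORT="${VPN_PORT:-443}"

is_ipv4() { case "$1" in *[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

# Print the first address for a name, or nothing if it does not resolve.
resolve_host() { getent hosts "$1" | awk 'NR==1 {print $1}'; }

tcp_reachable() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }   # $1=ip $2=port

tls_handshake_ok() {   # $1=ip $2=port $3=servername (SNI)
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null >/dev/null 2>&1
}

# Print the HTTP status code the Firebox returns for GET /, or 000 on failure.
http_status() {
    code=$(curl -ks -o /dev/null --max-time 5 -w '%{http_code}' "https://$1:$2/" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# Pure function: map stage results (ok/fail for dns, tcp, tls; then the HTTP status)
# to a verdict. Return 0 when the Firebox answered; 1-4 identify the first failing stage.
diagnose() {
    if [ "$1" != ok ]; then echo "DNS: name does not resolve from this network; try the IP instead"; return 1; fi
    if [ "$2" != ok ]; then echo "TCP: port $VPN_PORT unreachable; check the SSLVPN policy From/To and local firewall/AV"; return 2; fi
    if [ "$3" != ok ]; then echo "TLS: handshake failed; something in the path interferes with TLS"; return 3; fi
    case "$4" in
        2??|3??|4??) echo "HTTP: Firebox answers ($4); the client should get past 'Cannot perform http request'"; return 0 ;;
        *) echo "HTTP: TLS ok but no HTTP reply ($4); capture on the PC and on the Firebox"; return 4 ;;
    esac
}

main() {
    host=$1
    if is_ipv4 "$host"; then ip=$host; dns=ok
    elif ip=$(resolve_host "$host") && [ -n "$ip" ]; then dns=ok
    else ip=$host; dns=fail; fi
    tcp_reachable "$ip" "$VPN_PORT" && tcp=ok || tcp=fail
    tls_handshake_ok "$ip" "$VPN_PORT" "$host" && tls=ok || tls=fail
    http=$(http_status "$ip" "$VPN_PORT")
    diagnose "$dns" "$tcp" "$tls" "$http"
}

# Only run the checks when a target is given, e.g.: ./sslvpn_check.sh vpn.example.com
if [ $# -gt 0 ]; then main "$@"; fi
```

If the script stops at the TCP stage while Traffic Monitor shows nothing, the packet never left the PC, which is the case for a capture on the PC (Wireshark filter `tcp.port == 443`) rather than a TCP Dump on the Firebox.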
