Mobile SSL VPN Waiting and never connects. OpenVPN works.

Guys,
Testing Mobile SSL VPN setup on a firebox in my test lab and it's just not happening. Tried several of the suggestions from this forum and just can't get the thing working.

Scenario is:
1. Behind a NAT SKY domestic router. Lan 192.168.1.0/24 (Gateway 192.168.1.254)
2. Port forwarding to a Firebox External Port IP: 192.168.1.x (Firebox sits out there on its own)
3. My Lan sits behind another Firebox on external Port 192.168.1.xx

From my LAN, with policies configured on the Firebox fronting my LAN, I can hit the test box on 192.168.1.x and interrogate it fully i.e. WSM and Web UI work perfectly. Can hit the HTTPS SSLVPN host page, download SSL clients and ovpn config file no worries.

Configured the SSL VPN on the test box using another TCP port other than 443.
Installed the WG Mobile SSL VPN client:
Can connect perfectly from a laptop on the 192.168.1.0/24 subnet
Can connect perfectly from a PC on my LAN subnet behind the second Firebox.
Can connect using OpenVPN from the internet successfully.
The WG Mobile SSL VPN client will not connect from the internet no matter what.

I've tried several versions of the WG SSL VPN client, including the one downloaded from the test box, and it's just not happening.
Can see in the monitor it authenticates the test user, but never completes the connection: Just sits there 'Waiting for a connection'.

Any help would be much appreciated. What am I missing?

J

Best Answers

  • Answer ✓

    Hey man, cracked it!!!
    Made one change to my VPN configuration and Boom/voilà/Eureka. It worked!

    FIX:
    Put DDNS in Primary IP and Port 0 IP in Secondary.

    Basically I'm saying to the box, go out to the internet and see who you are and if you still don't know, ask the guy hanging off Port 0.

    Tried the configuration in reverse i.e. Port 0 IP as primary and DDNS as secondary; it fails, behaving the same as before.

    Flipped back around, DDNS as primary and Port 0 as the secondary, and we're back in business and good to go. B)

    Hope this helps someone else down from that Watchguard Mobile SSL VPN ledge they are about to jump off. :'(

    Take care, and thanks again.
    J out.

  • Answer ✓

    Just tried the above fix on another WG Firebox with the same Mobile SSL VPN issue. Problem solved. Fix is good.

    It must be applied as outlined.

    All the best.
    J out.

Answers

  • There are SSLVPN client logs which may give a clue.
    Also in your firewall config you can set diagnostic logging for SSL VPN to Information.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set_diagnostic_log_level_c.html
  • First, let me thank you for replying. Big thank you sir!!!
    Switched on debug logging and noticed the below. It's clearly not completing its connection, and not getting a virtual IP.

    2023-10-14 22:24:42 sslvpn Mobile VPN with SSL user tech logged in. Virtual IP address is 0.0.0.0. Real IP address is x.x.x.x. id="2500-0000" Debug

    Need to understand why this is only when accessed from the internet.

  • Since the problem exists only when accessing from the internet, the issue is likely with the traffic travelling through the SKY NAT router.

    Engaged DMZ to External Port 0, but still no joy. Any thoughts?

  • edited October 2023

    Reviewed and applied the instruction in the provided link.
    No HTTPS proxy configured in policies. Running the policies lite at the moment until I get this thing to connect.

    1. Removed the adaptors from remote testing machine on the internet.
    2. Removed OpenVPN and its adaptor.
    3. Removed Mobile SSL VPN and its adaptor. (no virtual adaptors remained)
    4. Restarted remote internet PC.
    5. Accessed the Lab Firebox's SSLVPN portal page from remote test PC on internet.
    6. Downloaded SSLVPN Client and OVPN file.
    7. Reinstalled SSLVPN client (only one adaptor available in device manager on the internet test PC; latest driver version installed)
    8. Launched SSLVPN client, same issue --- no virtual IP assigned - Client waiting to connect.
    9. Re-installed OpenVPN client --- Connected immediately with no issues.

    Why is the thing not assigning virtual IPs?

    MONITOR LOG:
    2023-10-15 21:48:05 Allow x.x.x.x 192.168.1.3 4137/tcp 49487 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 2333174727 win 65100" Traffic
    2023-10-15 21:48:07 Allow x.x.x.x 192.168.1.3 4137/tcp 44544 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 998295000 win 65100" Traffic
    2023-10-15 21:48:08 Allow x.x.x.x 192.168.1.3 4137/tcp 49489 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 4098057629 win 65100" Traffic
    2023-10-15 21:48:10 sslvpn Mobile VPN with SSL user xxx logged in. Virtual IP address is 0.0.0.0. Real IP address is x.x.x.x. id="2500-0000" Debug
    2023-10-15 21:48:10 Allow x.x.x.x 192.168.1.3 4137/tcp 49490 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 3116544998 win 65100" Traffic

    Thank you for your time sir.
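
The Traffic Monitor excerpt above shows the symptom pattern a defender can key on: a run of SYN-only (`tcp_info="... S ..."`) connections from one external source to the SSLVPN service port, each from a fresh client port, alongside an `sslvpn` login event whose virtual IP is `0.0.0.0`. Below is an added example, not code from the thread or from WatchGuard, that parses Fireware-style log lines in exactly that format and reports sources which both hammer the port with unanswered SYNs and authenticate without ever getting an address. The sample lines are constructed to mirror the ones quoted (masked addresses kept as posted, plus one constructed healthy login for contrast); field meanings beyond what the thread shows (which of the two trailing port fields is pre- or post-NAT) are not assumed, so the script keys only on the `port/tcp` field.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Traffic Monitor lines quoted in the post.
# The first five lines mirror the quoted output; the last line is a constructed
# healthy login (user yyy, real IP from the TEST-NET-3 documentation range).
SAMPLE_LOG = """\
2023-10-15 21:48:05 Allow x.x.x.x 192.168.1.3 4137/tcp 49487 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 2333174727 win 65100" Traffic
2023-10-15 21:48:07 Allow x.x.x.x 192.168.1.3 4137/tcp 44544 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 998295000 win 65100" Traffic
2023-10-15 21:48:08 Allow x.x.x.x 192.168.1.3 4137/tcp 49489 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 4098057629 win 65100" Traffic
2023-10-15 21:48:10 sslvpn Mobile VPN with SSL user xxx logged in. Virtual IP address is 0.0.0.0. Real IP address is x.x.x.x. id="2500-0000" Debug
2023-10-15 21:48:10 Allow x.x.x.x 192.168.1.3 4137/tcp 49490 6443 0-Wan Firebox Allowed 44 64 (WatchGuard SSLVPN-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_port_nat="4137" tcp_info="offset 6 S 3116544998 win 65100" Traffic
2023-10-15 21:49:00 sslvpn Mobile VPN with SSL user yyy logged in. Virtual IP address is 192.168.113.2. Real IP address is 203.0.113.9. id="2500-0000" Debug
"""

# Firewall traffic line: timestamp, action, src, dst, port/proto, two port
# fields, free text, then the tcp_info block whose flag letters we care about.
TRAFFIC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Allow (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<svc_port>\d+)/tcp (?P<sport>\d+) (?P<port2>\d+) .*?'
    r'tcp_info="offset \d+ (?P<flags>[A-Z.]+) \d+ win \d+"'
)

# sslvpn login line: user, assigned virtual IP, and the client's real IP.
LOGIN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sslvpn Mobile VPN with SSL user '
    r'(?P<user>\S+) logged in\. Virtual IP address is (?P<vip>\S+?)\. '
    r'Real IP address is (?P<real>\S+?)\. '
)


def analyze(text, svc_port="4137", syn_threshold=3):
    """Correlate SYN-only hits on the SSLVPN port with logins that got no virtual IP.

    Returns per-source SYN-only counts, the stalled logins (virtual IP 0.0.0.0),
    the healthy logins, and the sources that show both symptoms together.
    """
    syn_only = defaultdict(int)   # src -> number of SYN-only allows to svc_port
    stalled, healthy = [], []
    for line in text.splitlines():
        m = TRAFFIC_RE.match(line)
        if m:
            # "S" alone means the Firebox saw a SYN but this log line never
            # records a completed handshake; repeated ones are the retry loop.
            if m["svc_port"] == svc_port and m["flags"] == "S":
                syn_only[m["src"]] += 1
            continue
        m = LOGIN_RE.match(line)
        if m:
            if m["vip"] == "0.0.0.0":
                stalled.append((m["user"], m["real"]))
            else:
                healthy.append((m["user"], m["real"], m["vip"]))
    stalled_sources = {real for _, real in stalled}
    suspects = sorted(
        src for src, n in syn_only.items()
        if n >= syn_threshold and src in stalled_sources
    )
    return {
        "syn_only_by_src": dict(syn_only),
        "stalled_logins": stalled,
        "healthy_logins": healthy,
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in report["suspects"]:
        print(f"{src}: {report['syn_only_by_src'][src]} SYN-only hits and a login "
              f"with virtual IP 0.0.0.0 (client authenticated but tunnel never came up)")
    for user, real, vip in report["healthy_logins"]:
        print(f"ok: {user} from {real} got {vip}")
```

Feed it the Traffic Monitor export (`analyze(open("traffic.log").read(), svc_port="<your SSLVPN port>")`) and a source that appears in `suspects` is exhibiting the thread's failure mode: authentication succeeds, the address pool is never handed out, and the client keeps reopening the TCP session. It does not tell you why (here the cause turned out to be the primary/secondary address order in the Mobile VPN with SSL configuration), but it separates that pattern from ordinary failed logins or port scans, which would show SYNs without any `logged in` event.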

  • No more ideas.
    Open a support case on this to get WG help in sorting this out
  • Thanks for considering me. You take care.
