SSL VPN Authentication Failed: Invalid credentials
Hello,
Since this morning I have had the problem that I can no longer connect via SSL VPN. I always get the following message: "SSLVPN authentication failed) Could not download the configuration from the server..."
If I try to connect directly to the Watchguard via:
IPAddress:4443/sslvpn.html the message appears:
"Authentication Failed: Invalid Credentials"
I have already restarted the firewall and I have also activated and deactivated the Mobile VPN / SSL service. No change.
Yesterday everything worked perfectly and we did not change any configuration.
What could I do?
Thanks in advance
This discussion has been closed.
Comments
For your information:
The users are part of the Firebox DB.
You can turn on diagnostic logging for SSLVPN and/or for authentication which may show something to help:
- WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
  Set the slider to Information or higher
- Web UI: System -> Diagnostic Log -> VPN -> SSL
  Click the down arrow and select Information
- Policy Manager: Setup -> Logging -> Diagnostic Log Level -> Authentication
  Set the slider to Information or higher
- Web UI: System -> Diagnostic Log -> Authentication
Note that user ID & password are case sensitive.
Twice over two weeks a user has had the same problem.
After the first time, the password was reset.
Now after the second time, the user has been switched to using AD authentication instead.
This is on a new M390 with Fireware v12.10.2.
On M370 with v12.10.1, this never happened.
In addition, occasionally when losing internet connection and the SSL VPN client needs to reconnect, sometimes a message about invalid credentials shows up, but the connection works OK after retrying.
To me, this suggests that something is not right with the Fireware release.
Hi @nekoneko
I'd suggest checking your AD authentication logs. If your authentication server is set to AD, the password is passed to that server for verification.
The firewall's SSLVPN authenticates to AD via a simple bind - most Windows AD security policies won't allow password changes via simple bind.
-James Carson
WatchGuard Customer Support
Edit: I didn't see this originally, but on the second occasion it seems the user had been locked out.
UserID & password are case sensitive.
What is the authentication server type selected for your SSLVPN users?
Perhaps this?
The User name format depends on which authentication server the user authenticates to:
For example, the User name must be formatted in one of these ways:
To use the default authentication server
Type the user name. Example: j_smith
To use another authentication server
Type the authentication server name or domain name, and then type a backslash (\) followed by the user name.
Active Directory — ad1_example.com\j_smith
Firebox-DB — Firebox-DB\j_smith
AuthPoint (Fireware v12.7 or higher) — authpoint\jsmith
RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.
RADIUS (Fireware v12.4.1 or lower) — RADIUS\j_smith. You must always type RADIUS.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html
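As an added example (not from the WatchGuard documentation or from any poster in this thread), this Python helper pre-checks a login string against the user name formats quoted above before a help desk resets a password. The function names, the server list, and the RADIUS domain are assumptions made for illustration; the script only inspects the string and never contacts the Firebox.

```python
# Added example. Server names and the RADIUS domain below are constructed.

def ver(s):
    """'v12.10.2' -> (12, 10, 2); tuples sort 12.10 above 12.5, strings do not."""
    return tuple(int(p) for p in s.lstrip("v").split("."))

def check_login(login, fireware, default_server, servers, radius_domain=None):
    """Split a login as typed into the SSL VPN client and list format problems.

    servers: authentication server names enabled for the SSL VPN (assumed to be
    copied from your own Firebox configuration). Returns (server, user, problems).
    The user name is returned unchanged because it is case sensitive.
    """
    problems = []
    server, sep, user = login.partition("\\")
    if not sep:                       # bare user name -> default server
        server, user = default_server, login
    if not user:
        problems.append("empty user name")
    fw = ver(fireware)
    if radius_domain and server == radius_domain and fw <= (12, 4, 1):
        problems.append("Fireware v12.4.1 or lower: type RADIUS, not the domain name")
    if server == "authpoint" and fw < (12, 7):
        problems.append("AuthPoint requires Fireware v12.7 or higher")
    known = set(servers) | ({radius_domain} if radius_domain else set())
    if server not in known:
        # Hint only: this script compares names exactly and makes no claim
        # about how the Firebox itself treats case in the server part.
        near = sorted(s for s in known if s.lower() == server.lower())
        hint = f"; configured name is {near[0]!r}" if near else ""
        problems.append(f"authentication server {server!r} not in list{hint}")
    return server, user, problems

if __name__ == "__main__":
    servers = ["Firebox-DB", "ad1_example.com", "RADIUS", "authpoint"]
    for login, fw in [("j_smith", "v12.10.2"),
                      ("firebox-db\\j_smith", "v12.10.2"),
                      ("rad1.example.com\\j_smith", "v12.4.1"),
                      ("authpoint\\jsmith", "v12.5")]:
        print(login, fw, check_login(login, fw, "Firebox-DB", servers,
                                     radius_domain="rad1.example.com"))
```
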
Thank you for your support. I have fixed my problem.