Mobile VPN with SSL users cannot access local resources

I have an out of service M300 firewall that I am trying to repurpose for a basic vpn box for a small business. The mobile SSL vpn authenticates using firebox DB user and I am able to access the firewall but I cannot access any other local resources even by IP address. I have added Any to the From and to in the sslvpn policy to just see if that would work and still doesn't. I can ping the firewall but not any other devices on the network. I have allowed access to all trusted, optional and custom networks. I set the virtual ip pool to I feel like it is a routing issue. looking at the status on the client the first route is gw= mask I have another working mobile vpn at a different client and the first route on that client pc is gw= mask = but I don't know how to change this. This is not working

This one does work at a different location.


  • For the record, what XTM version is on this Firebox?

    Does this Firebox have a Feature Key installed on it? If not, you need one for may things to work, including SSLVPN.

    What do you see in Traffic Monitor when this user tries to log on?

    Is the user a member of the SSLVPN user group?

  • Version 12.5.11 No it does not have a feature key, but I talked to watchguard support and they said a feature key is not required for sslvpn, only if you are using MFA like authpoint do you need a feature key. yes user is a member of the sslvpn group

  • edited January 15

    I doubt that SSLVPN will work without a Feature Key.
    And, last I knew, without a Feature Key, only 1 internal IP addr will be able to access the Internet.

    You need to open a support case with Customer Care to get this firewall assigned to you and to get a Feature Key.
    Include a photo of the firewall serial number on your support case.

  • another thing, I can ping the server from the firewall itself, just not with mobile ssl vpn client pc.

  • What do you see in Traffic Monitor when any access from a SSLVPN client is tried?

    You can turn on Logging on the "Allow SSLVPN-Users" policy to see packet allowed by this policy in Traffic Monitor.

  • When I ping the server it shows allow via trusted allowed and Allow SSLVPN-users-00 but I get request timed out, when I try to rdp it says allow as well but never connects.

  • edited January 15

    Check the firewall logs on the server.

    Does the server prevent access from the SSLVPN subnet?

    Does the server require the RDP connection to be from a Domain authenticated user?

  • Also windows firewall is shut off on server and no other firewall software is on the server

  • No, any local user on that server, but I don't even get to login on rdp, just times out

  • You can do packet captures on:
    1) the server - many use the free tool WireShark
    2) on the firewall , using TCP dump

    Run Diagnostic Tasks to Learn More About Log Messages

    with the Advanced options, you can specify to see all packets for specific IP addr etc.

  • Running wireshark on the server it looks like the pings are coming through but I get timouts on the client pc.

    traceroute goes to server ok, Ran a tcp dump from firewall to trusted internal interface don't really know what it is saying, just a bunch of arp requests. I mean it looks like it is getting there but can't access shared network drive to it. I don't know how to check this question although it does seem like some kind of routing problem, Does the server prevent access from the SSLVPN subnet?

  • when i try to map a drive I get this from wireshark on the server and a network error on the vpn client Server is

  • "timouts on the client pc" meaning the SSLVPN client?
    Any interesting firewall or similar software on the SSSLVPN client PC which may be dropping packets ?
    It looks to me that he pings are being returned from the firewall to the SSLVPN client PC - so that makes the client PC the possible problem cause.

    How are you trying to do the drive mapping?
    By IP addr or by short name (no domain name suffix) or by FQDN?
    If by short name, have you added your domain name in the SSLVPN setup -> Advanced tab -> Domain name field?

    You can test a SSLVPN connection from behind the firewall.
    Try this from a PC connected to Trusted, and see what happens.
    We still need to identify why you are seeing this issue.

Sign In to comment.