Some clients cannot connect to SSL VPN depending on their ISP connection
Nothing hardware related has changed with regard to the computers and network equipment we use, but devices have stopped connecting to the SSL VPN. This was previously working for a long time and broke seemingly randomly last week.
Windows 11 Laptops are issued to employees along with a Netgear MR1100 4G LTE Hotspot Router. These laptops can no longer connect to the SSL VPN by way of the Netgear hotspot. This is true across multiple hotspots and multiple devices.
Interestingly, though, those very same laptops can connect to the SSL VPN through (seemingly) any other ISP connection. We can successfully connect via the neighbor's internet connection (standard coaxial ISP modem + router) and via two cell phone hotspot connections. Of note, the cell phones are on the same carrier as the Netgear hotspots, but not on the same account.
Problem: Cannot connect to SSL VPN through Netgear MR1100 4G LTE hotspots.
Ways that they can connect:
1. Neighbor's internet connection
2. A cell phone hotspot
Notes:
1. Tested on 2 separate cell phone hotspots and 2 separate Netgear hotspots on 2 separate laptops. Same issue on both - the laptops cannot connect to the SSL VPN through the Netgear hotspot but can through any other connection we've tried
2. These same laptops and hotspots were working just fine for at least 6 months before last week
3. The Netgear hotspots and the cell phones are on the same carrier but different accounts
4. Other computers (like my work computer and home computer) have no problem connecting
5. When the laptops cannot connect to the VPN through the hotspot, they also cannot reach the SSL VPN download page hosted on the router. When they can connect through another connection, they can reach the page
6. At all times, even on the offending hotspots, the devices can successfully ping the router's WAN IP
7. I've tried disabling the Windows firewall and AV on the affected laptops, no change in behavior
8. There are no other third party firewalls on the laptops to affect this
9. The carrier has been largely unhelpful in assisting, blaming the router
10. I can see successful login attempts in the Traffic Monitor from these two laptops when they're on an internet connection that works, but I do not see any failed login attempts when they're on the offending hotspots. I can see failed login attempts from, for example, my work computer when I intentionally log in with invalid credentials but not when I do the same on the laptop from the offending hotspots
Am I missing something obvious here?
Comments
Hi @upcc
Have you checked with the wireless carrier that's providing service to those 4G Netgear devices? That seems like the common denominator here.
WatchGuard's SSLVPN is based on OpenVPN. If they're doing any kind of content inspection, or attempting to deny/throttle VPN connections, that may be your issue.
Check the 4G device(s) and see if they're getting an IPv4 address. SSLVPN is currently IPv4 only. Clients will not be able to connect if they only have IPv6 addresses.
If there are any settings on the Netgear devices that say something like "Allow VPN pass-thru" you may need to enable that option. Wireless carriers are often responsible for updating the firmware on connected 3G/4G/5G devices, so there may have been an update that added a feature like this without you knowing.
-James Carson
WatchGuard Customer Support
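The IPv4 check from the reply above, combined with the ping-versus-portal observation in the original post, as an added PowerShell example that is not part of the thread or of WatchGuard's tooling. `$VpnHost` and `$VpnPort` are placeholders (assumptions), and the script only sees the laptop side: the address the carrier assigns to the hotspot itself still has to be read from the hotspot's admin page.

```powershell
# Added example, not from the thread. Run on an affected laptop while on the hotspot.
# Assumptions: $VpnHost is a placeholder for the firewall's external IP, and
# $VpnPort is whatever TCP port your SSL VPN listens on (443 is only a default here).
param(
    [string]$VpnHost = '203.0.113.10',
    [int]$VpnPort = 443
)

# 1. Usable IPv4 addresses (skip loopback and 169.254.x.x self-assigned addresses).
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.AddressState -eq 'Preferred' -and
        $_.IPAddress -notlike '127.*' -and
        $_.IPAddress -notlike '169.254.*'
    })

# 2. An IPv4 default route must exist for IPv4 traffic to leave the laptop.
$route4 = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)

# 3. Compare ICMP with a TCP handshake to the VPN port.
$ping = Test-NetConnection -ComputerName $VpnHost -WarningAction SilentlyContinue
$tcp  = Test-NetConnection -ComputerName $VpnHost -Port $VpnPort -WarningAction SilentlyContinue

$result = [pscustomobject]@{
    IPv4Addresses    = ($ipv4 | ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" }) -join ', '
    IPv4DefaultRoute = $route4.Count -gt 0
    PingSucceeded    = $ping.PingSucceeded
    TcpSucceeded     = $tcp.TcpTestSucceeded
}
$result | Format-List

# 4. Interpret the combination.
if ($ipv4.Count -eq 0 -or $route4.Count -eq 0) {
    'No usable IPv4 path: an IPv4-only SSL VPN cannot connect from this network.'
} elseif ($result.PingSucceeded -and -not $result.TcpSucceeded) {
    "ICMP passes but TCP/$VpnPort does not: something between the laptop and the firewall is dropping that port."
} elseif ($result.TcpSucceeded) {
    "TCP/$VpnPort connects: look past basic reachability (TLS or VPN traffic handling on the path)."
} else {
    'Neither ICMP nor TCP reaches the host: check basic connectivity first.'
}
```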
Hey @james.carson
Is there any news on when WG will support IPv6 fully, as more and more networks are preferring IPv6?
Hi @Adam_Witwicki
The open request related to the SSLVPN supporting IPv6 is FBX-8767. This is currently slated for sometime in 2025. Work is being done to add IPv6 support to many features of the firewall, and many support IPv6 already.
See:
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/networksetup/ipv6_supported_features.html
-James Carson
WatchGuard Customer Support