WatchGuard M470 becomes inaccessible
Hello,
I hope you are doing well. I am experiencing a problem with the WatchGuard M470 firewall. Every day, at the same time, between 10:10 AM and 10:20 AM, I have a crash, and the WatchGuard M470 becomes inaccessible.
Here is an excerpt from the logs I collected:
2024-10-10 10:19:50 pxy 0x1a2c4d0-366392 connect failed Connection timed out 739: removed:50706 -> removed:443 [A txr] {B } | 807: removed:50706 -> removed:443 [!B c] {B}[P]
2024-10-10 10:19:50 https-proxy 0x1a2c4d0-366392 739: removed:50706 -> removed:443 [A txr] {B } | 807: 41.224.8.182:50706 -> removed:443 [!B fc] {B}[P]: failed to connect B channel
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting -4.
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting -4.
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting 40.
2024-10-10 10:20:14 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting 14.
2024-10-10 10:20:19 iked (removed<->removed)Received IKE message with invalid length(1677721616) in IsakmpHdr. Expecting 30.
2024-10-10 10:20:20 wrapper nginx: 2024/10/10 10:20:20 [error] 3102#0: *28392 directory index of "/usr/share/web/pac/" is forbidden, client: removed, server:
2024-10-10 10:20:20 wrapper nginx: 2024/10/10 10:20:20 [crit] 3102#0: *28397 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: removed, server: 0.0.0.0:8090
2024-10-10 10:20:22 http-proxy 0x1a66c70-367918 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03q\xbe\x0e\x1fqsN\x92\xbc\x00\xe1[\xdf\xdf?Ww\x1b\xa8\xa2\xde\xc1[\xe6\xdcaQ\x81\x15\xc1\x8d\xd0\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:20:24 http-proxy 0x104a990-256759 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03\x91\xc0\x12|\x91\x94m\x9d\xb3\xad\x9b@\x91\xfd\xa4\xa2mg\xb8\x0b\xedz\x10\xba\xfb\xc02'\xdd\x11;s\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:21:46 http-proxy 0x15378b0-256991 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03\x05\xb8\xef\x82\x0c\xc6/\x9f\x1e?\x1c\x81\xe8\xff\x91\xdc\x8a\x1b\xef\xee\xc4\x15C\x9ewo\xe2\x8e\x9d\x8f\xa6\x8c\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:22:03 admd wgadmCheckUserExisting(): cfgapi_getstr failed
2024-10-10 10:22:03 admd wgadmGetUserInfoFromXML(): Could not find username coder in xml content
2024-10-10 10:22:03 wgcgi SSL VPN user removed@removed from removed was rejected - Unspecified.
2024-10-10 10:22:03 wgcgi User not authenticated
2024-10-10 10:22:05 wgcgi SSL VPN user removed@removed from removed was rejected - invalid credentials.
2024-10-10 10:22:05 wgcgi User not authenticated
Could you assist me in resolving this issue?
Thank you in advance for your help.
Best regards,
** removed IP addresses and user names - JC
Comments
Hi @mejdiferjani2024
It looks like something inside your network is trying to start an IPSec tunnel, and then SSLVPN connections using different domains. The IPSec traffic does not look fully/correctly formed -- is it possible someone on the inside of your network is trying to run a pen test?
I'd suggest opening a support case so we can get additional logs, and help with the issue. If you're not already running 12.10.4 update 2, I would also suggest upgrading to that version.
-James Carson
WatchGuard Customer Support
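The reply above reads the excerpt by eye. The same reading can be automated, which also shows what the `http-proxy` lines actually contain: the escaped payload `\x16\x03\x01...` is a TLS record (content type 0x16 handshake, record version 3.1) wrapping a ClientHello, so something sent a TLS handshake to a plaintext HTTP proxy port. The script below is an added example written for this page; it is not WatchGuard code and not anything the poster or James Carson supplied. It embeds the log lines from the post (with the poster's `removed` redactions), decodes the escaped bytes, parses the ClientHello far enough to read the offered version and cipher suites, and buckets the iked, nginx and wgcgi events per minute so the 10:20 to 10:22 burst appears as one cluster. The regexes, event-category names and the `triage` summary format are this example's own choices, not a WatchGuard log schema.

```python
"""Triage of the log excerpt posted above (added example, not WatchGuard code)."""
import re
from collections import Counter, defaultdict
from typing import Optional

# Lines copied from the post above ("removed" = the poster's redactions).
SAMPLE_LOG = r"""
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting -4.
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting -4.
2024-10-10 10:20:09 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting 40.
2024-10-10 10:20:14 iked (removed<->removed)Received IKE message with invalid length(0) in IsakmpHdr. Expecting 14.
2024-10-10 10:20:19 iked (removed<->removed)Received IKE message with invalid length(1677721616) in IsakmpHdr. Expecting 30.
2024-10-10 10:20:20 wrapper nginx: 2024/10/10 10:20:20 [crit] 3102#0: *28397 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: removed, server: 0.0.0.0:8090
2024-10-10 10:20:22 http-proxy 0x1a66c70-367918 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03q\xbe\x0e\x1fqsN\x92\xbc\x00\xe1[\xdf\xdf?Ww\x1b\xa8\xa2\xde\xc1[\xe6\xdcaQ\x81\x15\xc1\x8d\xd0\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:20:24 http-proxy 0x104a990-256759 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03\x91\xc0\x12|\x91\x94m\x9d\xb3\xad\x9b@\x91\xfd\xa4\xa2mg\xb8\x0b\xedz\x10\xba\xfb\xc02'\xdd\x11;s\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:21:46 http-proxy 0x15378b0-256991 unable to parse request start-line line='\x16\x03\x01\x01\x0d\x01\x00\x01\x09\x03\x03\x05\xb8\xef\x82\x0c\xc6/\x9f\x1e?\x1c\x81\xe8\xff\x91\xdc\x8a\x1b\xef\xee\xc4\x15C\x9ewo\xe2\x8e\x9d\x8f\xa6\x8c\x00\x00n\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0\x0a'
2024-10-10 10:22:03 wgcgi SSL VPN user removed@removed from removed was rejected - Unspecified.
2024-10-10 10:22:05 wgcgi SSL VPN user removed@removed from removed was rejected - invalid credentials.
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<hm>\d{2}:\d{2}):\d{2} (?P<proc>\S+) (?P<msg>.*)$")
IKE_LEN_RE = re.compile(r"invalid length\((\d+)\) in IsakmpHdr\. Expecting (-?\d+)")
RAW_RE = re.compile(r"line='(?P<raw>.*)'\s*$")

# IANA names for the suites that appear in the excerpt (RFC 5289 / RFC 4492).
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
}


def unescape(raw: str) -> bytes:
    """Turn the log's \\xNN-escaped text back into the bytes the proxy received."""
    return raw.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Minimal TLS record + ClientHello parser (RFC 5246 sections 6.2.1 and 7.4.1.2).

    Layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) client_version(2)
    random(32) session_id_len(1) session_id cipher_suites_len(2) cipher_suites...
    Returns None unless the bytes are a handshake record carrying a ClientHello.
    """
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 11 + 32                      # skip the 32-byte client random
    sid_len = data[pos]
    pos += 1 + sid_len
    if len(data) < pos + 2:
        return None
    cs_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    cs_bytes = data[pos:pos + cs_len]  # the log line is truncated, so usually partial
    suites = [int.from_bytes(cs_bytes[i:i + 2], "big") for i in range(0, len(cs_bytes) - 1, 2)]
    return {
        "record_version": (data[1], data[2]),
        "record_len": int.from_bytes(data[3:5], "big"),
        "handshake_len": int.from_bytes(data[6:9], "big"),   # record_len - 4
        "client_version": (data[9], data[10]),               # (3, 3) means TLS 1.2
        "cipher_suites_len": cs_len,
        "suites_seen": [CIPHER_NAMES.get(s, f"0x{s:04X}") for s in suites],
        "truncated": len(cs_bytes) < cs_len,
    }


def triage(log_text: str) -> dict:
    """Bucket the security-relevant events per minute and decode any TLS hellos."""
    per_minute = defaultdict(Counter)
    ike_lengths = Counter()
    hellos = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg, hm = m["proc"], m["msg"], m["hm"]
        if proc == "iked" and (k := IKE_LEN_RE.search(msg)):
            per_minute[hm]["ike_bad_length"] += 1
            ike_lengths[int(k.group(1))] += 1   # lengths the malformed IKE headers claimed
        elif proc == "http-proxy" and (r := RAW_RE.search(msg)):
            hello = parse_client_hello(unescape(r["raw"]))
            if hello:
                per_minute[hm]["tls_hello_on_http_proxy"] += 1
                hellos.append(hello)
        elif proc == "wrapper" and "version too low" in msg:
            per_minute[hm]["tls_version_too_low"] += 1
        elif proc == "wgcgi" and "was rejected" in msg:
            per_minute[hm]["sslvpn_rejected"] += 1
    return {
        "per_minute": {k: dict(v) for k, v in sorted(per_minute.items())},
        "ike_claimed_lengths": dict(ike_lengths),
        "client_hellos": hellos,
        # same suites in the same order in every hello points at one client/tool
        "single_client_fingerprint": len({tuple(h["suites_seen"]) for h in hellos}) == 1,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for minute, counts in result["per_minute"].items():
        print(minute, counts)
    print("IKE header lengths claimed:", result["ike_claimed_lengths"])
    for h in result["client_hellos"]:
        print("ClientHello TLS 1.%d, %d suites offered, first: %s" % (
            h["client_version"][1] - 1, h["cipher_suites_len"] // 2, h["suites_seen"][0]))
```

On the excerpt this yields five IKE headers with impossible lengths (0 four times, 1677721616 once) inside ten seconds, one nginx rejection of a too-old TLS version on port 8090, three TLS 1.2 ClientHellos delivered to the HTTP proxy that all offer the same 55 suites in the same order (only the first six survive the log truncation), and two SSL VPN rejections two minutes later. The identical cipher-suite ordering is the observation to take to a support case: it is consistent with one client working through the firewall's listeners, which is what the reply above suspects. Feed it the full log rather than the excerpt to see whether the same cluster recurs at the same time each day.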