timeout 12002, Mobile VPN

I'm on Current Version: 12.11 (Build 706602). But since then, when I try to use Mobile VPN, I get this. VPN was working before upgrading the WatchGuard OS.

2025-02-27T18:57:11.681 OVPN:>STATE:1740700631,TCP_CONNECT,,,,,,
2025-02-27T18:59:12.373 Launching WatchGuard Mobile VPN with SSL client. Version 12.11.0 (Build 706323) Built:Oct 29 2024 22:01:20
2025-02-27T19:00:53.853 Requesting client configuration from SERVER:443
2025-02-27T19:01:05.874 FAILED:2025-02-27T19:01:17.959 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:17.961 failed to get domain name
2025-02-27T19:01:29.981 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:29.982 sslvpn logon failed
2025-02-27T19:01:42.025 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:42.026 failed to request configuration file

I looked on here, and see that "In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox. To download the Mobile VPN with SSL client, go to the Software Downloads page and select your Firebox model."

I downloaded the latest SSL VPN client from there, but keep getting this. I'm using the default port 443. I have TLS 1.2 checked.

https://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html#DownloadClientSoftware
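An added example, not part of the original post and not WatchGuard code: a small Python parser for the request-phase lines of the client log quoted above. It splits entries that ran together on one line and measures how long each request waited before failing. The function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: request-phase lines copied from the client log in the post above.
SAMPLE_LOG = """\
2025-02-27T19:00:53.853 Requesting client configuration from SERVER:443
2025-02-27T19:01:05.874 FAILED:2025-02-27T19:01:17.959 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:17.961 failed to get domain name
2025-02-27T19:01:29.981 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:29.982 sslvpn logon failed
2025-02-27T19:01:42.025 FAILED:Cannot perform http request, timeout 12002
2025-02-27T19:01:42.026 failed to request configuration file
"""

# A timestamp starts every entry; one line in the post holds two entries run together.
TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}) ?")

def parse_entries(text):
    """Return [(datetime, message)], splitting on every timestamp, not on newlines."""
    parts = TS.split(text)  # ['', ts1, msg1, ts2, msg2, ...]
    return [(datetime.fromisoformat(ts), msg.strip())
            for ts, msg in zip(parts[1::2], parts[2::2])]

def failed_requests(entries):
    """For each FAILED entry: seconds waited since the previous entry, whether the
    client reported a timeout, and the step that gave up (next non-FAILED entry)."""
    out = []
    for i in range(1, len(entries)):
        ts, msg = entries[i]
        if not msg.startswith("FAILED:"):
            continue
        nxt = entries[i + 1][1] if i + 1 < len(entries) else ""
        out.append({
            "waited_s": (ts - entries[i - 1][0]).total_seconds(),
            "timeout": "timeout" in msg,
            "step": nxt if nxt and not nxt.startswith("FAILED:") else None,
        })
    return out

def never_answered(failures, tolerance_s=0.5):
    """True when every failed request waited about the same time, i.e. each one ran
    into the client's timeout instead of receiving an HTTP reply or an error."""
    waits = [f["waited_s"] for f in failures]
    return bool(waits) and max(waits) - min(waits) <= tolerance_s

if __name__ == "__main__":
    failures = failed_requests(parse_entries(SAMPLE_LOG))
    for f in failures:
        print(f"{f['waited_s']:.1f}s  timeout={f['timeout']}  step={f['step']}")
    print("server never answered:", never_answered(failures))
```

On this log every step waits about 12 seconds, so no request received a reply before the client gave up; that points at what is reachable on SERVER:443 rather than at credentials.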

Comments

  • Do you have another inbound policy using 443, such as a webserver NAT etc., that is conflicting? If so, it's likely you need to configure SSL VPN to use a different port, for example TCP 444, and then connect to x.x.x.x:444 in the client.

    https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_tshoot_c.html

  • Yes, I do have another inbound on port 443, the one for "10.0.0.177". I removed port 443 for that, and now I'm able to VPN as before.

    So if I have to re-add port 443 for "10.0.0.177", I have to change the port from 443 to, for example, 444 for SSL VPN, correct? I prefer to keep this 443.

  • Instead of allowing only ports 80,443 for "10.0.0.177", if I change that to 'any', would that resolve the VPN issue?

  • No.
    To have SSLVPN on port 443 & an internal web server on port 443, you need 2 public IP addrs.

  • I do have 2 different public IP addresses. For example, the "10.0.0.177" is on the company public IP 200.100.100.20. And I have the VPN on 200.100.100.22

  • Make sure that the SSLVPN client is accessing .100.22

  • It is, that's the server IP I'm entering on the WG Mobile VPN client.

  • So what's my option if I don't want to change the port from 443 to another for VPN? And still keep the 443 open for "10.0.0.177"

  • Seems like something else is using .100.22 too

  • What do you get when a web browser accesses .100.22 via HTTPS?

  • Check with your ISP to see if they have this IP addr associated with you.
    Could be a problem with them.

  • Thank you. I'm able to VPN now, without making any changes. But I'll still follow up with ISP.

  • edited March 2

    Update....

    I have 2 computers, and each has a different VPN client version.

    This is the latest version I have on one of the computers, and I'm not able to VPN using this version.

    My other computer has an older version, and I'm able to VPN.

    I know with the older version, you can download the VPN client directly from WG locally, but the newer version you can only download from the WG website software downloads.

  • The download of the SSLVPN client from the firewall is no longer available starting with V12.11.

    This release removes the Mobile VPN with SSL Client download page from the Firebox. [FBX-27548]

    You need to use the software downloads site now.
    And, I'm not seeing SSLVPN client V12.10.4 available there any more. Not the nicest availability for older software releases....

    No idea as to your issue with the V12.11 client - assuming that you are connecting to a V12.11 or higher firewall.

    The V12.11 client works with my firewall running v12.11.1.

    Perhaps Diagnostic Logging for VPN -> SSLVPN set to debug will show something.

  • @Bruce_Briggs said:
    And, I'm not seeing SSLVPN client V12.10.4 available there any more. Not the nicest availability for older software releases....

    If I go to https://software.watchguard.com/SoftwareDownloads?current=true&familyId=a2RVr000000bJA9MAM (the SSL VPN downloads page), and then click on the Previous Software link, it shows the 12.10.4 release for Windows (i.e. https://software.watchguard.com/SoftwareDownloads?familyId=a2RVr000000bJA9MAM)

  • You are correct.
    Somehow I missed this.
