VPN users having issues connecting on Wifi but able to connect on hotspot

This issue appears similar to the post referenced below, though the only suggested idea there was IPv6, without a lot of details. We’ve opened a ticket with WG, and they suspect it’s an ISP-related problem due to not being able to ping our public-facing IP. Telnet fails, which makes me think port 443 is blocked. I’d appreciate any insights you might have. Currently, this is affecting four users across different ISPs—one on a MacBook, the others on Windows devices.

https://community.watchguard.com/watchguard-community/discussion/3926/some-clients-cannot-connect-to-ssl-vpn-depending-on-their-isp-connection

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @KLAW

    If the place you are connecting from is doing any kind of content inspection, it will usually break the SSLVPN. It may help to ask the IT staff at that site if possible, as they'll be able to provide more information about what they're doing, and what they allow.

    If you're unable to work with whoever manages that site to allow that traffic, I'd suggest trying a different VPN type like IKEv2.

    -James Carson
    WatchGuard Customer Support

  • The user is using Spectrum at her home. This will be the 5th user now that has the issue. Some of the others magically were able to connect after 1 week. Basically stopped on a Monday and started working on the next Monday. WG says it's not them, so it must be the ISP. I can't even ping our server from the affected users' machines. This is a screenshot from the log.

  • james.carson Moderator, WatchGuard Representative

    Hi @KLAW
    If the distant end is doing something to block that type of connection, they'll either need to unblock it, or you'll need to connect a different way.

    Considering that it is usually pretty difficult to track down who is blocking things (I've been on plenty of calls with ISPs where they will claim they're doing nothing, get put on hold, and the problem will magically vanish, and they'll claim they didn't do anything), it may simply be easier to try one of the other VPN types.

    -James Carson
    WatchGuard Customer Support

  • Is there any antivirus or other security/monitoring software product common to all these client computers that might behave as a proxy and jump into the middle of the communication flow?

  • Quick update, this turned out to be a strange one. I’ve been working on this with support tickets open to WG, and several engineers and techs reviewed the system and assured me the issue wasn’t on our end.

    However, I just discovered that a user experiencing the problem was listed under "Blocked Sites" in FSM. It turns out there’s a setting that automatically blocks an IP for 24 hours if it attempts more than 10 connections within an hour.

    Now that I’m aware of this, I can manually unblock affected users going forward. I’m just surprised none of the engineers noticed this or suggested I check that setting.

    All good, thanks for the help!
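
Added example, not part of the thread and not WatchGuard code: a sketch of the auto-block rule described in the last post (more than 10 connections within an hour, blocked for 24 hours), run over constructed connection attempts to show which source IPs would land on a blocked list and when. How the firewall actually counts attempts, and that attempts made during a block are dropped without being counted, are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                    # post: "more than 10 connections"
WINDOW = timedelta(hours=1)       # post: "within an hour"
BLOCK_FOR = timedelta(hours=24)   # post: "blocks an IP for 24 hours"

def find_blocks(attempts):
    """attempts: iterable of (datetime, src_ip) in any order.
    Returns {src_ip: [(blocked_at, blocked_until), ...]}."""
    recent = defaultdict(deque)   # per-IP attempt times inside the window
    blocked_until = {}
    blocks = defaultdict(list)
    for ts, ip in sorted(attempts):
        # Assumption: traffic from a blocked IP is dropped and not counted.
        if ip in blocked_until and ts < blocked_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:          # expire attempts older than the window
            q.popleft()
        if len(q) > THRESHOLD:              # strictly more than 10 in the window
            blocked_until[ip] = ts + BLOCK_FOR
            blocks[ip].append((ts, ts + BLOCK_FOR))
            q.clear()
    return dict(blocks)

def sample_attempts():
    """Constructed data: one client retrying every 5 minutes for 30 hours,
    one client connecting three times in a day."""
    start = datetime(2024, 1, 1, 9, 0)      # a Monday
    retrying = [(start + timedelta(minutes=5 * i), "203.0.113.10")
                for i in range(12 * 30)]
    normal = [(start + timedelta(hours=h), "198.51.100.7") for h in (0, 4, 8)]
    return retrying + normal

if __name__ == "__main__":
    for ip, windows in find_blocks(sample_attempts()).items():
        for blocked_at, until in windows:
            print(f"{ip} blocked {blocked_at:%a %H:%M} until {until:%a %H:%M}")
```

Under these assumptions, a client that keeps auto-retrying is blocked again shortly after each 24-hour block expires, so the Blocked Sites list is worth checking before looking at the ISP.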
