SSL VPN connected, can't ping gateway

Firebox T30 v.12.5.2

I've configured numerous firewalls for SSL VPN, this one in particular is giving me grief. Scaled back to the simplest setting of just giving access to trusted interfaces, and tried specifying routes as well. Users can log in no problem. Routes show up fine, but can't ping either the virtual IP gateway, or the firebox gateway. ICMP and DNS requests are showing denied "IP Spoofing Sites" (Internal Policy). I gather that's my issue somewhere deep, but TCP dump isn't showing anything outside the norm. Compared apples to apples with another firewall policy, and I can't see what's different with this one.

Comments

  • James_Carson (WatchGuard Representative)

    Hi @Stewy

    We'll see IP spoofing if the firewall thinks traffic is arriving on the wrong network.

    Was the SSLVPN's subnet set up as the same IP space as something else? For example, if you have 10.0.1.0/24 as your main trusted network, you can't set the SSLVPN to also be 10.0.1.0/24 in routed mode. (You can make a bridge interface, and put both on there, however.)

    Check through your interfaces and other VPNs, ensure that you don't have that subnet specified elsewhere. If all else fails, change the SSLVPN subnet to something that you know you won't have anywhere else.

    -James Carson
    WatchGuard Customer Support

  • You can edit a saved config .xml file and search for your SSLVPN subnet, such as 192.168.222.
    That should give you a clue as to where to look for the duplicate use of that subnet.
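The two replies above boil down to one check: the SSL VPN client pool must not overlap any subnet the Firebox already knows about (interfaces, other VPNs), and the quickest way to find a clash is to search the saved config for the pool's prefix. The script below is an added example written for this thread, not anything from WatchGuard or from the posters. It takes a hand-built list of named networks (all addresses invented), flags every overlapping pair, scans a constructed config fragment for a prefix the way the second comment suggests, and picks a replacement pool that collides with nothing, as James recommends. The XML element names are made up for the demonstration and are not WatchGuard's real schema; the only thing the page tells us is that the export is an .xml file you can search.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed list of the address assignments an admin would collect from
# the Firebox: trusted/optional interfaces, a branch-office BOVPN route and
# the SSL VPN client pool. Names and addresses are invented for this example.
ASSIGNED_NETWORKS: Dict[str, str] = {
    "interface:Trusted":   "10.0.1.0/24",
    "interface:Optional":  "192.168.50.0/24",
    "bovpn:branch-office": "10.0.2.0/24",
    "sslvpn:client-pool":  "10.0.1.0/24",   # same space as Trusted: the fault in the thread
}


def find_overlaps(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named networks whose address ranges overlap.

    In routed mode an SSL VPN pool that overlaps an interface subnet makes the
    Firebox see client traffic arriving on an interface it does not expect for
    that subnet, which is logged as an 'IP Spoofing Sites' denial.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in networks.items()}
    names = sorted(parsed)
    overlaps: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                overlaps.append((a, b))
    return overlaps


def sslvpn_conflicts(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Only the overlapping pairs that involve an SSL VPN pool entry."""
    return [pair for pair in find_overlaps(networks) if any(n.startswith("sslvpn:") for n in pair)]


# Constructed config fragment. The element names are invented for this example
# and do not reflect WatchGuard's real XML schema; the point is the search.
SAMPLE_CONFIG_XML = """<config>
  <interface name="Trusted"><ip>10.0.1.1/24</ip></interface>
  <interface name="Optional"><ip>192.168.50.1/24</ip></interface>
  <sslvpn><pool>192.168.222.0/24</pool></sslvpn>
  <bovpn name="branch-office"><remote>192.168.222.0/24</remote></bovpn>
</config>
"""


def find_subnet_mentions(config_text: str, prefix: str) -> List[str]:
    """Return each line of a config export that mentions the given prefix
    (e.g. '192.168.222.'), so you can see where else the pool's space is used.
    More than one hit outside the sslvpn section means a duplicate to resolve."""
    pat = re.compile(re.escape(prefix))
    return [line.strip() for line in config_text.splitlines() if pat.search(line)]


def pick_unused_pool(candidates: List[str], networks: Dict[str, str]) -> Optional[str]:
    """Return the first candidate subnet that overlaps nothing except the
    current SSL VPN pool itself (which is the one being replaced)."""
    existing = [ipaddress.ip_network(cidr, strict=False)
                for name, cidr in networks.items() if not name.startswith("sslvpn:")]
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not any(net.overlaps(e) for e in existing):
            return cand
    return None


if __name__ == "__main__":
    for a, b in sslvpn_conflicts(ASSIGNED_NETWORKS):
        print(f"SSL VPN pool conflict: {a} overlaps {b}")
    for line in find_subnet_mentions(SAMPLE_CONFIG_XML, "192.168.222."):
        print("config mention:", line)
    print("safe replacement pool:",
          pick_unused_pool(["10.0.1.0/24", "10.0.2.0/24", "172.16.99.0/24"], ASSIGNED_NETWORKS))
```

Run it as-is to see the Trusted/pool clash flagged, both lines of the constructed export that carry the 192.168.222. prefix, and 172.16.99.0/24 offered as the first candidate that is free. To use it for real, replace the dictionary with the subnets from your own interfaces and VPN tunnels and point find_subnet_mentions at the text of your saved .xml file.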

  • Yes, that was the case. The SSL pool was 192*, then I was changing it to 10* during some troubleshooting. Putting it back to 192* got everything working again, but have no clue what was wrong with that original pool in the first place. I'll take it as a win though.

    Thanks!
