SSL VPN Authentification Failed: Invalid credentials

Hello,

Since this morning I have had the problem that I can no longer connect via SSL VPN. I always get the following message: "SSLVPN authentication failed) Could not download the configuration from the server..."
If I try to connect directly to the Watchguard via:
IPAddress:4443/sslvpn.html the message appears:
"Authentication Failed: Invalid Credentilas"
I have already restarted the firewall and I have also activated and deactivated the Mobile VPN / SSL service. No change.

Yesterday everything worked perfectly and we did not change any configuration.

What could I do?

Thanks in advance

Comments

  • For your information:
    The users are part of the Firebox DB.

  • You can turn on diagnostic logging for SSLVPN and/or for authentication which may show something to help:

    . WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    Set the slider to Information or higher
    . Web UI: System -> Diagnostic Log -> VPN -> SSL.
    Click the down arrow and select Information

    . Policy Manager: Setup -> Logging -> Diagnostic Log Level -> Authentication
    Set the slider to Information or higher
    . Web UI: System -> Diagnostic Log -> Authentication

    Note that user ID & password are case sensitive.

  • edited March 4

    Twice over two weeks a user has had the same problem.
    After the first time, the password was reset.
    Now after the second time, the user has been switched to using AD authentication instead.

    This is on a new M390 with Fireware v12.10.2.

    On M370 with v12.10.1, this never happened.

    In addition, occasionally when losing internet connection and the SSL VPN client need to reconnect, sometimes a message about invalid credentials show up, but connection works ok after retrying.

    To me, this suggests that something is not right with the fireware release.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @nekoneko
    I'd suggest checking your AD authentication logs. If your authentication server is set to AD, the password is passed to that server for verification.

    The firewall's SSLVPN authenticates to AD via a simple bind - most Windows AD security policies won't allow password changes via simple bind.

    -James Carson
    WatchGuard Customer Support

  • edited March 6

    @james.carson said:
    Hi @nekoneko
    I'd suggest checking your AD authentication logs. If your authentication server is set to AD, the password is passed to that server for verification.

    The firewall's SSLVPN authenticates to AD via a simple bind - most Windows AD security policies won't allow password changes via simple bind.

    Edit: I didn't see this originally, but at the second occasion it seems the user had been locked out.

  • UserID & password are case sensitive.

    What is the authentication server type selected for your SSLVPN users?

    Perhaps this?

    The User name format depends on which authentication server the user authenticates to:

    If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an authentication server that is not the default authentication server, you must specify the authentication server in the User name text box.
    If the Firebox configuration includes multiple authentication servers, and you want to authenticate to the default authentication server, you do not need to specify the authentication server in the User name text box.
    

    For example, the User name must be formatted in one of these ways:

    To use the default authentication server

    Type the user name. Example: j_smith

    To use another authentication server

    Type the authentication server name or domain name, and then type a backlash () followed by the user name.

    Active Directory — ad1_example.com\j_smith

    Firebox-DB — Firebox-DB\j_smith

    AuthPoint (Fireware v12.7 or higher) — authpoint\jsmith

    RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.

    RADIUS (Fireware v12.4.1 or lower) — RADIUS\j_smith. You must always type RADIUS.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html

  • @Bruce_Briggs said:
    UserID & password are case sensitive.

    What is the authentication server type selected for your SSLVPN users?

    Perhaps this?

    The User name format depends on which authentication server the user authenticates to:

    If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an authentication server that is not the default authentication server, you must specify the authentication server in the User name text box.
    If the Firebox configuration includes multiple authentication servers, and you want to authenticate to the default authentication server, you do not need to specify the authentication server in the User name text box.
    

    For example, the User name must be formatted in one of these ways:

    To use the default authentication server

    Type the user name. Example: j_smith

    To use another authentication server

    Type the authentication server name or domain name, and then type a backlash () followed by the user name.

    Active Directory — ad1_example.com\j_smith

    Firebox-DB — Firebox-DB\j_smith

    AuthPoint (Fireware v12.7 or higher) — authpoint\jsmith

    RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.

    RADIUS (Fireware v12.4.1 or lower) — RADIUS\j_smith. You must always type RADIUS.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.htmltunnel rush

    Thank you for your support. I have fixed my problem.

This discussion has been closed.