I'm encountering an issue in which my user cannot access his Gmail account from the office, where he is behind a WatchGuard firewall. Firebox T40. Version 12.10.2.B692269

He is getting a certificate issue that reads, "Mail can't verify the identity of the server 'imap.gmail.com' ".

The only deny logs I see around the time he's trying to access his email are:
2024-03-25 17:21:18 Deny 10.0.1.253 18.213.11.84 https/tcp 58661 443 Internal Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 1280583035 win 0"

I wonder if this is causing the handshake to fail and thus not authenticate with the server...

Any and all recommendations on how to approach this issue are welcome.



    james.carson Moderator, WatchGuard Representative

    Hi @TechNerd

    Please try to view the certificate -- that will probably give you more information about what's going on.

    -If the certificate says 'proxy authority' or has your firebox's serial number in it, the user may need to import the proxy authority certificate from the firewall. You'll see this type of error if the firewall has content inspection enabled but does not have the proxy cert loaded onto that machine.

    -If the certificate states an error in the subject, this may be the firewall alerting that there is an issue with the upstream connection. The text in the subject will usually give you more info.

    -If there is another device in front of or behind the firebox inspecting traffic, this may also cause an issue - check the documentation for that product for what to do.

    If you need to import the certificate from the firewall, see here:

    (Import a Certificate on a Client Device)

    It's worth noting that IMAP doesn't generally transport over port 443/tcp, so the log line may be related to something else.

    -James Carson
    WatchGuard Customer Support
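
The certificate check suggested in the reply above, as an added example that is not part of the original thread: it pulls the certificate the affected machine actually receives for `imap.gmail.com` and tests the issuer and subject for the two markers the reply names. Assumptions: the `openssl` CLI is installed, IMAP over TLS uses port 993, the function names are hypothetical, and the match on the words "proxy authority" follows the reply's wording rather than a known exact issuer string.

```shell
#!/bin/sh
# Added example: inspect the certificate presented to this client for IMAPS.

# classify_issuer CERT_NAMES_TEXT [FIREBOX_SERIAL]
# Prints: proxy-authority | firebox-serial | other
classify_issuer() {
    text=$1
    serial=${2:-}
    if printf '%s\n' "$text" | grep -qi 'proxy authority'; then
        echo proxy-authority      # content inspection is re-signing the session
    elif [ -n "$serial" ] && printf '%s\n' "$text" | grep -qiF -- "$serial"; then
        echo firebox-serial       # certificate generated by the Firebox itself
    else
        echo other                # read the subject line manually for an error text
    fi
}

# fetch_cert_names HOST [PORT]
# Prints the issuer= and subject= lines of the leaf certificate seen from here.
fetch_cert_names() {
    host=$1
    port=${2:-993}                # assumption: IMAP over TLS on 993
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -subject
}

# Usage: sh check_cert.sh imap.gmail.com [FIREBOX_SERIAL]
if [ "$#" -gt 0 ]; then
    names=$(fetch_cert_names "$1" 993) || { echo "no certificate received" >&2; exit 2; }
    printf '%s\n' "$names"
    echo "verdict: $(classify_issuer "$names" "${2:-}")"
fi
```

Running it once from behind the firewall and once from an outside network shows whether the issuer changes in between.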

  • Options is an amazonaws.com IP addr, so it is not likely to be a Gmail IP addr...

