SSL VPN Stuck on TCP_CONNECT
Hi all,
Our customer's internet went down today, so they rebooted the WatchGuard. Since then I can't VPN in via the Mobile VPN with SSL client. It looks like it's going to connect and then says "Connecting..." and just loops, logs below:
2024-08-09T17:36:09.380 OVPN:>LOG:1723221369,I,TCP connection established with [AF_INET]x.x.x.x:446
2024-08-09T17:36:09.381 OVPN:>LOG:1723221369,I,TCP_CLIENT link local: (not bound)
2024-08-09T17:36:09.386 OVPN:>LOG:1723221369,I,TCP_CLIENT link remote: [AF_INET]x.x.x.x:446
2024-08-09T17:36:09.388 OVPN:>LOG:1723221369,,MANAGEMENT: >STATE:1723221369,WAIT,,,,,,
2024-08-09T17:36:09.391 OVPN:>STATE:1723221369,WAIT,,,,,,
2024-08-09T17:36:09.632 OVPN:>LOG:1723221369,,MANAGEMENT: >STATE:1723221369,AUTH,,,,,,
2024-08-09T17:36:09.634 OVPN:>STATE:1723221369,AUTH,,,,,,
2024-08-09T17:36:09.639 OVPN:>LOG:1723221369,,TLS: Initial packet from [AF_INET]x.x.x.x:446, sid=f193e150 255a05b2
2024-08-09T17:36:09.723 OVPN:>LOG:1723221369,,VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN XXX 2022-09-14 14:33:52 UTC) CA
2024-08-09T17:36:09.723 OVPN:>LOG:1723221369,,Validating certificate extended key usage
2024-08-09T17:36:09.725 OVPN:>LOG:1723221369,,++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-09T17:36:09.726 OVPN:>LOG:1723221369,,VERIFY EKU OK
2024-08-09T17:36:09.728 OVPN:>LOG:1723221369,,VERIFY X509NAME OK: O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2024-08-09T17:36:09.729 OVPN:>LOG:1723221369,,VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2024-08-09T17:36:09.880 OVPN:>LOG:1723221369,N,Connection reset, restarting [0]
2024-08-09T17:36:09.884 OVPN:>LOG:1723221369,I,SIGUSR1[soft,connection-reset] received, process restarting
2024-08-09T17:36:09.885 OVPN:>LOG:1723221369,,MANAGEMENT: >STATE:1723221369,RECONNECTING,connection-reset,,,,,
2024-08-09T17:36:09.886 Reconnecting, reset the wait for connection timer
2024-08-09T17:36:09.888 OVPN:>STATE:1723221369,RECONNECTING,connection-reset,,,,,
2024-08-09T17:36:09.889 OVPN:>HOLD:Waiting for hold release:20
2024-08-09T17:36:09.957 OVPN:>LOG:1723221369,D,MANAGEMENT: CMD ''
2024-08-09T17:36:09.959 OVPN:>LOG:1723221369,D,MANAGEMENT: CMD 'hold release'
2024-08-09T17:36:09.962 OVPN:SUCCESS: hold release succeeded
2024-08-09T17:36:09.968 OVPN:>LOG:1723221369,I,TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:446
2024-08-09T17:36:09.972 OVPN:>LOG:1723221369,,Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-08-09T17:36:09.976 OVPN:>LOG:1723221369,I,Attempting to establish TCP connection with [AF_INET]x.x.x.x:446 [nonblock]
2024-08-09T17:36:09.980 OVPN:>LOG:1723221369,,MANAGEMENT: >STATE:1723221369,TCP_CONNECT,,,,,,
2024-08-09T17:36:09.982 OVPN:>STATE:1723221369,TCP_CONNECT,,,,,,
Any ideas? It's a T80.
They have a modem/router from their ISP in front of the WatchGuard; I've power-cycled this too but no joy.
Thanks
Rob
Comments
I can't provide watchguard traffic monitor logs until Monday when I can remote into a PC there.
I can see these errors, certificate problem? Any ideas how I can fix this:
1970-01-02 03:43:17 sslvpn (sslvpn) depth=1, subject=O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN C03807315644A 2022-09-14 14:33:52 UTC) CA: The certificate validity starts in the future
1970-01-02 03:43:17 sslvpn (sslvpn) depth=0, subject=O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Client: The certificate validity starts in the future
1970-01-02 03:43:17 sslvpn (sslvpn) read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
I'm assuming this is the issue but not sure how to fix.
Am I supposed to buy a certificate for WatchGuard T80 devices? Or are they included for the SSL VPN? I know the web interface uses a self-signed certificate. How does the SSL VPN one work?
Review this:
Regenerate new certificates for Mobile VPN with SSL
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3EdSAI&lang=en_US
@Bruce_Briggs I found the issue but have no idea why it happened. It appears the customer restarted the device to try and get the internet back. However, the system time and date were somehow reset to 1970! I just figured that out by looking at the Traffic logs, which were dated and timed incorrectly. I downloaded WatchGuard System Manager and did a Time Sync, which has fixed the issue. Is this normal? Will I need to resync time after each reboot? Seems odd to me.
VPN is working now but in System Manager Details area it says:
Config Updated: 05:06GMT 1/2/70
So the config update date is still wrong?
I'm also getting Warnings on the right about Antivirus and Botnet signature versions.
Any ideas what is going on with the whole date thing? Do I somehow need to keep this device in sync with my PC?
Thanks!
Rob
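To make the failure pattern in this thread easy to recognise in future, here is an added triage helper (not from the thread, and not WatchGuard's code) that runs over constructed lines modelled on the two logs posted: the client-side OpenVPN log and the firewall's sslvpn log. The CA notBefore value is assumed from the date embedded in the CA's CN, and the year cutoff for "clock never set" is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the two log formats in the thread (OpenVPN-based
# client log and the firewall's sslvpn log); these are not the poster's actual logs.
CLIENT_LOG = """\
2024-08-09T17:36:09.729 OVPN:>LOG:1723221369,,VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2024-08-09T17:36:09.880 OVPN:>LOG:1723221369,N,Connection reset, restarting [0]
2024-08-09T17:36:09.982 OVPN:>STATE:1723221369,TCP_CONNECT,,,,,,
2024-08-09T17:36:12.100 OVPN:>LOG:1723221372,N,Connection reset, restarting [0]
2024-08-09T17:36:12.200 OVPN:>STATE:1723221372,TCP_CONNECT,,,,,,
"""
FIREWALL_LOG = """\
1970-01-02 03:43:17 sslvpn (sslvpn) depth=0, subject=O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Client: The certificate validity starts in the future
1970-01-02 03:43:17 sslvpn (sslvpn) read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
"""
# Assumed notBefore of the SSL VPN CA, taken from the date printed in its CN in the thread.
CA_NOT_BEFORE = datetime(2022, 9, 14, 14, 33, 52, tzinfo=timezone.utc)
FIREWALL_CLOCK = datetime(1970, 1, 2, 3, 43, 17, tzinfo=timezone.utc)  # the firewall's reset clock
EPOCH_YEAR_CUTOFF = 2000  # assumption: a firewall timestamp before this year means the clock was never set

def cert_status(not_before: datetime, now: datetime) -> str:
    """The firewall only compares the validity window with its own clock, so a clock that has
    reset to 1970 makes an otherwise good certificate look 'not yet valid'."""
    return "not yet valid" if now < not_before else "valid"

def client_reset_loop(log: str) -> dict:
    """Count reconnect cycles: server cert verified OK, then 'Connection reset', then TCP_CONNECT again."""
    lines = log.splitlines()
    verified = any("VERIFY OK: depth=0" in ln for ln in lines)
    resets = sum("Connection reset, restarting" in ln for ln in lines)
    reconnects = sum(">STATE:" in ln and ",TCP_CONNECT," in ln for ln in lines)
    return {"server_cert_verified": verified, "resets": resets, "reconnects": reconnects,
            "looping": verified and resets >= 2 and reconnects >= 2}

def firewall_clock_findings(log: str) -> dict:
    """Flag a not-yet-valid client certificate together with a firewall clock stuck near the epoch."""
    epoch_clock = cert_future = False
    for ln in log.splitlines():
        m = re.match(r"(\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2} sslvpn", ln)
        if m:
            epoch_clock |= int(m.group(1)) < EPOCH_YEAR_CUTOFF
            cert_future |= "certificate validity starts in the future" in ln
    cause = "firewall clock reset; enable NTP and resync time" if epoch_clock and cert_future else None
    return {"epoch_clock": epoch_clock, "cert_not_yet_valid": cert_future, "likely_cause": cause}

if __name__ == "__main__":
    print(cert_status(CA_NOT_BEFORE, FIREWALL_CLOCK))
    print(client_reset_loop(CLIENT_LOG))
    print(firewall_clock_findings(FIREWALL_LOG))
```

The client log alone only shows "verified, then reset" cycling; the firewall log is what ties it to the clock, which is why both sides are worth checking together.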
NTP enabled?
Enable NTP and Configure NTP Servers
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/NTP_server_enable_add_c.html
Could be related to the need to reboot the ISP router.
However, if NTP is enabled on the firewall, it should get the correct date/time eventually, once it has Internet access and has available NTP servers to query.
@Bruce_Briggs thanks, NTP was not ticked, no idea why, but I have now ticked it. Do I need to worry about the configuration file date that said 1970, or the botnet/antivirus definitions being out of date? I guess they will auto download/update.
I have my signature auto-update set to 2 hours.
But, I often see that there is an available signature update. I just ignore it as it will be updated within 2 hours.
Once your firewall has the correct date/time, and the end PC has the correct time, save configs should end up with the correct date/time.
Thanks for all your help, Bruce.