Mobile VPN IPSec on Fireware 12.1.3 Firebox T30-W: connection OK, but no network access.
Everything running perfectly for 7 years. Have to replace faulty Win Server 2016 with same config. All internal traffic OK. But when using Shrew VPN or WatchGuard Mobile, connection, login OK but no networking, resources or access to internal network. Help appreciated. Thanks
Comments
Check your AD connection from the firewall.
Seems like it is being denied
Thanks Bruce. Seems something with firewall policies. I have to reach the server at local IP 192.168.0.10. This is the ShrewVPN log:
25/05/25 09:58:31 K< : recv GETSPI ESP pfkey message
25/05/25 09:58:31 ii : allocated spi for ESP sa
25/05/25 09:58:31 ii : - spi = 0xaaf52c18
25/05/25 09:58:31 ii : - src = 96.69.42.241:4500
25/05/25 09:58:31 ii : - dst = 192.168.1.54:4500
25/05/25 09:58:31 DB : sa ref increment ( ref count = 1, sa count = 0 )
25/05/25 09:58:31 DB : sa added
25/05/25 09:58:31 DB : sa ref increment ( ref count = 2, sa count = 1 )
25/05/25 09:58:31 DB : sa ref decrement ( ref count = 1, sa count = 1 )
25/05/25 09:58:31 K> : sent GETSPI ESP pfkey message
25/05/25 09:58:31 K> : sent GETSPI ESP pfkey message
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 ii : inspecting ARP request ...
25/05/25 09:58:31 DB : policy not found
25/05/25 09:58:31 ii : ignoring ARP request for 192.168.1.1, no policy found
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy ref increment ( ref count = 2, policy count = 6 )
25/05/25 09:58:31 ii : queueing ip packet
25/05/25 09:58:31 DB : policy ref decrement ( ref count = 1, policy count = 6 )
25/05/25 09:58:31 ii : inspecting ARP request ...
25/05/25 09:58:31 DB : policy found
25/05/25 09:58:31 DB : policy not found
25/05/25 09:58:31 ii : spoofing ARP response for 192.168.0.10
First:
Shrewsoft hasn't been developed for many years (the last update was in 2013).
Fireware 12.1.3 is from May 2018.
Fireware specifically has a patch available for an issue referred to as Cyclops Blink. You can find more information at https://detection.watchguard.com
(Fireware 12.5.9 Update 2 Release notes)
https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_5_9/index.html#Fireware/en-US/introduction.html
(Fireware 12.5.9 Update 2 for WSM install)
https://cdn.watchguard.com/SoftwareCenter/Files/XTM/12_5_9_U2/Firebox_OS_T30_T50_12_5_9_U2.exe
(Fireware 12.5.9 Update 2 for WebUI install)
https://cdn.watchguard.com/SoftwareCenter/Files/XTM/12_5_9_U2/Firebox_T30_T50_12_5_9_U2.zip
With that out of the way, if replacing the AD server is what broke your VPN, then authentication is likely not working. Look for logs with the "admd" process in them, they'll likely provide more information. If you see something along the lines of "acceptsecuritycontexterror" in your logs, it's very likely your AD server denying the authentication.
-James Carson
WatchGuard Customer Support
Thanks James! Tried to update the firmware, but no luck. My Firebox T30-W won't accept it. We are replacing it on Wednesday. I know about the old ShrewVPN, but it's the same with WatchGuard Mobile.
2025-05-25 14:28:03 Deny 192.168.0.10 255.255.255.255 bootpc/udp 67 68 0-Macho-UHY Firebox Denied 351 128 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2025-05-25 14:28:04 Deny 192.168.111.16 192.168.0.10 dns/udp 61006 53 0-External 0-Macho-UHY Denied 69 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:04 Deny 192.168.111.16 192.168.0.10 dns/udp 62821 53 0-External 0-Macho-UHY Denied 61 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:04 Deny 192.168.111.16 192.168.0.10 dns/udp 54857 53 0-External 0-Macho-UHY Denied 64 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:05 Deny 192.168.111.16 8.8.8.8 dns/udp 62821 53 0-External 0-External Denied 61 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:05 Deny 192.168.111.16 8.8.8.8 dns/udp 54857 53 0-External 0-External Denied 64 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:05 Deny 192.168.111.16 8.8.8.8 dns/udp 63330 53 0-External 0-External Denied 71 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:06 Allow 192.168.0.254 192.168.0.30 ssh/tcp 50942 22 Firebox 0-Macho-UHY Allowed 52 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 1627959606 win 29200"
2025-05-25 14:28:11 Deny 192.168.111.16 192.168.0.10 dns/udp 49710 53 0-External 0-Macho-UHY Denied 66 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:11 Deny 192.168.111.16 192.168.0.10 dns/udp 52803 53 0-External 0-Macho-UHY Denied 61 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:11 Deny 192.168.111.16 192.168.0.10 dns/udp 61638 53 0-External 0-Macho-UHY Denied 62 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:12 Deny 192.168.111.16 8.8.8.8 dns/udp 49710 53 0-External 0-External Denied 66 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:12 Deny 192.168.111.16 8.8.8.8 dns/udp 61638 53 0-External 0-External Denied 62 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:12 Deny 192.168.111.16 8.8.8.8 dns/udp 52803 53 0-External 0-External Denied 61 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:12 Deny 192.168.111.16 192.168.0.10 dns/udp 54361 53 0-External 0-Macho-UHY Denied 62 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:12 Deny 192.168.111.16 192.168.0.10 dns/udp 49682 53 0-External 0-Macho-UHY Denied 87 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:13 Allow 192.168.0.10 192.175.48.1 dns/udp 54624 53 0-Macho-UHY 0-External Allowed 163 127 (DNS-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="96.69.42.241"
2025-05-25 14:28:13 Deny 192.168.111.16 192.168.0.10 dns/udp 50886 53 0-External 0-Macho-UHY Denied 70 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:13 Deny 192.168.111.16 8.8.8.8 dns/udp 54361 53 0-External 0-External Denied 62 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:13 Deny 192.168.111.16 8.8.8.8 dns/udp 49682 53 0-External 0-External Denied 87 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:14 Deny 192.168.111.16 8.8.8.8 dns/udp 50886 53 0-External 0-External Denied 70 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:14 Deny 162.62.58.193 96.69.42.241 icmp 0-External Firebox Denied 48 242 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2025-05-25 14:28:16 Deny 192.168.111.16 192.168.0.10 dns/udp 64275 53 0-External 0-Macho-UHY Denied 66 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:16 Deny 192.168.111.16 192.168.0.10 dns/udp 63105 53 0-External 0-Macho-UHY Denied 62 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
Mobile VPN IPSec log:
25/05/2025 18:56:41 - Authentication=XAUTH_INIT_PSK,Encryption=AES,Hash=SHA_256,DHGroup=14,KeyLen=256
25/05/2025 18:56:41 - Ike: VPN - ARG2 ->Support for NAT-T version - 2
25/05/2025 18:56:41 - Ike: Turning on NATD mode - VPN - ARG2 - 1
25/05/2025 18:56:41 - IPSec: set_local_properties, adapterindex=201,ikelocalip=192.168.1.54
25/05/2025 18:56:41 - IPSec: Final Tunnel EndPoint is=96.69.42.241
25/05/2025 18:56:41 - Ike: ike_phase1:recv_id:ID_IPV4_ADDR:pid=0,port=0,96.69.42.241
25/05/2025 18:56:41 - Ike: ConRef=4, XMIT_MSG3_AGGRESSIVE, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:41 - Ike: IkeSa1 negotiated with the following properties -
25/05/2025 18:56:41 - Authentication=XAUTH_INIT_PSK,Encryption=AES,Hash=SHA_256,DHGroup=14,KeyLen=256
25/05/2025 18:56:41 - Ike: Turning on DPD mode - VPN - ARG2
25/05/2025 18:56:41 - Ike: phase1:name(VPN - ARG2) - connected
25/05/2025 18:56:41 - SUCCESS: IKE phase 1 ready
25/05/2025 18:56:41 - IPSec: Phase1 is Ready,AdapterIndex=201,IkeIndex=4,LocTepIpAdr=192.168.1.54,AltRekey=1
25/05/2025 18:56:41 - Ike: ConRef=4, RECV_XAUTH_REQUEST, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:41 - Ike: ConRef=4, XMIT_XAUTH_REPLY, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:43 - IkeCfg: RECV_IKECFG_SET - VPN - ARG2
25/05/2025 18:56:43 - IkeCfg: XMIT_IKECFG_ACK - VPN - ARG2
25/05/2025 18:56:43 - Ike: ConRef=4, RECV_XAUTH_SET, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:43 - Ike: ConRef=4, XMIT_XAUTH_ACK, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:43 - IkeCfg: name - IkeXauth: enter state open
25/05/2025 18:56:43 - SUCCESS: Ike Extended Authentication is ready
25/05/2025 18:56:44 - IPSec: Quick Mode is Ready: IkeIndex=4,VpnSrcPort=10954
25/05/2025 18:56:44 - IPSec: Assigned IP Address:IPv4=192.168.11.3,IPv6=0.0.0.0
25/05/2025 18:56:44 - IPSec: Assigned IP Network Mask:IPv4=255.255.255.0,IPv6=0.0.0.0
25/05/2025 18:56:44 - IPSec: Gateway IP Address:IPv4=0.0.0.0,IPv6=0.0.0.0
25/05/2025 18:56:44 - IPSec: Primary DNS Server: 192.168.0.10
25/05/2025 18:56:44 - IPSec: Secondary DNS Server: 8.8.8.8
25/05/2025 18:56:44 - IPSec: Primary WINS Server: 192.168.0.10
25/05/2025 18:56:44 - IPSec: Secondary WINS Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Primary NCP SEM Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Secondary NCP SEM Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Primary DNS6 Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Secondary DNS6 Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Primary NCP SEM6 Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Secondary NCP SEM6 Server: 0.0.0.0
25/05/2025 18:56:44 - IPSec: Domain is: MACHOASOCIADOS.local
25/05/2025 18:56:44 - IkeQuick: ike_phase2:send_id1:ID_IPV4_ADDR:pid=0,port=0,192.168.11.3
25/05/2025 18:56:44 - IkeQuick: ike_phase2:send_id2:ID_IPV4_ADDR_SUBNET:pid=0,port=0,0.0.0.0 - 0.0.0.0
25/05/2025 18:56:44 - Ike: ConRef=4, XMIT_MSG1_QUICK, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:45 - IkeQuick: Received Notify(VPN - ARG2) -> remote is reducing LifeTime to 28800
25/05/2025 18:56:45 - Ike: ConRef=4, RECV_MSG2_QUICK, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:45 - IkeQuick: Turning on PFS mode(VPN - ARG2) with group 14
25/05/2025 18:56:45 - IkeQuick: ike_phase2:recv_id1:ID_IPV4_ADDR:pid=0,port=0,192.168.11.3
25/05/2025 18:56:45 - IkeQuick: ike_phase2:recv_id2:ID_IPV4_ADDR_SUBNET:pid=0,port=0,0.0.0.0 - 0.0.0.0
25/05/2025 18:56:45 - Ike: ConRef=4, XMIT_MSG3_QUICK, name=VPN - ARG2, vpngw=96.69.42.241:4500
25/05/2025 18:56:45 - IkeQuick: phase2:name(VPN - ARG2) - connected
25/05/2025 18:56:45 - SUCCESS: Ike phase 2 (quick mode) ready
25/05/2025 18:56:45 - IPSec: Conref=4, Created an IPSEC SA with the following characteristics
25/05/2025 18:56:45 - Gateway=96.69.42.241,NatdMode=1,Roamingcon=0
25/05/2025 18:56:45 - srcranges=[192.168.11.3:0-192.168.11.3:65535],
25/05/2025 18:56:45 - dstranges=[0.0.0.0:0-255.255.255.255:65535],
25/05/2025 18:56:45 - IPSec:ConRef=4 connected: Effective ESP LifeDuration in Seconds = 20160 and in KiloBytes = 0,Effective IKE lifetime=20156
25/05/2025 18:56:45 - IPSec: Connected to VPN - ARG2 on channel 1.
25/05/2025 18:56:45 - ncpadapter: set IP adapter properties
25/05/2025 18:56:45 - ncpadapter: set ipv4 properties,ip4adr=192.168.11.3,ip4selneg=1
25/05/2025 18:56:45 - ncpadapter: set_ip4_properties, manual=0
25/05/2025 18:56:45 - System: Setting NCP virtual adapter linkstatus=1,laststate=0.
25/05/2025 18:56:45 - System: Setting NCP virtual adapter linkstatus=1,laststate=1.
25/05/2025 18:56:45 - PPP(Ipcp): connected to VPN - ARG2 with IP Address: 192.168.11.3
25/05/2025 18:56:45 - SUCCESS: IpSec connection ready
25/05/2025 18:56:45 - ipdhcp: xmit response,f_param.yiaddr=192.168.11.3
25/05/2025 18:56:45 - ipdhcp: xmit response,f_param.yiaddr=192.168.11.3
25/05/2025 18:56:45 - Link: dhcp ack sent
25/05/2025 18:56:46 - DhcpV6: received MSG_CONFIRM, adapterstate=2
25/05/2025 18:56:47 - DhcpV6: received MSG_CONFIRM, adapterstate=2
25/05/2025 18:56:47 - Link: iphlp_renew_done
25/05/2025 18:56:47 - SUCCESS: Link -> IP address assigned to IP stack - link is operational.
25/05/2025 18:56:47 - osspecific_add_dns: cmdline=netsh interface ipv4 add dnsservers 11 192.168.0.10 validate=no
25/05/2025 18:56:47 - osspecific_add_dns: cmdline=netsh interface ipv4 add dnsservers 11 8.8.8.8 validate=no
25/05/2025 18:56:47 - INFO - MONITOR: Connected -> VPN - ARG2
25/05/2025 18:56:47 - INFO - MONITOR: Media=Wi-Fi, Tx=7704 Byte, Rx=0 Byte
25/05/2025 18:56:48 - INFO - MONITOR: SSID=
25/05/2025 18:56:48 - DhcpV6: received MSG_CONFIRM, adapterstate=2
25/05/2025 18:56:50 - osspecific_add_dns: cmdline=netsh interface ipv4 add dnsservers 11 192.168.0.10 validate=no
25/05/2025 18:56:50 - osspecific_add_dns: cmdline=netsh interface ipv4 add dnsservers 11 8.8.8.8 validate=no
25/05/2025 18:56:53 - DhcpV6: received MSG_SOLICIT, adapterstate=2
25/05/2025 18:56:54 - DhcpV6: received MSG_REQUEST, adapterstate=2
25/05/2025 18:57:04 - Ike: ConRef=4, NOTIFY : VPN - ARG2 : SENT : NOTIFY_MSG_R_U_HERE : 36136
25/05/2025 18:57:04 - Ike: ConRef=4, NOTIFY : VPN - ARG2 : RECEIVED : NOTIFY_MSG_R_U_HERE_ACK : 36137
@matias25
The "Unhandled MUVPN Packet.in-00" means that the firewall is not getting the user's group back from your authentication server or the user has the wrong IPSec profile selected in their VPN client.
Whatever the profile name is for your VPN should match the group name in AD. Make sure that your user is a member of that security group.
You can use the server connection tool in the WebUI to see if you're getting group information back from your AD server:
(Server Connection)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-US/Fireware/system_status/test_server_connection_web.html
-James Carson
WatchGuard Customer Support
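An added example, not code from the thread or from WatchGuard: a small Python parser for the Fireware traffic-log format posted above that isolates the "Unhandled MUVPN Packet" denies per authenticated user, which is the pattern James describes (user authenticated, src_user filled in, but no policy matched the tunnel traffic). The field names are my own assumptions; the sample lines are copied from the Firebox log earlier in the thread.

```python
import re
from collections import Counter

# Fireware traffic-log layout, as in the thread above:
#  <date> <time> <Allow|Deny> <src> <dst> <service> [<sport> <dport>] <src-iface> <dst-iface>
#  <Allowed|Denied> <len> <ttl> (<policy name>) key="value" ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<service>\S+) (?:(?P<sport>\d+) (?P<dport>\d+) )?(?P<src_if>\S+) (?P<dst_if>\S+) '
    r'(?P<disposition>Allowed|Denied) (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
MUVPN_UNHANDLED = "Unhandled MUVPN Packet"  # policy name Fireware logs when no policy matched

# Sample input: five lines copied from the Firebox log posted in the thread.
SAMPLE_LOG = """\
2025-05-25 14:28:03 Deny 192.168.0.10 255.255.255.255 bootpc/udp 67 68 0-Macho-UHY Firebox Denied 351 128 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2025-05-25 14:28:04 Deny 192.168.111.16 192.168.0.10 dns/udp 61006 53 0-External 0-Macho-UHY Denied 69 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:11 Deny 192.168.111.16 192.168.0.10 dns/udp 49710 53 0-External 0-Macho-UHY Denied 66 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:05 Deny 192.168.111.16 8.8.8.8 dns/udp 62821 53 0-External 0-External Denied 61 63 (Unhandled MUVPN Packet.in-00) proc_id="firewall" rc="101" msg_id="3000-0148" src_user="Administrator@machoasociados.local"
2025-05-25 14:28:14 Deny 162.62.58.193 96.69.42.241 icmp 0-External Firebox Denied 48 242 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
"""

def parse_line(line):
    """Split one traffic-log line into named fields plus its key="value" pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("kv")))  # src_user, proc_id, msg_id, ...
    return rec

def muvpn_findings(text):
    """Count denied Mobile VPN packets per (authenticated user, destination, service)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["policy"].startswith(MUVPN_UNHANDLED):
            hits[(rec.get("src_user", "<no user>"), rec["dst"], rec["service"])] += 1
    return hits

def report(text):
    """Human-readable summary; a hit with src_user set means the user did authenticate."""
    out = [f"{user}: {n} x {svc} to {dst} matched no policy"
           for (user, dst, svc), n in sorted(muvpn_findings(text).items())]
    if out:
        out.append("-> check that the VPN profile name matches the AD group and the user is a member")
    return out
```

Feed it the output of the Firebox traffic log (Traffic Monitor export or syslog) and a non-empty report points at the group/profile mismatch rather than at routing.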
James, that was it!!! Many thanks. Genius! Regards.