Client can't connect from one site with Public-WiFi but can from others

Hi clever people. Could someone help me please?

Long story short we've got a T40 and a few sites. They all work spot on, apart from one council managed building which has a public wifi, and a gov wifi. Staff laptops connect to both SSIDs fine, and internet works. But then, when they try to connect to the VPN, the software shows "Waiting for connection. Waiting for the initial response from the server" and that's it, just sits there. I'm watching the firewall traffic at the same time, and it looks like it is connected, at our end, but it isn't at theirs.

Here are some snippets from the traffic log:-

2026-04-28 09:12:07 Deny 192.168.1.254 https/tcp 64223 443 External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 214 121 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 1849555725 win 65535"

2026-04-28 09:12:08 admd Authentication of Firewall user [STAFFMEMBER@Firebox-DB] from was accepted msg_id="1100-0004"

2026-04-28 09:12:08 sslvpn Mobile VPN with SSL user STAFFMEMBER logged in. Virtual IP address is . Real IP address is . msg_id="2500-0000"

In the last example, the IP address is blank; I haven't deleted it.

Many thanks in advance!

Comments

  • The blank IP addr is Known Issue FBX-27827
    Resolved In: Fireware v2026.2/v12.12

    "IP addresses missing from msg_id=2500-0000 log message"
    https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA1Vr0000008bIXKAY&lang=en_US

    Nothing else in Traffic Monitor for the logged in SSLVPN user?
    If not, try enabling logging on your Allow SSLVPN-Users policy or add a policy From: this userID To: whatever is desired, with Logging enabled.

  • And you should be able to see the logged in IP addr in the Web UI -> System Status -> Authentication List

  • Thanks Bruce, Emily has tried logging in from that particular site via gov wifi. She's the only one in the list who isn't being given an IP address, and her mobile VPN client window just pops back up asking for credentials.

    I've just enabled logging again

  • My best guess is that the gov wifi is doing Inspect or similar and modifying the HTTPS packets.
    Can she try using a different VPN connection type?

  • Hi Bruce, haven't tried a different VPN type - is it easy enough to set up?

  • Thanks, can this be run alongside the current SSL connections, or will everybody have to switch method?
  • You can have multiple client VPN types enabled on your firewall and on client PCs.
    I have SSLVPN, IKEv2 & (the old) IPSec set up on my firewall and have the clients set up on my laptop. I can use the one I want.

  • Many thanks, I will try and set it up this afternoon. I have no way of testing it until tomorrow, as they are only at that site in the morning, I have just found out.
  • Thanks Bruce, IKEv2 all set up and works fine for me. Will see what happens Tuesday when they next go to site
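
Added example, not part of the thread and not WatchGuard code: a small triage script for exported traffic-log text in the shape quoted in the original post. It lists each Mobile VPN with SSL login (msg_id 2500-0000), marks whether the Virtual/Real IP fields are empty, and counts "tcp syn checking failed" denies (msg_id 3000-0148) logged close to it. The OTHERUSER line, its addresses and the 5-second window are constructed assumptions, and the nearby-deny count is a triage hint only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: first three lines follow the thread's snippets, the
# fourth (OTHERUSER, documentation-range IPs) is invented as a normal login.
SAMPLE = """\
2026-04-28 09:12:07 Deny 192.168.1.254 https/tcp 64223 443 External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 214 121 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 1849555725 win 65535"
2026-04-28 09:12:08 admd Authentication of Firewall user [STAFFMEMBER@Firebox-DB] from was accepted msg_id="1100-0004"
2026-04-28 09:12:08 sslvpn Mobile VPN with SSL user STAFFMEMBER logged in. Virtual IP address is . Real IP address is . msg_id="2500-0000"
2026-04-28 09:30:41 sslvpn Mobile VPN with SSL user OTHERUSER logged in. Virtual IP address is 192.0.2.10. Real IP address is 198.51.100.7. msg_id="2500-0000"
"""

LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*?msg_id="(\d{4}-\d{4})".*)$')
LOGIN = re.compile(r"Mobile VPN with SSL user (\S+) logged in\. "
                   r"Virtual IP address is (\S*?)\. Real IP address is (\S*?)\. msg_id")

def parse(log_text):
    """Yield (timestamp, msg_id, message) for every line that carries a msg_id."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(3), m.group(2)

def triage(log_text, window_s=5):
    """Summarise SSL VPN logins: blank IP fields and SYN-check denies nearby."""
    events = list(parse(log_text))
    syn_fail = [ts for ts, mid, _ in events if mid == "3000-0148"]
    window = timedelta(seconds=window_s)
    findings = []
    for ts, mid, msg in events:
        m = LOGIN.search(msg) if mid == "2500-0000" else None
        if not m:
            continue
        user, vip, rip = m.groups()
        findings.append({
            "user": user,
            "time": ts.isoformat(sep=" "),
            "ips_missing": not (vip and rip),  # empty fields, as in the thread
            "syn_check_denies_nearby": sum(1 for d in syn_fail if abs(ts - d) <= window),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On firmware older than the "Resolved In" version given above, empty IP fields in 2500-0000 entries match Known Issue FBX-27827, so confirm the assigned address in the Authentication List rather than from this flag.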
