VPN with SSL couldn't read configuration

Hi all,

I am trying to connect with the WG SSL mobile client 12.2 to my Firebox XTM 515 with the latest firmware, but every time I get a message "watchguard firebox ssl could not read configuration".

Mobile IPSec is working well in my case.

Please advise.

Thanks.

Comments

  • Latest firmware for an XTM 515 meaning Fireware v12.1.3 Update 3?

    Could be that the connection is not actually making it to your firewall or that your UserID/password is not correct.

    What do you see in Traffic Monitor when this access is tried?

    You can turn on diagnostic logging for SSLVPN which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • james.carson Moderator, WatchGuard Representative

    Do you have anything running on port 443 (https) other than your SSLVPN, or did you change the port number for the SSLVPN?

    If so, you'll need to specify the right port like
    vpn.example.com:444

    If you're still unable to get this to work, creating a support case is probably your best bet, so that one of our technicians can help.

    -James Carson
    WatchGuard Customer Support
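    A small diagnostic for the point James makes, added here as an example and not WatchGuard's own code: it parses the client's Server field the way this thread needed it (hostname with an optional :port, defaulting to 443) and then tries a TCP connect and TLS handshake, so a missing or wrong port shows up as a refused connection or a timeout instead of an opaque client error. vpn.example.com and port 442 are the thread's values; the function names and the status dict are my own.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_SSLVPN_PORT = 443  # Firebox SSLVPN default; the thread's firewall was moved to 442


def parse_server(spec: str, default_port: int = DEFAULT_SSLVPN_PORT) -> tuple[str, int]:
    """Split a client 'Server' field into (host, port).

    Accepts 'vpn.example.com', 'vpn.example.com:442' or 'https://vpn.example.com:442/'.
    A missing port falls back to the default, which is exactly the mistake in this thread.
    """
    if "://" not in spec:
        spec = "//" + spec  # let urlsplit treat the string as a netloc
    parts = urlsplit(spec)
    if not parts.hostname:
        raise ValueError(f"no host in {spec!r}")
    return parts.hostname, parts.port or default_port


def probe_sslvpn(host: str, port: int, timeout: float = 5.0) -> dict:
    """Try a TCP connect and a TLS handshake, the first thing the mobile client must
    do before it can download its configuration. Returns a status dict instead of
    raising, so each failure mode is reported distinctly."""
    ctx = ssl.create_default_context()
    # Fireboxes often present a self-signed or private-CA certificate; here we only
    # want to know whether a TLS service answers, not whether the chain validates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
    except ConnectionRefusedError:
        result["error"] = "connection refused (nothing listening on this port)"
    except socket.timeout:
        result["error"] = "timeout (port filtered, or traffic not reaching the firewall)"
    except ssl.SSLError as exc:  # must precede OSError, of which it is a subclass
        result["error"] = f"TLS handshake failed: {exc.reason}"
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py vpn.example.com:442
    host, port = parse_server(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com:442")
    print(probe_sslvpn(host, port))
```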

  • @Bruce_Briggs said:
    Latest firmware for an XTM 515 meaning Fireware v12.1.3 Update 3?

    Could be that the connection is not actually making it to your firewall or that your UserID/password is not correct.

    What do you see in Traffic Monitor when this access is tried?

    You can turn on diagnostic logging for SSLVPN which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    By latest firmware I mean exactly what you wrote, 12.1.3U3.
    The connection was directly to my firewall and I used the correct user/pass (the same user works on IPSec with the ShrewSoft client).

    The problem was with a different SSL port: I had changed the default 443 -> 442 because of a collision with HTTPS. Now everything works well.

  • @James_Carson said:
    Do you have anything running on port 443 (https) other than your SSLVPN, or did you change the port number for the SSLVPN?

    If so, you'll need to specify the right port like
    vpn.example.com:444

    If you're still unable to get this to work, creating a support case is probably your best bet, so that one of our technicians can help.

    As I already said to Bruce, the problem was that I didn't fill in the port at the end (:442). Thanks for the valuable advice!!

  • Hi guys,

    I have another question after all: how do I enable more subnets through the SSL tunnel? With the IPSec VPN connection it works, as there are Branch Office Tunnels defined for IPSec, but if I try to "Specify allowed resources" in Mobile VPN/SSL, it doesn't work.

    Any help will be appreciated.

    Thanks.

  • If your goal is to route SSLVPN traffic over a BOVPN, then you need to add the SSLVPN subnet to your BOVPN Tunnel settings.
    BOVPN Tunnel settings identify what packets will be routed through the BOVPN.

  • I have added the SSLVPN subnet to all the tunnel routes I need, but it still doesn't work.

  • Please explain where the subnets are that you cannot access with an SSLVPN session.
    Do you have the "Routed VPN traffic" option selected and the "Force all client traffic through tunnel" check box selected in your SSLVPN setup on your firewall?
    You should have both of these selected.

    Debugging help:
    - You can turn on Logging on the WG SSLVPN policy to see packets allowed by this policy in Traffic Monitor.
    - Do a traceroute from your SSLVPN client to the problem subnets and post the results. A traceroute will show the path that packets take.

  • Yes, I am using routed VPN traffic and I tried all the options (force/allow networks/specify resources), but none of them has worked.

    These subnets are specified in the BO-Tunnels and all subnet routes are configured inside them. These BO-Tunnels are added in the BOVPN-Allow policies and they work through the IPSec connection.
