VPN SSL cannot stabilize in VMWare

Hello everyone, I am testing a "virtual machine" based firewall with VMWare Workstation FireboxV_12_5_4 with 2 External and Trusted network cards. I have access to the firewall from a client computer from System Manager without problem, Internet browsing without problem.

I have configured an SSL VPN and I cannot stabilize the VPN connection in the virtual machines by pointing to the External IP 192.168.1.200.
It performs the validation of the VPN user correctly, but in the logs it denies the SYN packet:

2020-08-19 14:14:40 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 56 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic

2020-08-19 14:14:40 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 56 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic

2020-08-19 14:14:42 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 72 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic

Any recommendation?

Thank you!

Comments

  • james.carson Moderator, WatchGuard Representative
    edited August 2020

    Hi @Deivid

    VMWare workstation isn't a supported hypervisor, so the firewall may behave unexpectedly. "Syn check" means that the firewall is receiving TCP traffic out of order, or it's missing parts of the conversation (TCP requires a SYN, SYN/ACK, ACK to start, and a FIN, FIN/ACK, FIN to close.) If we're receiving these out of order, or getting traffic for a connection that was never opened, it may not all be being sent to the firewall via the unsupported hypervisor.

    If you're looking to test, VMWare ESX 6 and 7 are free of charge for the base hypervisor license, and are supported -- I'd suggest starting there.

    -James Carson
    WatchGuard Customer Support
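    A quick way to check what James describes from the logs themselves is to group the "tcp syn checking failed" denies per flow and look at which TCP flags the firewall actually saw. The following Python script is an added example, not code from the thread or from WatchGuard; the field layout in the regex is assumed from the three log lines quoted above, and the fourth (Allow) line and its policy name are constructed to show the contrast with a flow whose SYN the firewall did see.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the Firebox traffic log lines quoted in
# the thread. The three Deny lines reproduce the quoted format; the Allow line
# (and its "SSLVPN-Test" policy name) is constructed for contrast.
SAMPLE_LOG = """\
2020-08-19 14:14:40 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 56 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic
2020-08-19 14:14:40 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 56 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic
2020-08-19 14:14:42 Deny 192.168.1.205 192.168.1.200 https/tcp 49678 443 0-External Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 72 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 2580218775 win 61690" Traffic
2020-08-19 14:15:01 Allow 192.168.1.205 192.168.1.200 https/tcp 49690 443 0-External Firebox Allowed 60 128 (SSLVPN-Test) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 10 S 1234567890 win 64240" Traffic
"""

# Field layout assumed from the quoted lines: timestamp, action, src, dst,
# service/proto, sport, dport, in-interface, out-interface, free-text reason,
# length, ttl, (policy), key="value" pairs, trailing "Traffic" tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+) "
    r"(?P<reason>.+?) "
    r"(?P<length>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]*)\) "
    r"(?P<kv>.*?) Traffic$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# tcp_info is assumed to read: offset <n> <flag letters> <seq> win <size>
TCP_INFO_RE = re.compile(r"offset (\d+) (\S+) (\d+) win (\d+)")


def parse_line(line):
    """Parse one Firebox traffic log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv")))
    rec["tcp_flags"] = None
    ti = TCP_INFO_RE.match(rec["fields"].get("tcp_info", ""))
    if ti:
        rec["tcp_flags"] = ti.group(2)  # e.g. "S" for SYN, "A" for ACK
    return rec


def is_syn_check_failure(rec):
    """True for the deny reason quoted in the thread."""
    return rec["action"] == "Deny" and rec["reason"].startswith("tcp syn checking failed")


def summarize_syn_check_failures(log_text):
    """Group SYN-check denies by (src, dst, dport) so a repeating flow stands out."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_syn_check_failure(rec):
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        entry = flows.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"],
                                       "flags": set(), "sports": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["flags"].add(rec["tcp_flags"])
        entry["sports"].add(rec["sport"])
    return flows


def diagnose(entry):
    """Verdict for one flow: did the firewall ever see a SYN for it?"""
    seen = "".join(f or "" for f in entry["flags"])
    if "S" in seen:
        return "SYN seen: SYN checking is not the cause, look at policy and NAT"
    # Only ACK/FIN/RST ever arrived: the handshake took another path or was
    # dropped before the firewall, so fix the path rather than the check.
    return "handshake never reached the firewall: check path/hypervisor networking before disabling SYN checking"


if __name__ == "__main__":
    for (src, dst, dport), e in summarize_syn_check_failures(SAMPLE_LOG).items():
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{src} -> {dst}:{dport} denies={e['count']} over {span:.0f}s "
              f"flags={sorted(e['flags'])} -> {diagnose(e)}")
```

    Run against the quoted lines this reports one flow, 192.168.1.205 -> 192.168.1.200:443, with three denies over two seconds and only an "A" flag ever recorded, which is the signature of the firewall not seeing the handshake rather than of a VPN authentication problem.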

  • Thank you very much for answering.

  • I'd just uncheck the "Enable TCP SYN packet..." box in Global Settings > Networking tab. I stopped using it 10 years ago due to its random blocking of legitimate servers, such as some DNS servers (Google's, for one) and other sites.

    Gregg Hill

  • Good afternoon, I have tried the change you mention, but with the same result. It should be noted that this error occurs in a virtual test environment within isolated subnets, with virtual networks. However, I have redeployed the same virtual environment, but with virtual networks pointing outwards, and it worked fine for me, properly connecting mobile devices with Active Directory sync. Thank you very much for the contribution.
