Firewall denied traffic from authenticated user as Unhandled external traffic

Hi,

M370 12.7.2

I can't get traffic flowing on policies where the source is an authenticated user and the traffic is coming in over a BOVPN tunnel.

Below, the user authenticates successfully and a policy exists allowing the user to RDP into the destination IP address, but the firewall denies the traffic with Unhandled External Packet-00.

Does Fireware not support this kind of traffic flow?

2021-11-25 14:30:43 NetGroup-HA1 admd Authentication of Firewall user [username] from Remote_IP_Address was accepted msg_id="1100-0004" Event

2021-11-25 14:30:43 NetGroup-HA1 sessiond Firewall user username from Remote_IP_Address logged in msg_id="3E00-0002" Event

2021-11-25 14:30:43 NetGroup-HA1 wgcgi Remote ip(Remote_IP_Address) is not an agent address Debug

2021-11-25 14:30:54 NetGroup-HA1 Deny Remote_IP_Address Destination_IP_Address rdp/tcp 61211 3389 TunnelToMicroComASA Internal Network Denied 52 126 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2802578276 win 32" src_user="username" Traffic

Regards
Robert

Comments

  • The deny is for the remote IP addr, which is presumably not allowed over the VPN.
    If the user VPNs in, then they would get a local IP addr, and then it should work

  • @Bruce_Briggs said:
    The deny is for the remote IP addr, which is presumably not allowed over the VPN.
    If the user VPNs in, then they would get a local IP addr, and then it should work

    The remote IP is allowed - and if I choose to set the policy source as the IP address instead of the authenticated AD user, it works, so it's not a policy issue.

  • Interesting

  • I have opened a case today. Let's see what they say.

  • I don't know what to say about WG support. I'm impressed how bad the support is sometimes.

    After some conversation I wrote to the support person that if he did not know the answer, he should escalate the case. His response:

    Please take note that I'm not here to give you an answer to your problem, I'm here to gather all the information I can to be able to escalate and help you to the resolution of the issue you are encountering

    So first-line support do not do support, they only gather information! Waste of time.

    Then the next support person says I have to create a VPN policy from the VPN menu (which does not solve my issue) and will only open up more sources than needed.

    What a bad advice.

  • Case opened 01613256

  • This was caused by a mismatch in the username, where the MS AD name was all lower-case letters and the WatchGuard username had an upper-case letter.

  • james.carson (Moderator, WatchGuard Representative)

    @rv@kaufmann.dk
    Ah, the name mismatch --
    I generally recommend using a group for this as the group will always return the same way from the AD server. Even if the group is just for one user, it will prevent this.

    -James Carson
    WatchGuard Customer Support
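
The root cause reported above (a policy whose user name differed from the Active Directory spelling only by letter case, so the authenticated user's traffic fell through to the default deny) is the kind of thing worth checking mechanically before opening a case. The following is an added example written for this thread; it is not code from the original posts or from WatchGuard. It parses a deny line in the format quoted earlier (the constructed sample keeps the thread's placeholder names and the real msg_id shown on the page), picks out events that carry a `src_user` yet still hit "Unhandled External Packet", and compares the user name the policy was configured with against the name the directory returned, classifying exact match, case-only mismatch, or a different name. The function and field names are the example's own; how Fireware itself matches users to policies is not reproduced here.

```python
import re

# Constructed sample, modelled on the deny event quoted in the thread.
# Placeholder addresses are kept as-is; the user name is capitalised the
# way the WatchGuard side was in the reported case.
SAMPLE_DENY = (
    '2021-11-25 14:30:54 NetGroup-HA1 Deny Remote_IP_Address Destination_IP_Address '
    'rdp/tcp 61211 3389 TunnelToMicroComASA Internal Network Denied 52 126 '
    '(Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" '
    'tcp_info="offset 8 S 2802578276 win 32" src_user="Username" Traffic'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')      # key="value" pairs in the log line
REASON_RE = re.compile(r'\(([^)]*)\)')      # parenthesised deny reason


def parse_deny(line):
    """Return the key="value" fields of a WatchGuard traffic line plus the
    parenthesised deny reason under the key 'reason' (None if absent)."""
    fields = dict(KV_RE.findall(line))
    m = REASON_RE.search(line)
    fields["reason"] = m.group(1) if m else None
    return fields


def diagnose_user_mismatch(configured_user, directory_user):
    """Compare the name a policy was configured with against the name the
    directory server returned for the authenticated session.
    Returns 'match', 'case_mismatch' or 'different'."""
    if configured_user == directory_user:
        return "match"
    # casefold() is the right tool for case-insensitive identity comparison
    if configured_user.casefold() == directory_user.casefold():
        return "case_mismatch"
    return "different"


def unhandled_denies_with_user(lines, directory_users):
    """For each deny line that reached the default 'Unhandled External Packet'
    rule while carrying a src_user, look the user up in the directory
    spellings (case-insensitively) and report how the two names relate.

    directory_users: iterable of user names as the directory returns them.
    Returns a list of (src_user, directory_name_or_None, verdict) tuples.
    """
    by_fold = {name.casefold(): name for name in directory_users}
    findings = []
    for line in lines:
        f = parse_deny(line)
        reason = f.get("reason") or ""
        if not reason.startswith("Unhandled External Packet"):
            continue
        user = f.get("src_user")
        if not user:
            continue  # unauthenticated traffic; a different problem
        dir_name = by_fold.get(user.casefold())
        if dir_name is None:
            findings.append((user, None, "unknown_user"))
        else:
            findings.append((user, dir_name, diagnose_user_mismatch(user, dir_name)))
    return findings


if __name__ == "__main__":
    # Directory spelling as reported in the thread: all lower case.
    for src_user, dir_name, verdict in unhandled_denies_with_user([SAMPLE_DENY], ["username"]):
        print(f"src_user={src_user!r} directory={dir_name!r} verdict={verdict}")
```

A `case_mismatch` verdict on an authenticated deny is a strong hint that the policy's user object, not the address or port, is what failed to match; the group-based approach James describes avoids the comparison altogether because the group name comes back from the directory in one consistent form.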

  • @james.carson

    Yep, total end user mistake :)
    Need vacation soon.