Comments

  • From the Log Message Guide for 021A-0016: AUTH negotiation failed because peer sent a notification error message. Looks like TS = traffic selector. Perhaps this Cisco bug??? Cisco Bug: CSCue42170 https://quickview.cloudapps.cisco.com/quickview/bug/CSCue42170
  • Open a support case & select Customer Care. In the case, tell them the issue & provide a picture of the model/serial number of your firewall. They should be able to get it assigned to your account.
  • We need more details about the need for a 10.20.20.1 IP addr here. Do you have a subnet anyplace in your config including 10.20.20.1? If not, then adding 10.20.20.1 as a secondary on eth1 should work - as long as whatever is down eth1 knows to route things back to eth1 for dest packets of 10.20.20.1, as presumably eth1 has…
  • On the Dynamic NAT setup, you can specify "Set source IP addr" which should resolve your issue. Dynamic NAT entry: From: your source subnet, source Interface name, etc. To: eth1 Interface name. Set source IP addr: 10.20.20.1. Move this entry to the top of the list. Remove the 1-to-1 NAT entry, which is no longer needed.
  • I have no problem accessing your site. No idea why your customer has issues. It must be related to some settings on their firewall configuration.
  • Also, what is providing the DHCP addrs to the guest wifi VLAN? The firewall? If so, then that suggests that the VLAN connection to it for the guest wifi VLAN is correct, but doesn't explain the connection issue. For problem resolution - Add an Any policy From: the guest wifi VLAN To: Any. Turn on Logging on it to see…
  • Could this be a trunk issue - the connection between the switch & the firewall? Have you connected this to a firewall interface defined as a VLAN interface? If so, have both VLANs been defined on it? And has at least one of them been marked as tagged? If so, has the tagged VLANs on the switch port which connects to the…
  • What do you see in Traffic Monitor when this access is tried?
  • To me, the dest IP address needs to be the public IP address of the destination site, not an internal IP address at the WG site.
  • The issue has been forwarded to development for further investigation. Selecting "Reinstall protection" via the vertical ellipsis (3 vertical dots) at the end of the specific computer entry did resolve the issue by installing the current version.
  • Just create a policy for that device's IP addr which does not require authentication. Example: From: that IP addr To: Any-external or whatever. Make sure that this new policy ends up above any existing policies for the port(s) (i.e. HTTPS etc.) involved.
  • My EDR Core update is failing & causing a reboot after the failure - thus I am still getting the update pop-up. Working with support on this. Will post any resolution.
  • We need more info. Is this for AuthPoint, for the firewall authentication applet on TCP port 4100, or for SSO? If the authentication applet, what is causing it to be needed? A policy From: authenticated users?
  • You can't. You can set up a Blocked Sites Exception for an IP addr.
  • Add the remote subnet (24.25.26.0/22) to the BOVPN Tunnel Local/Remote entries at each end.
  • Create a support case and select Customer care, tell them what happened, and ask them to restore this device to your account for you.
  • And, if you haven't done so already, consider opening a support case if the above changes don't help.
  • This is a change to help with MTU issues related to packets going via a BOVPN. Since we don't know the real reason for what you see, this is just to try to eliminate one possible cause. In the past, WG support has suggested these changes when there were problems with HTTPS sites which were being accessed via a BOVPN. From…
  • Also, try this: On the external interface, in the Advanced section, change the Don't Fragment (DF) bit Setting for IPSec from Copy to Clear.
  • Try changing the Global setting, Networking section, TCP MTU Probing from Disabled to "Always enabled", and see if that helps. Define Firebox Global Settings https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html
  • -Endpoint 1 - Received 'main mode' exchange type. Expecting aggressive mode. This says that the other end (Vigor) is expecting your end to be Main mode, not aggressive, in Phase 1. -No matching tunnel route for peer proposed local:192.168.0.0/24 This suggests that your Tunnel settings do not match what is set up on the Vigor.
  • https://www.watchguard.com/wgrd-blog/subscribe-email Select the item(s) of interest. Note that new release e-mail announcements normally come out some time after the official release, sometimes as much as several weeks. For example, I received the following e-mail on 4/9, but the release came out on 4/4. Not too much of a…
  • Remove the $true after SplitTunneling. It doesn't seem to be needed from the MS docs. I modified the WG setup AddVPN.ps1 file and then ran the WGIKEv2.bat file for 2 other VPN configs, but not one for this goal. The ones that I added: . split tunneling . domain name suffix
  • I see the 3 AI options in both WSM Policy Manager & the Web UI, running V12.10.3 There is this fix in 12.10.3: . After you upgrade WSM, Policy Manager now includes the latest WebBlocker categories. [FBX-26290]
  • Works for me, including the below format, using V12.10.3 Firebox System Manager: -I eth0 94.140.15.15 result from dns.adguard.com
  • Note that you can have multiple subnets at each site - so the main subnet at 1 site could be .245.0/24 while there is a small .254.x/? subnet at it too.
  • You are switching from a bridge setup to a routing setup. In a routed environment, nothing for the local subnet will be routed anyplace else. NAT won't help to get from a .254.x subnet to a different location with a .254.x IP addr. One would need to send packets to a different subnet than .254.x to get packets routed to a…
  • The P2P link needs to be connected to each firewall for this to work, not via your switches.
  • Could be that you need 2 different policies - 1 for internal access & 1 for external access. SD-WAN should only be used on policies where the traffic is expected to go out an external interface.
  • In WSM Policy Manager, there is an Edit -> Find option, which allows one to search policies for: Address (IP, Network, User, Alias, FQDN, etc.), Port number, Protocol, Tag. This is in addition to being able to sort on the columns, such as Protocol, Policy Name, From, To, Port, etc.