Comments

  • I apologize. I should have followed up sooner. After doing research, I discovered that I didn't configure the SSO settings on the Firebox or my DC server. I was able to get it working. Thank you Bruce for responding!
  • I guess my point is it doesn't seem like there's an obvious setting I can tweak to get it working. It seems like the only sure way to fix it is to tear it down and build it back up again.
  • It sounds like the lack of certificate is the reason why it can't form an HTTPS connection. It still points to a device issue in my opinion though. I don't see a reason why it isn't issuing a certificate when the certificate settings are more or less identical between the two devices.
  • Ok, this is interesting. The working firebox has a valid self-signed certificate while the other one does not have one at all. I'm looking at my certificate settings on both fireboxes and they appear to be the same.
  • Yes. My assumption is the port check tool site attempts to connect to the specified port on my public IP (the Firebox) and says whether it can or not. I tested port 443 from the LAN where the Firebox VPN works and it said there wasn't anything blocking port 443. On the other one it said the connection was refused. The…
  • I should have also mentioned that I used https://www.portchecktool.com/ to test my ports. I ran it from a workstation at the site where the Firebox in question is. It can't connect to port 80, 8080, or 25 saying that the connection timed out. To me, that seems consistent with the ISP blocking the ports which it's currently…
  • I called my ISP and was told they don’t filter HTTPS traffic (for business customers at least). On my account dashboard, I have the ability to block port 80, 8080, and 25 traffic but not 443. The Firebox in question is connected via Ethernet to a modem which goes out to the ISP. There are no other on-site routers between…
  • I appreciate it. At this point, all evidence points to an issue with the device itself. I’m going to try a factory reset as a last ditch effort and see if that works.
  • Yes, I use a Windows 10 laptop with my phone’s hotspot. Same computer I can connect to one Firebox and not the other, so I don’t think it’s the software.
  • I did it again! But yes I used the actual public IP when trying to access it.
  • Sorry if it wasn't clear. I didn't want to post the actual IP address so I typed and I guess it dropped it.
  • It's in the initial post. When I go to https://public-ip/sslvpn.html, I get an error saying that the site cannot be reached because it refused to connect. I tried accessing it from the Chrome browser as well as Microsoft Edge with the same result. The fact that it's refusing to connect leads me to believe that it's able to…
  • I spoke to our ISP and they said they don't block port 443. I'm thinking at this point it has to be a device level issue.
  • Good thought. I'm not very familiar with what power ISPs have to block HTTPS connections, but it is a possibility. I'm going to reach out to them and see what I can find out. Thanks!
  • No luck. I tried rebooting it twice. I think I’m going to try backing up the settings and factory resetting it. At this point, that seems like the only other thing to try.
  • I'm using the Web UI and I have the same NTP servers configured as well. At this point, I'm going to wait until tomorrow when no one's in the office and try rebooting it. There seems to be no rhyme or reason why it's not working. I'll let you know if doing that resolves the issue. I really appreciate all your help!
  • I configured the WatchGuard SSLVPN policy the way you said and enabled logging. I'm still not seeing anything in the traffic monitor. I did notice something peculiar though. The time in the traffic monitor is 4 minutes off from my computer's system time. I checked the NTP settings and it's configured the same as the one…
  • The Data Channel is set to TCP port 443 in the Mobile VPN with SSL -> Advanced tab
  • I see. This is the log message I get when I try to connect:
    2021-06-18T15:28:41.936 Requesting client configuration from x.x.x.166:443
    2021-06-18T15:28:44.107 FAILED:
    2021-06-18T15:28:54.980 FAILED:Cannot perform http request 12029
    2021-06-18T15:28:54.980 failed to get domain name
  • I went to Diagnostic Log and made sure VPN SSL was set to error. I've been parsing the Traffic Monitor page to see if there's anything related to the VPN after I try connecting, but can't seem to find anything.
  • Yes, I can connect to my other firewall without issue. I believe the firewall policies are added automatically when the Activate Mobile VPN with SSL box is activated, so that shouldn't require any tweaking. I also made sure that my user account was added to the SSLVPN-Users group. The only other thing I can think of is a…
  • I've tried unchecking the Activate Mobile VPN with SSL box, saving then re-enabling it and saving again but it did not work. I get a bunch of these deny messages in the traffic monitor when I try to connect to the VPN. It's hard to make sense of it, but it seems like it may be related to firewall policies. It's strange…
  • So it turns out that the passphrase on each end of the tunnel didn't match. Once I corrected that, it started working. Thank you for the response!
  • I should probably also mention that the tunnel will go up for a couple of minutes then go down with the warning about the keep-alive negotiation failure. It never stays up for very long.
  • They're both static IPs assigned by the ISP. Unfortunately, I don't have access to the logs at this moment because the other office is over an hour away. This may sound trivial, but the IP that I need to assign to the BOVPN gateway should be the IP of the external interface (x.x.x.x/29) and not the gateway, correct?