Troubleshoot Mobile VPN with IPSec
This topic describes common types of problems you might encounter with Mobile VPN with IPSec, and describes the solutions that most often resolve these problems. Even after the IPSec VPN client connects, client traffic might not be able to reach some network resources because of network or policy configuration problems.
If you select Online Activation in the WatchGuard IPSec Mobile VPN client and activation fails, one of these error messages might appear:
Software activation error. Error number: 10103-1. An error occurred when activating the software. The maximum number of activations was exceeded.
This error can occur when the license key is in use on another system. If you have uninstalled the client from that other system, contact WatchGuard Customer Care and provide:
- The serial and license information from your confirmation email
- Screenshots of the activation wizard with the serial number and license filled in, and the error message
Invalid license key or serial number
This error can occur when:
- You installed the IPsec Client from NCP, not the WatchGuard Mobile VPN with IPsec Client. The license keys for the WatchGuard-branded client do not work for activation of the client from NCP.
- You attempted to activate with the incorrect serial number, such as the serial number of your Firebox. Make sure to use the IPSec Mobile VPN client serial number you received in the confirmation email.
If the VPN client can connect to a network resource by IP address, but not by name, the client device might not have the correct WINS and DNS information for your network. Your Firebox automatically provides client devices with the WINS and DNS IP addresses configured in the global WINS/DNS settings on your device.
For information about how to configure WINS and DNS IP addresses, see Configure WINS and DNS Servers.
If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name to connect, this indicates that the DNS suffix is not defined on the client. When you use Mobile VPN with IPSec with the Shrew Soft client, WatchGuard Mobile VPN with IPSec (NCP) client, or any other supported client, the Firebox assigns the VPN client the DNS settings configured for the Firebox. It does not assign the DNS suffix.
A client that does not have an assigned DNS suffix must use the entire DNS name to resolve an address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix, example.net.
To resolve this problem, you can add the DNS suffix in the configuration of the Mobile VPN client. For instructions, see these articles in the WatchGuard Knowledge Base:
On the authentication server used for the Mobile VPN, verify that the user is a member of a group that exactly matches the Mobile VPN with IPSec group profile name. For example, if the Mobile VPN with IPSec group profile name is ipsec-users, and it is configured to use an Active Directory domain, you must make sure that each mobile VPN user is a member of the ipsec-users group on the Active Directory server. Make sure the text and case of the Active Directory group name exactly match the Mobile VPN with IPSec group name.
For RADIUS, SecurID, and VASCO authentication, the authentication server must return the group membership as the Filter-ID attribute.
For more information about Mobile VPN with IPSec group membership, see Configure the External Authentication Server.
When you initially create a Mobile VPN with IPSec profile, a policy is automatically created that allows traffic on all ports and protocols to all networks that were defined in the Allowed Resources section of the Mobile VPN configuration. If you later modify the Allowed Resources in the Mobile VPN with IPSec profile, you must also edit the Allowed Resources in the Mobile VPN with IPSec policy to match the network addresses in the updated Mobile VPN with IPSec profile.
For more information about how to edit the policy, see Configure Policies to Filter IPSec Mobile VPN Traffic.
If your VPN clients can connect to certain parts of the network, but not others, or traffic otherwise fails when log messages show that traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:
- The virtual IP address pool for Mobile VPN with IPSec clients does not overlap with any IP addresses assigned to internal network users.
- The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
- If the Mobile VPN with IPSec users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.
For more information about how to configure the virtual IP address pool, see Modify an Existing Mobile VPN with IPSec Group Profile.
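The three routing checks above can be scripted against a list of your configured networks. This Python sketch is an added example, not WatchGuard code; the pool entries, network labels and remote routes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def to_networks(spec):
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or 'first-last' into a list of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=False)]

def find_pool_conflicts(pool, networks):
    """Checks 1 and 2: pool entries that overlap an internal, routed or VPN network."""
    conflicts = []
    for entry in pool:
        for label, spec in networks.items():
            if any(p.overlaps(n) for p in to_networks(entry) for n in to_networks(spec)):
                conflicts.append((entry, label))
    return conflicts

def pool_without_route(pool, routes):
    """Check 3: pool entries not fully covered by a remote host's routes to the Firebox.

    A default route (0.0.0.0/0) that points to the Firebox covers every entry.
    """
    route_nets = [n for r in routes for n in to_networks(r)]
    missing = []
    for entry in pool:
        if not all(any(p.subnet_of(r) for r in route_nets) for p in to_networks(entry)):
            missing.append(entry)
    return missing

# Constructed sample values, not taken from any real configuration.
VIRTUAL_POOL = ["192.168.113.10-192.168.113.50", "10.0.50.0/24"]
FIREBOX_NETWORKS = {
    "Trusted": "10.0.1.0/24",
    "Optional": "192.168.113.0/24",
    "BOVPN remote": "172.16.20.0/24",
}
REMOTE_ROUTES_TO_FIREBOX = ["10.0.0.0/16"]  # routes on a host in the routed network

if __name__ == "__main__":
    for entry, label in find_pool_conflicts(VIRTUAL_POOL, FIREBOX_NETWORKS):
        print(f"CONFLICT: pool entry {entry} overlaps {label}")
    for entry in pool_without_route(VIRTUAL_POOL, REMOTE_ROUTES_TO_FIREBOX):
        print(f"NO ROUTE: remote hosts cannot reach pool entry {entry}")
```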
If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.