Troubleshoot Mobile VPN with IKEv2

This topic describes common problems and solutions for Mobile VPN with IKEv2.

Log Messages

In Fireware Web UI or Fireware System Manager, you can see log messages for Mobile VPN with IKEv2 on the Traffic Monitor page. You can also change the log level to help you troubleshoot.

To change the diagnostic log level for Mobile VPN with IKEv2:

  1. Set the diagnostic log level for IKE VPN.
    To troubleshoot Mobile VPN with IKEv2 connections, you do not have to select the Enable logging for traffic sent from this device check box. This setting applies to traffic sent by the Firebox itself, which is also known as Firebox-generated traffic or self-generated traffic.
  2. Open Traffic Monitor.
  3. Click the Search icon and type the Firebox IP address that IKEv2 VPN users connect to.
  4. After you troubleshoot the problem, reset the diagnostic log level to the previous setting. The default setting is Error.

For information about log messages in WatchGuard Cloud, see Log Messages.

We do not recommend that you select the highest logging level (Debug) unless a technical support representative directs you to do so while you troubleshoot a problem. When you use the highest diagnostic log level, the log file can fill up very quickly and performance of the Firebox can be reduced.

Installation Issues

Connection Issues

Account-Related Connection Issues

During the VPN connection process, the Firebox verifies the user's identity and group membership against the local database or an existing RADIUS server.

The user must be a member of:

  • The default IKEv2-Users group on the Firebox, or
  • A group explicitly added during Firebox configuration.

For these account-related connection issues, users see a general error message, such as:

[Screenshot: IKEv2 VPN connection error in Windows]

To troubleshoot issues with AuthPoint authentication, see:

Issues After Connection

If users still cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.

See Also

Mobile VPN with IKEv2

Edit the Mobile VPN with IKEv2 Configuration

Troubleshoot TDR Host Sensor Enforcement