Troubleshoot Mobile VPN with SSL

This topic describes common problems and solutions for Mobile VPN with SSL:

Download Issues

If users cannot download the Mobile VPN with SSL client from the Firebox:

  • Make sure users connect to your Firebox with the correct URL and port number. In the Mobile VPN with SSL configuration, the Configuration Channel setting specifies the port number for client downloads. If you keep the default port number (443), make sure users connect tohttps://[Firebox IP address]/sslvpn.html to download the Mobile VPN with SSL client.
  • If you specify a configuration channel port other then 443, make sure that users connect to https://[Firebox IP address]:[port]/sslvpn.html to download the Mobile VPN with SSL client.
  • Make sure you have not disabled the Mobile VPN with SSL software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. For more information about the CLI command that disables the download page, see Plan Your Mobile VPN with SSL Configuration.

If users still cannot download the Mobile VPN with SSL client from the Firebox:

If users have installed the Mobile VPN with SSL client but cannot download an updated configuration:

  • If the error "Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?" appears, tell users to click Yes to make a VPN connection unless you have changed the Mobile VPN with SSL settings in your Firebox configuration. If users click Yes, the client does not automatically receive configuration changes. If you change the Mobile VPN with SSL configuration on the Firebox, you must manually distribute the update to users who cannot download it from the Firebox.

In Fireware versions lower than v11.x, the authentication and client configuration port is 4100.

Installation Issues

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

The Firebox has version requirements for TLS connections:

SSL VPN client connections

In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher.

In earlier Fireware v12 releases, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.

SSL VPN client download page

In Fireware v12.5.5 or higher, to download the client from the Firebox, your browser must support TLS 1.2 or higher. In earlier Fireware v12 releases, to download the client from the Firebox, your browser must support TLS 1.1 or higher.

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

In macOS 10.15 (Catalina) or higher, you must install v12.5.2 or higher of the WatchGuard Mobile VPN with SSL client. For more compatibility information, see the Fireware Release Notes.

Upgrade Issues

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

  • If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
  • If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message appears that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

Connection Issues

In Fireware v12.5 or higher, you must configure a RADIUS domain name. If your Firebox configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, users must type RADIUS as the domain name. In this case, if users type a domain name other than RADIUS, authentication fails. For more information, see Download, Install, and Connect the Mobile VPN with SSL Client.

To troubleshoot mobile VPN connection issues related to TDR Host Sensor Enforcement, see Troubleshoot TDR Host Sensor Enforcement.

Issues After Connection

If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.

See Also

About Mobile VPN with SSL

Plan Your Mobile VPN with SSL Configuration

Uninstall the Mobile VPN with SSL Client