Troubleshoot Mobile VPN with SSL

This topic describes common problems and solutions for Mobile VPN with SSL:

Log Messages

To view log messages for events related to Mobile VPN with SSL:

  1. Set the diagnostic log level for SSL VPN.
  2. Open Traffic Monitor.
  3. Click the Search icon and type the Firebox IP address that SSL VPN users connect to.
  4. After you troubleshoot the problem, reset the diagnostic log level to the previous setting. The default setting is Error.

We do not recommend that you select the highest logging level (Debug) unless a technical support representative directs you to do so while you troubleshoot a problem. When you use the highest diagnostic log level, the log file can fill up very quickly and performance of the Firebox can be reduced.

For information about log messages on the Mobile VPN with SSL client, go to Download, Install, and Connect the Mobile VPN with SSL Client.

Download Issues

If users cannot download the Mobile VPN with SSL client from the Firebox:

  • Make sure users connect to your Firebox with the correct URL and port number. In the Mobile VPN with SSL configuration, the Configuration Channel setting specifies the port number for client downloads. If you keep the default port number (443), make sure users connect to https://[Firebox IP address]/sslvpn.html to download the Mobile VPN with SSL client.
  • If you specify a configuration channel port other than 443, make sure that users connect to https://[Firebox IP address]:[port]/sslvpn.html to download the Mobile VPN with SSL client.
  • Make sure you have not disabled the Mobile VPN with SSL software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. For more information about the CLI command that disables the download page, go to Plan Your Mobile VPN with SSL Configuration.

If users still cannot download the Mobile VPN with SSL client from the Firebox:

If users have installed the Mobile VPN with SSL client but cannot download an updated configuration:

  • If the error "Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?" shows, tell users to click Yes to make a VPN connection unless you have changed the Mobile VPN with SSL settings in your Firebox configuration. If users click Yes, the client does not automatically receive configuration changes. If you change the Mobile VPN with SSL configuration on the Firebox, you must manually distribute the update to users who cannot download it from the Firebox.

In Fireware versions lower than v11.x, the authentication and client configuration port is 4100.

Installation Issues

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

The Firebox has version requirements for TLS connections:

SSL VPN client connections

In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher.

In earlier Fireware v12 releases, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.

SSL VPN client download page

In Fireware v12.5.5 or higher, to download the client from the Firebox, your browser must support TLS 1.2 or higher. In earlier Fireware v12 releases, to download the client from the Firebox, your browser must support TLS 1.1 or higher.
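
The following Python helper is an added example, not part of WatchGuard documentation or tooling. It builds the download URL described under Download Issues, applies the TLS minimums stated above, and can optionally report which TLS version a Firebox negotiates; the function names and the sample address 203.0.113.10 are assumptions.

```python
import socket
import ssl
import sys

# Protocol names as returned by SSLSocket.version(), oldest first.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# First Fireware release that requires TLS 1.2, per the page.
TLS12_FROM = {"client": (12, 5, 4), "download": (12, 5, 5)}

def parse_version(text):
    """'v12.5.4' -> (12, 5, 4); missing parts count as 0."""
    parts = [int(p) for p in text.lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def required_tls(fireware, purpose):
    """Minimum TLS for 'client' tunnels or the 'download' page."""
    version = parse_version(fireware)
    if version < (12, 0, 0):
        raise ValueError("the page states requirements for v12 and higher only")
    return "TLSv1.2" if version >= TLS12_FROM[purpose] else "TLSv1.1"

def meets_requirement(negotiated, fireware, purpose):
    """True if a negotiated protocol satisfies the Firebox minimum."""
    return ORDER.index(negotiated) >= ORDER.index(required_tls(fireware, purpose))

def download_url(host, port=443):
    """Download page URL; port is the Configuration Channel setting."""
    suffix = "" if port == 443 else f":{port}"
    return f"https://{host}{suffix}/sslvpn.html"

def negotiated_tls(host, port=443, timeout=5.0):
    """Handshake only; return the protocol name, e.g. 'TLSv1.2'.
    Certificate checks are off: only the protocol version is read, no data is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 is a documentation address.
    print(download_url("203.0.113.10"), download_url("203.0.113.10", 4443))
    for release in ("v12.5.3", "v12.5.4", "v12.5.5"):
        print(release, required_tls(release, "client"), required_tls(release, "download"))
    if len(sys.argv) > 1:  # optional live probe: script.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("negotiated:", negotiated_tls(sys.argv[1], port))
```

Note that v12.5.4 falls between the two thresholds: it requires TLS 1.2 for client connections but still accepts TLS 1.1 on the download page.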

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

Upgrade Issues

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

  • If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
  • If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message opens that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not show if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message opens that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

Connection Issues

The Mobile VPN with SSL client does not fully support IPv6 addresses. For Mobile VPN with SSL client v12.7.2, do not use IPv6 addresses in local network settings. For all Mobile VPN with SSL client versions, do not use IPv6 addresses in local network settings with macOS and iOS devices.

In Fireware v12.5 or higher, you must configure a RADIUS domain name. If your Firebox configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, users must type RADIUS as the domain name. In this case, if users type a domain name other than RADIUS, authentication fails. For more information, go to Download, Install, and Connect the Mobile VPN with SSL Client.

Connection Issues Related to AuthPoint Multi-Factor Authentication (MFA)

In Fireware v12.7 or higher, if you select AuthPoint as an authentication server in the Mobile VPN with SSL configuration, but users cannot authenticate through AuthPoint:

  • Review the configuration requirements for Fireware v12.7 or higher in the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
  • For users who connect with the WatchGuard Mobile VPN with SSL client, make sure the client version is v12.7 or higher. There is no version requirement for the OpenVPN client.

Issues After Connection

If you cannot connect to network resources through an established VPN tunnel, go to Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.

Related Topics

About Mobile VPN with SSL

Plan Your Mobile VPN with SSL Configuration

Uninstall the Mobile VPN with SSL Client

About the Mobile VPN with SSL Security Alert