Mobile VPN with SSL Connections Fail Over a Specific Network
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
If Mobile VPN with SSL connections fail from the primary network of a user, but succeed from other networks such as a mobile hotspot, this usually indicates interference on the upstream network, not a software issue on the client computer.
Because Mobile VPN with SSL uses encrypted traffic over TCP port 443 (or a custom protocol and port specified in the Firebox configuration), any upstream filtering, deep packet inspection, or blocked ports might prevent VPN tunnel negotiation. In these situations, traffic might not reach the Firebox and the Firebox might not generate any logs that show a connection attempt from the Mobile VPN with SSL client.
If the VPN configuration uses the UDP data channel on port 443, upstream security software and firewalls might classify the traffic as QUIC, which also runs over UDP port 443, and apply their QUIC blocking rules to it. Mobile VPN with SSL always uses TCP for the configuration channel, so this misclassification affects only the data channel.
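To show why a UDP/443 data channel gets caught by QUIC rules, here is an added example (not WatchGuard or firewall-vendor code) that contrasts a port-only rule, which drops every UDP datagram to port 443, with a check of the QUIC long-header format from RFC 9000. The two datagrams are constructed for the example; `SAMPLE_VPN` is only a placeholder payload whose first byte does not match a QUIC header, not a real Mobile VPN with SSL packet.

```python
"""Contrast a port-only QUIC rule with a QUIC header check on UDP/443 traffic.

Added example for this article, not WatchGuard or firewall-vendor code.
Both sample datagrams are constructed here; SAMPLE_VPN is a placeholder
payload, not a real Mobile VPN with SSL packet.
"""

# QUIC version fields a middlebox would recognise: v1 (RFC 9000) and v2 (RFC 9369).
QUIC_VERSIONS = {0x00000001, 0x6B3343CF}


def port_only_quic_rule(dst_port: int) -> bool:
    """The coarse rule some firewalls apply: any UDP datagram to port 443 is QUIC.
    Under this rule an SSL VPN data channel on UDP 443 is dropped along with QUIC."""
    return dst_port == 443


def looks_like_quic_long_header(payload: bytes) -> bool:
    """Header-based check (RFC 9000 section 17.2): the first byte has the form
    bit (0x80) and the fixed bit (0x40) set, and bytes 1-4 carry a known
    version, or 0x00000000 for a server Version Negotiation packet.
    Short-header packets later in a QUIC connection are not covered here; a
    real middlebox tracks those by flow state after it has seen the Initial."""
    if len(payload) < 5:
        return False
    if payload[0] & 0xC0 != 0xC0:
        return False
    version = int.from_bytes(payload[1:5], "big")
    return version == 0 or version in QUIC_VERSIONS


def classify(dst_port: int, payload: bytes) -> str:
    """Verdict of a header-aware filter for one datagram."""
    if dst_port != 443:
        return "other"
    return "quic" if looks_like_quic_long_header(payload) else "udp443-non-quic"


# Constructed QUIC v1 client Initial: first byte 0xC3 (long header, fixed bit,
# type Initial, 4-byte packet number), version 1, an 8-byte DCID, empty SCID,
# zero-length token, padded to the 1200-byte minimum clients must send.
SAMPLE_QUIC_INITIAL = (
    bytes([0xC3]) + (1).to_bytes(4, "big")
    + bytes([8]) + bytes(range(1, 9))   # DCID length + DCID
    + bytes([0])                        # SCID length 0
    + bytes([0])                        # token length 0
).ljust(1200, b"\x00")

# Constructed non-QUIC payload sent to UDP/443 (placeholder: first byte 0x38
# has neither the form bit nor the fixed bit set).
SAMPLE_VPN = bytes([0x38, 0x00, 0x00]) + b"\x11" * 20


def compare_rules(dst_port: int, payload: bytes) -> dict:
    """Both verdicts side by side for one datagram."""
    return {
        "port_only_says_quic": port_only_quic_rule(dst_port),
        "header_check": classify(dst_port, payload),
    }


if __name__ == "__main__":
    print("QUIC Initial:", compare_rules(443, SAMPLE_QUIC_INITIAL))
    print("VPN-style payload:", compare_rules(443, SAMPLE_VPN))
```

The point of the comparison: a port-only rule reports `port_only_says_quic: True` for both datagrams, while the header check separates them. If the upstream device only offers the port-only behaviour, the remedies in this article (exempt the Firebox address, or move the data channel to TCP or to another port) are the only options.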
Symptoms
Mobile VPN with SSL connection failures from a specific network might present these symptoms:
- Mobile VPN with SSL connects normally on a hotspot or other external network.
- Connections fail or drop intermittently on the home or corporate network.
- When the VPN configuration uses the UDP data channel, connections become unstable or fail immediately.
- No related logs appear on the Firebox because upstream systems block VPN traffic before it reaches the Firebox.
If the Firebox logs show no connection attempts at all, your ISP or another upstream network probably blocks the required ports before the VPN traffic reaches the Firebox.
Diagnostic Steps
From the affected client computer, and on the upstream network it uses:
- Test Mobile VPN with SSL connections from an alternate network.
  - Connect from a mobile hotspot or guest Wi‑Fi. If the Mobile VPN with SSL connection succeeds, the original network is likely the cause.
- Verify required ports and protocols.
  - Open the TCP and UDP ports specified in the Mobile VPN with SSL configuration on all upstream devices:
    - Open the TCP port you specify for the configuration channel.
    - Open the UDP port you specify for the data channel if you enabled UDP mode.
  - Mobile VPN with SSL cannot establish a tunnel if upstream devices block these ports or protocols.
  - If you use UDP port 443 for the data channel, make sure the upstream device does not block QUIC. Because QUIC also uses UDP port 443, QUIC blocking rules can drop the data channel traffic.
- Review these security controls in your network that might affect VPN traffic:
  - SSL content inspection, TLS decryption, or DPI.
  - Protocol or application filtering.
- Review these upstream firewall configurations:
  - NAT rules.
  - Outbound ACLs (Access Control Lists).
  - Proxy restrictions or firewall policies.
- Retest connections in TCP‑only mode:
  - If UDP or QUIC interference is possible, configure Mobile VPN with SSL to use TCP‑only mode on the Firebox. If the connection succeeds in TCP‑only mode, the problem is with UDP traffic on the data channel port.
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| Upstream firewall blocks the configuration channel or data channel ports (defaults: TCP 443 and UDP 443) | Open the TCP and UDP ports specified in the Mobile VPN with SSL configuration on all upstream devices. For more information for a locally-managed Firebox, go to Choose the Port and Protocol for Mobile VPN with SSL. For more information for a cloud-managed Firebox, go to Configure Mobile VPN with SSL for a Cloud-Managed Firebox. |
| TLS interception or Deep Packet Inspection on an upstream firewall disrupts SSL VPN negotiation | In the upstream third-party firewall configuration, disable SSL content inspection (HTTPS decryption), TLS interception, or DPI for SSL VPN traffic, or add an explicit exemption for traffic to the Firebox address and port. |
| Misconfigured NAT, ACLs, or restrictive proxy filtering | In the upstream firewall configuration, review NAT rules, outbound ACLs, and proxy policies. Correct any configuration that might block or rewrite outbound VPN traffic. |
| QUIC traffic mishandled or blocked | If you cannot allow QUIC traffic, configure Mobile VPN with SSL to use a TCP‑only data channel or change the SSL VPN port on the Firebox so the data channel no longer uses UDP 443. Because a TCP data channel reduces throughput, use TCP mode only when necessary. For more information for a locally-managed Firebox, go to Choose the Port and Protocol for Mobile VPN with SSL. For more information for a cloud-managed Firebox, go to Configure Mobile VPN with SSL for a Cloud-Managed Firebox. |
Related Log Messages
- The Firebox logs show no connection attempt for this issue, because the blocked VPN traffic never reaches it.
- Mobile VPN with SSL client logs might show handshake failures, timeouts, or transport‑layer errors.