Missing, Disabled, or Misconfigured WatchGuard SSLVPN Policy

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When you configure Mobile VPN with SSL, the Firebox automatically creates the WatchGuard SSLVPN policy. This policy allows Mobile VPN with SSL connections to the Firebox. If you disable, delete, or misconfigure the WatchGuard SSLVPN policy, Mobile VPN with SSL traffic from external networks cannot reach the Firebox.

On a cloud-managed Firebox, you cannot delete or edit the WatchGuard SSLVPN system policy.

Symptoms

When the WatchGuard SSLVPN policy is missing, disabled, or misconfigured, you might notice these symptoms:

  • Users cannot connect to the VPN.
  • No Allow log messages appear for the WatchGuard SSLVPN policy.
  • Deny log messages appear for unhandled external packets. For example:

    2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"
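As an added example (not part of the WatchGuard documentation), the following Python script parses Firebox traffic log lines of the shape shown above and flags Unhandled External Packet denies to the configured Mobile VPN with SSL port, which is a quick way to confirm that client traffic is reaching the Firebox but being dropped because no policy handles it. The field layout, the constructed sample lines and the VPN port 9007 are assumptions taken from the example log line.

```python
import re
from collections import Counter

# Assumed layout of a Firebox traffic log line, taken from the example above:
# date time action src dst port/proto sport dport in_iface out_iface ... (policy) key="value"...
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) '
    r'(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<port>\d+)/(?P<proto>\w+) '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<in_if>\S+) (?P<out_if>\S+) '
    r'.*?\((?P<policy>[^)]+)\)(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one traffic log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("kv")))  # proc_id, msg_id, tcp_info, ...
    return rec


def find_unhandled_vpn_denies(lines, vpn_port):
    """Return (records, per-source counts) for denied, unhandled TCP packets to the VPN port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "Deny"
                and rec["policy"].startswith("Unhandled External Packet")
                and rec["proto"] == "tcp"
                and int(rec["dport"]) == vpn_port):
            hits.append(rec)
    return hits, Counter(r["src"] for r in hits)


# Constructed sample log: the page's deny line, a second client, an unrelated deny,
# and a connection handled by the WatchGuard SSLVPN policy (key/value tail simplified).
SAMPLE_LOG = """
2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"
2022-09-29 09:41:45 Deny 198.51.100.7 203.0.113.250 9007/tcp 40212 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2022-09-29 09:41:50 Deny 198.51.100.7 203.0.113.250 22/tcp 40213 22 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2022-09-29 09:42:10 Allow 192.0.2.99 203.0.113.250 9007/tcp 31070 9007 External1 Firebox Allowed 52 51 (WatchGuard SSLVPN-00) proc_id="firewall"
"""

if __name__ == "__main__":
    hits, by_src = find_unhandled_vpn_denies(SAMPLE_LOG.splitlines(), 9007)
    for src, n in by_src.most_common():
        print(f"{src}: {n} unhandled VPN-port deny(s)")
```

If the script reports denies while no Allow lines name the WatchGuard SSLVPN policy, the policy is the first thing to check.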

Diagnostic Steps

  1. Verify that the WatchGuard SSLVPN policy exists and is enabled.

    To view the WatchGuard SSLVPN policy on a cloud-managed Firebox, make sure you enable Show System Policies.

  2. (Locally-managed Fireboxes only) Open the policy and verify that the From and To lists are configured correctly. For example, the From list might include the Any-External alias and the To list might include the Firebox alias.

Possible Causes and Solutions

Common causes and solutions include:

Possible Cause: The WatchGuard SSLVPN policy is disabled.

Solution: Enable the WatchGuard SSLVPN policy.

For locally-managed Fireboxes, in Fireware Web UI or Policy Manager, open the policy and select the Enable check box next to the policy name. For more information about policy configuration, go to Add Policies to Your Configuration.

For cloud-managed Fireboxes, on the Policies page, enable Show System Policies. Then enable the WatchGuard SSLVPN policy.

Alternatively, you can copy the WatchGuard SSLVPN policy and modify it to meet your requirements. For example, you can remove the Firebox alias from the Destination list and add the Primary and Backup IP addresses or FQDNs configured for Mobile VPN with SSL.

For more information, go to Configure Firewall Policies in WatchGuard Cloud.

Possible Cause: (Locally-managed Fireboxes only) The WatchGuard SSLVPN policy is deleted.

Solution: Create the WatchGuard SSLVPN policy again.

To create the policy, open the Mobile VPN with SSL configuration and click Save (Fireware Web UI) or OK (Policy Manager). The Firebox automatically creates the WatchGuard SSLVPN policy. For more information, go to Manually Configure the Firebox for Mobile VPN with SSL.

Possible Cause: (Locally-managed Fireboxes only) The WatchGuard SSLVPN policy is misconfigured.

Solution: Reconfigure the WatchGuard SSLVPN policy.

In the From list, add the Any-External alias or add other appropriate sources.

In the To list, add the Firebox alias or add the Primary and Backup IP addresses or FQDNs configured for Mobile VPN with SSL.

For more information, go to Set Access Rules for a Policy.

Related Topics

About Mobile VPN with SSL Policies

Troubleshoot Mobile VPN with SSL

About Mobile VPN with SSL