Mobile VPN with SSL Traffic Matches the Wrong Policy
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
When you configure Mobile VPN with SSL, the Firebox automatically creates the WatchGuard SSLVPN policy. This policy allows Mobile VPN with SSL connections to the Firebox. If you have policies with broad inbound rules with a higher precedence or priority than the WatchGuard SSLVPN policy, those policies can capture the VPN traffic and deny or mishandle the packets.
Symptoms
When the wrong policy captures Mobile VPN with SSL traffic, you might notice these symptoms:
- Users cannot connect to the VPN.
- Deny and Allow log messages appear from another policy for the SSL VPN listener port (TCP 443 unless configured otherwise).
- No log messages appear for the WatchGuard SSLVPN policy at the time of connection attempts.
Diagnostic Steps
- Verify the position of the WatchGuard SSLVPN policy in the policy list.
- Identify any policies before the SSLVPN policy that have broad inbound rules (for example, HTTPS, Any, or TCP-UDP) that include the SSL VPN listener port (TCP 443 unless configured otherwise).
- Enable logging on the inbound policies you identified.
- Attempt to connect to the VPN and review the log messages to identify the policy that logs the packets.
Possible Causes and Solutions
Common causes and solutions include:
| Possible Cause | Solution |
|---|---|
| In Manual Policy Order mode, a policy with broad inbound rules is above the WatchGuard SSLVPN policy in the list. | Reorder the policies so that the Mobile VPN with SSL traffic matches the WatchGuard SSLVPN policy first. For more information, go to: Locally-Managed: About Policy Precedence; Cloud-Managed: Firewall Policy Priority on Cloud-Managed Fireboxes. |
| In Automatic Policy Order mode, a more-specific inbound policy is evaluated before the WatchGuard SSLVPN policy and matches the SSL VPN listener port. | In Automatic Policy Order mode, the Firebox evaluates traffic against more specific policies before more general policies, so you must reconfigure the WatchGuard SSLVPN policy to be more specific. Option 1: To make the WatchGuard SSLVPN policy more specific than other policies for the same port, in the To or Source list, enter the IP addresses configured as the primary and backup addresses in the Mobile VPN with SSL configuration. For more information, go to: Locally-Managed: Set Access Rules for a Policy; Cloud-Managed: Configure the Source and Destination in a Firewall Policy. Option 2: Change the listener port in the Mobile VPN with SSL configuration. The WatchGuard SSLVPN policy automatically updates to use the new port. For more information, go to: Locally-Managed: Manually Configure the Firebox for Mobile VPN with SSL; Cloud-Managed: Configure Mobile VPN with SSL for a Cloud-Managed Firebox. If you use a port other than TCP 443, users must manually type this port in the Mobile VPN with SSL connection dialog box, for example, 203.0.113.2:444. |
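To show why the two policy-order modes behave differently and why each option in the table works, here is an added example that is not WatchGuard code: a simplified model of policy matching. The specificity scoring, the tie-break for equally specific policies, the policy name Custom-HTTPS and the backup address 198.51.100.2 are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Simplified model of Firebox policy matching, constructed for this example.
# A policy has a protocol ("tcp", "udp" or "any"), a port set (None = any
# port) and a "To" list of aliases ("Any", "Firebox") or CIDR strings.
def policy(name, protocol, ports, to):
    return {"name": name, "protocol": protocol, "ports": ports, "to": to}

def matches(pol, proto, port, dst_ip):
    if pol["protocol"] not in ("any", proto):
        return False
    if pol["ports"] is not None and port not in pol["ports"]:
        return False
    for entry in pol["to"]:
        if entry in ("Any", "Firebox"):  # aliases cover every Firebox address here
            return True
        if ip_address(dst_ip) in ip_network(entry):
            return True
    return False

def specificity(pol):
    # Higher tuple = more specific. Assumed scoring: explicit addresses beat
    # the Firebox alias, which beats Any; a port list beats any-port.
    if all(e not in ("Any", "Firebox") for e in pol["to"]):
        to_score = 2
    elif "Any" not in pol["to"]:
        to_score = 1
    else:
        to_score = 0
    return (to_score, pol["ports"] is not None, pol["protocol"] != "any")

def first_match(policies, proto, port, dst_ip, automatic_order=True):
    # Automatic mode: most specific first, ties keep list order (an assumed
    # tie-break). Manual mode: the list order is the evaluation order.
    ordered = sorted(policies, key=specificity, reverse=True) if automatic_order else policies
    for pol in ordered:
        if matches(pol, proto, port, dst_ip):
            return pol["name"]
    return None

# Constructed scenario: a custom inbound HTTPS policy listed above the SSLVPN
# policy is just as specific, so it captures the SSL VPN listener port.
FIREBOX_EXTERNAL = "203.0.113.2"
CUSTOM_HTTPS = policy("Custom-HTTPS", "tcp", {443}, ["Firebox"])
SSLVPN = policy("WatchGuard SSLVPN", "tcp", {443}, ["Firebox"])
# Option 1: list the primary and backup addresses explicitly in the To list.
SSLVPN_OPT1 = policy("WatchGuard SSLVPN", "tcp", {443}, ["203.0.113.2/32", "198.51.100.2/32"])
# Option 2: move the listener to TCP 444; the SSLVPN policy follows the port.
SSLVPN_OPT2 = policy("WatchGuard SSLVPN", "tcp", {444}, ["Firebox"])
```

Running first_match with the original pair returns Custom-HTTPS for TCP 443 to the Firebox, while either option makes the WatchGuard SSLVPN policy win; in manual order, only the list position decides.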
About Mobile VPN with SSL Policies