Mobile VPN with SSL Client Cannot Write to the APPDATA Directory

Applies To: Cloud-managed Fireboxes This topic applies to Fireboxes you configure in WatchGuard Cloud., Locally-managed Fireboxes This topic applies to Fireboxes you configure in Policy Manager or Fireware Web UI.

When a Windows environment uses Roaming User Profiles or redirects the %APPDATA%\Roaming directory to a network location, such as a file share, the Mobile VPN with SSL client cannot create or modify the configuration files it requires. Because the client must write to these files at startup and initialization of the VPN connection, any restriction on write access prevents successful tunnel creation. As a result, Mobile VPN with SSL connection attempts fail, often before authentication or negotiation begins.

Symptoms

When the Mobile VPN with SSL client cannot write to the Roaming directory, you might experience these symptoms:

• The C:\Users\<username>\AppData\Roaming\WatchGuard\Mobile VPN directory is missing or empty.
• The Mobile VPN with SSL client displays this log message:
  SSL VPN Error: connect() failed. ret = -1 errno=10061
• Users who do not use a roaming profile can connect without issue.

Diagnostic Steps

On the affected computer:

• Verify that the affected user uses a local user profile and does not use Roaming User Profiles or folder redirection for %APPDATA%\Roaming. For example: C:\Users\<username>\AppData\Roaming
  • To verify, open a Command Prompt and run: echo %APPDATA%
  • If the output starts with C:\Users\, this is a local user profile.
  • If the output starts with \\, this is a network location.

Possible Causes and Solutions

Possible Cause	Solution
Folder redirection or a Roaming User Profile policy prevents write access to: %APPDATA%\Roaming	Extract and use the OpenVPN SSL VPN client configuration from the support.tgz file and use those files to connect with the Mobile VPN with SSL client. For more information, go to Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File. For more information about roaming user profiles, go to Deploy Roaming User Profiles (external link).

Related Log Messages

When the Mobile VPN with SSL client cannot create the necessary configuration files, you might receive client log messages similar to:

• “Failed to create directory under %APPDATA%\Roaming.”
• “Cannot write configuration file: access denied.”
• “Profile path resolves to remote share; write failed.”

Related Topics

About Mobile VPN with SSL

Troubleshoot Mobile VPN with SSL