Firebox Security Services or Default Packet Handling Denies Mobile VPN with SSL Traffic

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When a user tries to connect to Mobile VPN with SSL, the Firebox evaluates the incoming traffic against security services, default packet handling settings, and firewall policies. If the Firebox denies the traffic before it is allowed by the WatchGuard SSLVPN policy, the connection attempt fails even though the traffic reaches the Firebox.

Symptoms

When the Firebox denies Mobile VPN with SSL traffic based on security services or default packet handling settings, you might notice these symptoms:

  • VPN connection attempts fail immediately.
  • Other users might or might not be affected, based on region, traffic rate, or policy settings.
  • Firebox log messages show Deny entries for the public IP address of the client device.
  • Firebox log messages show one or more of the following Deny reasons:
    • geolocation
    • blocked sites
    • ddos client
    • ddos server
  • Deny log messages appear for unhandled packets. For example: 2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"
  • No log messages appear for the WatchGuard SSLVPN policy at the time of connection attempts.
  • Deny log messages appear for a policy other than the WatchGuard SSLVPN policy at the time of connection attempts.

Diagnostic Steps

  1. Reproduce the issue and filter the Firebox log messages by the public IP address of the client device.
  2. Review the Deny log messages and examine the Deny reasons.
    • If the Deny reason is geolocation, identify the blocked region or IP address.
    • If the Deny reason is blocked sites, review the Blocked Sites list and identify the block reason.
    • If the Deny reason is ddos client or ddos server, review the Distributed Denial-of-Service (DDoS) thresholds in the Firebox default packet handling settings.
    • If the Deny reason is Unhandled, determine if another policy captured the traffic.
  3. Review the WatchGuard SSLVPN policy configuration. Verify that:
    1. The policy is enabled.
    2. The policy is in an appropriate position in the policy list.
    3. The policy allows traffic from the public IP address of the client device.
    4. The policy allows traffic to the primary and backup IP addresses or domains configured for Mobile VPN with SSL.
  4. In the Firebox default packet handling settings, review the DDoS Per Client Quota and Per Server Quota thresholds and determine whether the Mobile VPN with SSL traffic could exceed the configured thresholds.
  5. Determine whether affected users share a common:
    • Geographic region
    • ISP or carrier
    • Connection pattern or frequency
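Diagnostic steps 1 and 2 (filter the log messages by the client's public IP address, then read the Deny reasons) can be scripted against exported Firebox log messages. The following is an added example, not WatchGuard code: it parses the field layout of the sample Deny line shown under Symptoms, and the keyword matching for the geolocation, blocked sites and DDoS reasons, together with every sample line except the article's own, is a constructed assumption about how those reasons appear in the log text.

```python
import re
from collections import Counter

# Deny reason categories the article lists, matched as keywords in the log text.
KEYWORD_REASONS = ("geolocation", "blocked sites", "ddos client", "ddos server")

# Field layout taken from the article's sample Deny entry:
# <date> <time> <action> <src> <dst> <dport>/<proto> <sport> <dport> <in_if> <out_if> <result> <len> <ttl> (<policy>) key="value" ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dport>\d+)/(?P<proto>\w+) (?P<sport>\d+) \d+ (?P<in_if>\S+) (?P<out_if>\S+) "
    r"(?P<result>\S+) \d+ \d+ \((?P<policy>[^)]*)\)(?P<rest>.*)$"
)

def parse_line(line):
    """Return the fields of a traffic log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def deny_reason(entry):
    """Classify a Deny entry into one of the article's Deny reason categories."""
    text = (entry["policy"] + entry["rest"]).lower()
    for reason in KEYWORD_REASONS:
        if reason in text:
            return reason
    if entry["policy"].lower().startswith("unhandled"):
        return "unhandled"
    return "other policy: " + entry["policy"]  # symptom: a policy other than WatchGuard SSLVPN

def triage(lines, client_ip):
    """Keep lines from the client's public IP; return (Counter of Deny reasons, SSLVPN policy seen)."""
    reasons = Counter()
    sslvpn_seen = False
    for line in lines:
        e = parse_line(line)
        if e is None or e["src"] != client_ip:
            continue
        if e["policy"] == "WatchGuard SSLVPN":
            sslvpn_seen = True
        if e["action"] == "Deny":
            reasons[deny_reason(e)] += 1
    return reasons, sslvpn_seen

# Constructed sample lines (not from a real Firebox); the first is the article's own example.
SAMPLE_LOG = [
    '2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"',
    '2022-09-29 09:41:33 Deny 192.0.2.99 203.0.113.250 443/tcp 31070 443 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" msg="blocked sites"',
    '2022-09-29 09:41:35 Deny 192.0.2.99 203.0.113.250 443/tcp 31071 443 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" msg="ddos client"',
    '2022-09-29 09:41:40 Allow 198.51.100.7 203.0.113.250 443/tcp 40001 443 External1 Firebox Allowed 52 51 (WatchGuard SSLVPN) proc_id="firewall" rc="100"',
]
```

An empty Counter together with `sslvpn_seen == False` for the affected client matches the symptom that no WatchGuard SSLVPN log messages appear at all, which points at a policy that never captures the traffic rather than a security service.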

Possible Causes and Solutions

Possible Cause: Geolocation settings block the source country or region of the user.

Solution: Add an exception for the public IP address of the client device or unblock the required region. For more information, go to:

  • Configure Exceptions
    • Locally-Managed: Configure Geolocation Exceptions
    • Cloud-Managed: Add Exceptions on a Cloud-Managed Firebox
  • Configure Geolocation
    • Locally-Managed: Configure Geolocation
    • Cloud-Managed: Add Geolocation Actions in WatchGuard Cloud

Possible Cause: The public IP address of the client is on the Blocked Sites list.

Solution: Review the Blocked Sites list and identify the block reason. For connection issues, the reason is usually a default packet handling setting, the Block Failed Logins feature, or the Intrusion Prevention Service (IPS).

You can add an exception for the public IP address of the client or modify the settings that added the IP address to the Blocked Sites list. For more information, go to:

  • Configure Exceptions
    • Locally-Managed: Create Blocked Sites Exceptions
    • Cloud-Managed: Add Exceptions on a Cloud-Managed Firebox
  • Configure Default Packet Handling Settings
    • Locally-Managed: About Default Packet Handling Options
    • Cloud-Managed: Configure Default Packet Handling on a Cloud-Managed Firebox
  • Configure Block Failed Logins Feature
    • Locally-Managed: Set Global Firewall Authentication Values
    • Cloud-Managed: Configure Block Failed Login Attempts

Possible Cause: DDoS thresholds in the default packet handling settings cause the Firebox to deny Mobile VPN with SSL traffic.

Solution: In the default packet handling settings, set the Per Server Quota and Per Client Quota thresholds to the default value of 100. If the thresholds are already configured with the default value, increase the value in increments of 100 until the Firebox allows Mobile VPN with SSL connections.

If necessary, you can temporarily disable the DDoS settings while you test and then re-enable them with tuned values.

For more information, go to:

  • Locally-Managed: About Distributed Denial-of-Service Attacks
  • Cloud-Managed: Configure Default Packet Handling on a Cloud-Managed Firebox

Possible Cause: The WatchGuard SSLVPN policy does not capture Mobile VPN with SSL traffic.

Solution: Make sure the WatchGuard SSLVPN policy is enabled and configured correctly. For more information, go to Missing, Disabled, or Misconfigured WatchGuard SSLVPN Policy.

Make sure that the WatchGuard SSLVPN policy is evaluated before broader inbound policies. For more information, go to Mobile VPN with SSL Traffic Matches the Wrong Policy.

Related Topics

About Mobile VPN with SSL Policies

Troubleshoot Mobile VPN with SSL

About Mobile VPN with SSL