Windows 7 VPN Blocked at Watchguard

jhaffner
Environment: Watchguard Firebox x700 running firebox release "pandora" (Driver version 7.5.0 B2063)

Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)

Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."

Log snippet from VPN client:

5/16/2011 8:40:08 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AM IPSec: Start building connection
5/16/2011 8:40:13 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries

End snippet

Firewall log shows my user's IP being blocked:

User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)

Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a windows 7 client.
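As an added triage example (not code from the question, from the answers, or from WatchGuard), the Python below parses the two log formats quoted above: the Firebox `firewalld` deny lines with the kernel "Temporarily blocking host" line, and the Mobile VPN client's IKE phase-1 lines. It groups denies per source, checks that every port is in range (the trailing number on the blocking line is not a port, which is exactly the confusion that comes up later in this thread), notes whether any denied packet was actually on the IKE ports UDP 500/4500, and pairs that with what the client saw. The meaning of the numeric fields after `deny in eth0` (total length, protocol, IP header length, TTL) is an assumption read off the sample; the sample logs are constructed with documentation addresses.

```python
import re
from collections import Counter, defaultdict

IKE_PORTS = {500, 4500}  # ISAKMP (IKE) and NAT-T: the UDP ports an IPsec Mobile VPN client talks to
MAX_PORT = 65535

# Firebox deny line. Field order after "deny in <iface>" is an ASSUMPTION from the sample:
# total length, protocol, IP header length, TTL, src, dst, src port, dst port, (rule).
DENY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\] deny (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\S+) (?P<hlen>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) \((?P<reason>[^)]*)\)$"
)
BLOCK_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) kernel Temporarily blocking host (?P<host>\S+) (?P<tail>\d+)$"
)
# Mobile VPN client line; tolerates the missing space after AM/PM seen in pasted logs.
CLIENT_RE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s*(?P<msg>.*)$")

# Constructed samples in the format quoted in the question (documentation addresses).
FIREWALL_LOG = """\
05/16/11 10:11:18 kernel Temporarily blocking host 203.0.113.10 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38473 53917 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 203.0.113.10 198.51.100.1 38474 53999 (blocked site)
"""
CLIENT_LOG = """\
5/16/2011 8:40:13 AM IPSec: Start building connection
5/16/2011 8:40:13 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=198.51.100.1 : jsmith
5/16/2011 8:40:13 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
"""


def parse_firewall_log(text):
    """Return ({auto-blocked host: trailing number}, [deny records with int fields])."""
    auto_blocks, denies = {}, []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            auto_blocks[m["host"]] = int(m["tail"])
            continue
        m = DENY_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in ("length", "hlen", "ttl", "sport", "dport"):
                rec[k] = int(rec[k])
            denies.append(rec)
    return auto_blocks, denies


def summarize_by_source(denies):
    """Per source IP: deny count, rule reasons, destination ports, and any port outside 0..65535."""
    per_src = defaultdict(lambda: {"count": 0, "reasons": Counter(), "dports": set(), "bad_ports": []})
    for d in denies:
        s = per_src[d["src"]]
        s["count"] += 1
        s["reasons"][d["reason"]] += 1
        s["dports"].add(d["dport"])
        s["bad_ports"] += [p for p in (d["sport"], d["dport"]) if not 0 <= p <= MAX_PORT]
    return dict(per_src)


def parse_client_log(text):
    """Pull the IKE phase-1 facts (mode, gateway, outcome) out of the Mobile VPN client log."""
    info = {"mode": None, "gateway": None, "phase1_no_response": False, "retry_timeout": False}
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        gm = re.search(r"Outgoing connect request (\w+) mode - gateway=(\S+)", m["msg"])
        if gm:
            info["mode"], info["gateway"] = gm.group(1), gm.group(2)
        if "Could not contact Gateway (No response)" in m["msg"] and "Wait for Message 2" in m["msg"]:
            info["phase1_no_response"] = True
        if "retry timeout - max retries" in m["msg"]:
            info["retry_timeout"] = True
    return info


def triage(firewall_text, client_text):
    """Combine both logs into plain-language findings for the firewall admin."""
    auto_blocks, denies = parse_firewall_log(firewall_text)
    per_src = summarize_by_source(denies)
    client = parse_client_log(client_text)
    findings = []
    for host, tail in auto_blocks.items():
        note = f"{host}: temporarily auto-blocked"
        if tail > MAX_PORT:  # the trailing number on the kernel line is not a port
            note += f" (trailing value {tail} cannot be a port: ports stop at {MAX_PORT})"
        findings.append(note)
        s = per_src.get(host)
        if s is None:
            continue
        trigger = next((d["reason"] for d in denies if d["src"] == host and d["reason"] != "blocked site"), None)
        findings.append(f"{host}: {s['count']} denied packets; first denied by rule '{trigger}', "
                        f"then {s['reasons']['blocked site']} more while on the blocked-site list")
        if s["bad_ports"]:
            findings.append(f"{host}: out-of-range ports in deny lines: {s['bad_ports']}")
        if not s["dports"] & IKE_PORTS:
            findings.append(f"{host}: no denied packet was to UDP 500/4500, so these deny lines are not "
                            "the Firebox dropping IKE; it logs no IKE drops for this host at all")
    if client["phase1_no_response"]:
        findings.append(f"client: IKE phase 1 ({client['mode']} mode) to {client['gateway']} sent Message 1 "
                        "and never got Message 2; the gateway policy must use the same mode, and if the "
                        "Firebox shows no IKE traffic from this host, check the client's upstream network")
    return findings


if __name__ == "__main__":
    for f in triage(FIREWALL_LOG, CLIENT_LOG):
        print("-", f)
```

Run it as-is to see the findings for the constructed sample, or replace `FIREWALL_LOG` and `CLIENT_LOG` with pasted logs. The useful observation it surfaces is that the deny lines in the question are on high UDP ports, not IKE, and that the Firebox's deny log alone cannot show whether Message 1 ever arrived, which is why the answers below ask for debug logging on the firewall itself.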

You may need to run in XP mode. At least that's how we run our VPNs.

Author

Commented:
Thanks, I've never heard of XP mode until now. (Obviously Windows is not my area of expertise).

Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.

I'll keep the option in my back pocket.
If you don't have the resources, a VM is probably not a good idea.

Please provide the log before "temp. blocking client"; we need to check why it blocks the clients.

Author

Commented:
It is being blocked by the default rule as it is trying to contact the firewall on port 581498. The first line shown is the first indication in the log that there's a problem.
How is that even possible?
581498... there are only 65000 and something ports...

Author

Commented:
Sorry. My mistake on the port number. However, the lines shown are the first time the IP address shows up in the Watchguard log.
Can you enable debug logging on the VPN?
In System Manager --> Setup --> Logging, choose VPN and set it to Debug.
Then, when you try to connect, view the debug logs and paste them here, please.

Author

Commented:
Can do, but it may be a day or two, as the user is remote.
OK, no problem.

Author

Commented:
I did not see an option for debug logging.

Here is the log from the VPN from a connection attempt this morning:

5/31/2011 8:48:31 AM System: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM System: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM Firewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AM WLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AM System: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM WpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AM IPSec: Start building connection
5/31/2011 8:51:05 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AM IPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AM System: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AM IPSec: Start building connection
5/31/2011 8:52:52 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AM IPSec: Disconnected from jsmith on channel 1.
I'm sorry, but I need the debug logs from the firewall, not from the client connecting...
You need to set the debug on the WG, not the client.

But just one question: is the IPsec policy on the WG set to aggressive mode and not main?
In case you didn't adjust this manually, it is in main mode by default.
Commented:
Finally have a resolution to this problem. The end user's home network was blocking IPsec connections. When tested at a coffee shop, the VPN connection came right up.

Problem solved. Thanks to all who contributed.

Author

Commented:
Problem was not with the Watchguard at all. End user's network was blocking IPsec packets.
