Asked by jhaffner (United States)

Windows 7 VPN Blocked at Watchguard

Environment: Watchguard Firebox x700 running firebox release "pandora" (Driver version 7.5.0 B2063)

Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)

Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."

Log snippet from VPN client:

5/16/2011 8:40:08 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AM IPSec: Start building connection
5/16/2011 8:40:13 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries

End snippet

Firewall log shows my user's IP being blocked:

User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)

Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a windows 7 client.
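The firewall snippet in the question is worth reading field by field: every denied packet is UDP from source port 38473/38474 to destination ports in the 539xx range, not to UDP 500 (IKE) or UDP 4500 (NAT-T), so the "blocked site" entries are not the client's IKE traffic even though they come from the client's address. The parser below is an added example written for this page, not code from the thread or from WatchGuard. It walks log lines in this layout, flags which denies would actually be IKE, and reports whether a temporary block explains an IKE timeout. The sample lines are constructed to mirror the snippet, with RFC 5737 documentation addresses in place of the yy/xx placeholders; the field order (packet length, protocol, header length, TTL, source, destination, source port, destination port, rule) is my reading of the Firebox format, and the trailing number on the "Temporarily blocking host" line is kept as an opaque token.

```python
"""Classify WatchGuard Firebox firewalld deny lines per source host.

Added example for this page, not from the thread. SAMPLE_LOG is constructed
to match the format of the question's snippet; the field layout assumed in
DENY_RE is my interpretation of that format.
"""
import re
from collections import defaultdict

# IKE runs on UDP/500; NAT-traversal encapsulation on UDP/4500.
IKE_PORTS = {500, 4500}

DENY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\] deny (?P<dir>in|out) "
    r"(?P<iface>\S+) (?P<len>\d+) (?P<proto>\w+) (?P<hlen>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) \((?P<reason>[^)]*)\)$"
)
BLOCK_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) kernel Temporarily blocking host "
    r"(?P<host>\S+)(?: (?P<extra>\S+))?$"
)

# Constructed sample: 198.51.100.7 stands in for the client, 203.0.113.1 for the Firebox.
SAMPLE_LOG = """\
05/16/11 10:11:18 kernel Temporarily blocking host 198.51.100.7 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 198.51.100.7 203.0.113.1 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 198.51.100.7 203.0.113.1 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 198.51.100.7 203.0.113.1 38473 53918 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 198.51.100.7 203.0.113.1 38474 53999 (blocked site)
"""


def parse_line(line):
    """Return a dict describing a block or deny event, or None for other lines."""
    m = BLOCK_RE.match(line)
    if m:
        return {"kind": "block", "host": m["host"], "time": m["time"], "extra": m["extra"]}
    m = DENY_RE.match(line)
    if m:
        rec = m.groupdict()
        for key in ("len", "hlen", "ttl", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["kind"] = "deny"
        # Only UDP to 500/4500 could be the IKE exchange the VPN client is waiting on.
        rec["ike"] = rec["proto"] == "udp" and rec["dport"] in IKE_PORTS
        return rec
    return None


def summarize(text):
    """Aggregate block and deny events per source host."""
    hosts = defaultdict(lambda: {"blocked": False, "denied": 0, "ike_denied": 0, "reasons": set()})
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["kind"] == "block":
            hosts[rec["host"]]["blocked"] = True
        else:
            h = hosts[rec["src"]]
            h["denied"] += 1
            h["reasons"].add(rec["reason"])
            if rec["ike"]:
                h["ike_denied"] += 1
    return dict(hosts)


def assess(summary, host):
    """One-line verdict on whether the firewall log explains an IKE timeout for host."""
    h = summary.get(host)
    if h is None:
        return "no entries for host: its packets never reached the firewall's log"
    if h["ike_denied"]:
        return "IKE (UDP 500/4500) from host was denied: check the policy and the blocked-sites list"
    if h["blocked"]:
        return ("host is on the temporary blocked-sites list, but no IKE packets were denied: "
                "the block does not explain the IKE timeout")
    return "only non-IKE denies for host: unrelated to the VPN"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, h in summary.items():
        print(host, h["denied"], "denied,", h["ike_denied"], "IKE,", sorted(h["reasons"]))
        print(assess(summary, host))
```

Run over the constructed sample the verdict is that the temporary block is real but does not touch UDP 500/4500, which is consistent with where the thread ends up: the Firebox never saw the IKE packets at all.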

SOLUTION by Randy Downs (United States)
(answer text not included on this page)
ASKER (jhaffner)

Thanks, I've never heard of XP mode until now. (Obviously Windows is not my area of expertise).

Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.

I'll keep the option in my back pocket.
If you don't have the resources, a VM is probably not a good idea.
SOLUTION
(answer text not included on this page)
It is being blocked by the default rule as it is trying to contact the firewall on port 581498. The first line shown is the first indication in the log that there's a problem.
How is that even possible?
581498... there are only 65000 and something ports...
Sorry. My mistake on the port number. However, the lines shown are the first time the IP address shows up in the WatchGuard log.
Can you enable debug logging on the VPN?
In System Manager --> Setup --> Logging choose VPN and set it to debug.
Then when you try to connect, view the debug logs and paste them here please.
Can do, but it may be a day or two, as the user is remote.
OK, no problem.
I did not see an option for debug logging.

Here is the log from the VPN from a connection attempt this morning:

5/31/2011 8:48:31 AM System: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM System: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM Firewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AM WLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AM System: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM WpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AM IPSec: Start building connection
5/31/2011 8:51:05 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AM IPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AM System: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AM IPSec: Start building connection
5/31/2011 8:52:52 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AM IPSec: Disconnected from jsmith on channel 1.
I'm sorry, but I need the debug logs from the firewall, not the client connecting...
You need to set the debug on the WG, not the client.

But just one question: is the IPsec policy on the WG set to aggressive mode and not main?
In case you didn't adjust this manually, it is in main mode by default.
ASKER CERTIFIED SOLUTION
(answer text not included on this page)
Problem was not with the WatchGuard at all. End user's network was blocking IPsec packets.
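The thread ends with the real cause: the end user's network dropped the IPsec traffic before it reached the Firebox, so the gateway never saw the client's first aggressive-mode message and the client timed out in "Wait for Message 2". A capture taken on the gateway's external interface settles this faster than debug logging: either message 1 arrives and goes unanswered (a policy problem on the Firebox, such as the aggressive-versus-main question raised above) or it never arrives at all (dropped upstream). The decoder below is an added example for this page, not code from the thread or from WatchGuard. It reads ISAKMP headers out of UDP/500 or UDP/4500 payloads, names the exchange type (aggressive mode is type 4, main mode is type 2, per RFC 2408), and returns one of three verdicts. The packets are constructed with build_header() and the client and gateway addresses are placeholders.

```python
"""Decode ISAKMP (IKEv1) headers from UDP/500 or UDP/4500 payloads captured
at the gateway and say where the phase 1 exchange was lost.

Added example for this page; not code from the thread or from WatchGuard.
The packets in __main__ and in the tests are constructed with build_header();
the client and gateway addresses are placeholders.
"""
import struct

# RFC 2408 section 3.1: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, length -> 28 bytes, big-endian.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8
NEXT_PAYLOAD_SA = 1
EXCHANGE_TYPES = {1: "base", 2: "main (identity protection)", 3: "auth only",
                  4: "aggressive", 5: "informational"}


def build_header(initiator, responder=ZERO_COOKIE, exchange=4,
                 length=ISAKMP_HDR.size, msg_id=0, next_payload=NEXT_PAYLOAD_SA):
    """Pack a header; version byte 0x10 is IKEv1 (major 1, minor 0)."""
    return ISAKMP_HDR.pack(initiator, responder, next_payload, 0x10,
                           exchange, 0, msg_id, length)


def parse_header(payload, dport=500):
    """Return the decoded header, or None if the payload is too short.
    On UDP/4500 a 4-byte zero non-ESP marker precedes the ISAKMP header."""
    if dport == 4500 and payload[:4] == b"\x00\x00\x00\x00":
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, npay, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "icookie": icookie,
        "rcookie": rcookie,
        "next_payload": npay,
        "version": (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
        "flags": flags,
        "msg_id": msg_id,
        "length": length,
        # The initiator's first message carries an all-zero responder cookie;
        # anything the gateway sends back has its own cookie filled in.
        "is_first_message": rcookie == ZERO_COOKIE,
    }


def diagnose(packets, client, gateway):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) captured
    on the gateway's external interface. Returns a one-line verdict."""
    sent, answered = {}, set()
    for src, dst, dport, payload in packets:
        hdr = parse_header(payload, dport)
        if hdr is None:
            continue
        if src == client and dst == gateway and hdr["is_first_message"]:
            sent[hdr["icookie"]] = hdr["exchange"]
        elif src == gateway and dst == client and not hdr["is_first_message"]:
            answered.add(hdr["icookie"])
    if not sent:
        return ("no IKE message 1 from %s reached the gateway: the packets are being "
                "dropped upstream (client network or ISP), not by the Firebox" % client)
    unanswered = [c for c in sent if c not in answered]
    if unanswered:
        modes = ", ".join(sorted({sent[c] for c in unanswered}))
        return ("gateway saw message 1 (%s) but sent no message 2: check the Firebox "
                "policy (negotiation mode, peer ID, blocked-sites list)" % modes)
    return ("gateway answered: message 2 was sent, so any loss is on the return "
            "path or at the client")


if __name__ == "__main__":
    CLIENT, GW = "198.51.100.7", "203.0.113.1"      # placeholders
    cookie = bytes(range(8))
    msg1 = build_header(cookie, exchange=4, length=200)
    msg2 = build_header(cookie, responder=bytes(range(8, 16)), exchange=4, length=300)
    print(parse_header(msg1)["exchange"], parse_header(msg1)["is_first_message"])
    print(diagnose([], CLIENT, GW))
    print(diagnose([(CLIENT, GW, 500, msg1)], CLIENT, GW))
    print(diagnose([(CLIENT, GW, 500, msg1), (GW, CLIENT, 500, msg2)], CLIENT, GW))
```

Feeding it the UDP payloads from a capture filtered to port 500 or 4500 on the gateway's external interface gives the same three-way split the thread needed; the first verdict is the one that matched this case.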