This course teaches how to install and configure Windows Server 2012 R2. It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).
Windows 7 VPN Blocked at Watchguard
Environment: Watchguard Firebox x700 running firebox release "pandora" (Driver version 7.5.0 B2063)
Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)
Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."
Log snippet from VPN client:
5/16/2011 8:40:08 AMMONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AMMONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AMIPSec: Start building connection
5/16/2011 8:40:13 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
End snippet
Firewall log shows my user's IP being blocked:
User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a windows 7 client.
Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)
Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."
Log snippet from VPN client:
5/16/2011 8:40:08 AMMONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AMMONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AMIPSec: Start building connection
5/16/2011 8:40:13 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
End snippet
Firewall log shows my user's IP being blocked:
User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a windows 7 client.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Thanks, I've never heard of XP mode until now. (Obviously Windows is not my area of expertise).
Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.
I'll keep the option in my back pocket.
Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.
I'll keep the option in my back pocket.
It is being blocked by the default rule as it is trying to contact the firewall on port 581498. The first line shown is the first indication in the log that there's a problem.
Sorry. My mistake on the port number. However, The lines shown are the first time the IP address shows up in the Watchguard log.
can you enable debug logging on vpn?
in system manager -->setup-->logging choose vpn and set it to debug.
then when you try and connect view the debug logs and paste here please
in system manager -->setup-->logging choose vpn and set it to debug.
then when you try and connect view the debug logs and paste here please
I did not see an option for debug logging.
Here is the log from the VPN from a connection attempt this morning:
5/31/2011 8:48:31 AMSystem: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AMSystem: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AMFirewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AMWLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AMWpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AMMONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AMMONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AMIPSec: Start building connection
5/31/2011 8:51:05 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AMIPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AMSystem: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AMIPSec: Start building connection
5/31/2011 8:52:52 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AMIPSec: Disconnected from jsmith on channel 1.
Here is the log from the VPN from a connection attempt this morning:
5/31/2011 8:48:31 AMSystem: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AMSystem: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AMFirewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AMWLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AMWpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AMSystem: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AMFirewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AMSystem: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AMSystem: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AMMONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AMMONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AMIPSec: Start building connection
5/31/2011 8:51:05 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AMIPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AMSystem: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AMIPSec: Start building connection
5/31/2011 8:52:52 AMIke: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AMIke: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AMERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AMIke: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AMIPSec: Disconnected from jsmith on channel 1.
i'm sorry but i need the debug logs from the firewall, not the client connecting...
you need to set the debug on the wg, not the client
but just one question is the ipsec policy on the wg set to agressive mode and not mail?
in case you didn't adjust this manually it is in main mode by deault
you need to set the debug on the wg, not the client
but just one question is the ipsec policy on the wg set to agressive mode and not mail?
in case you didn't adjust this manually it is in main mode by deault
Premium Content
You need an Expert Office subscription to comment.Start Free Trial