jhaffner
asked on
Windows 7 VPN Blocked at Watchguard
Environment: Watchguard Firebox x700 running firebox release "pandora" (Driver version 7.5.0 B2063)
Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)
Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."
Log snippet from VPN client:
5/16/2011 8:40:08 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AM IPSec: Start building connection
5/16/2011 8:40:13 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
End snippet
Firewall log shows my user's IP being blocked:
User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a windows 7 client.
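Added example (not part of the thread, and not WatchGuard's code): a small Python triage over firewall lines in the format posted above. The two IP addresses are constructed RFC 5737 placeholders standing in for the masked yy.yy.yy.yy and xx.xx.xx.xx; the two numeric fields after the protocol are carried through unparsed because the page does not say what they are. The script groups the client's denied packets by the reason in parentheses, lists the destination ports they were aimed at, and checks whether any of those are the ports an IPsec VPN client actually sends IKE to (UDP 500, or UDP 4500 when NAT-T is in use), which is the first thing to establish before blaming the "blocked site" rule.

```python
import re
from collections import Counter

# Constructed sample in the layout of the firewall lines posted in the question.
# 203.0.113.10 stands in for the user's address, 198.51.100.1 for the Firebox.
SAMPLE_LOG = """\
05/16/11 10:11:18 kernel Temporarily blocking host 203.0.113.10 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 203.0.113.10 198.51.100.1 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 203.0.113.10 198.51.100.1 38474 53999 (blocked site)
"""

# Destination ports an IKE/IPsec client uses: 500 for ISAKMP, 4500 for NAT-T (RFC 3947).
IKE_PORTS = {500, 4500}

# Field order is taken from the posted lines: date time firewalld[pid] deny dir iface
# length proto <f1> <f2> src dst sport dport (reason). f1/f2 are kept but not interpreted
# (assumption: their meaning is not stated on the page).
DENY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewalld\[\d+\] deny (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\w+) (?P<f1>\d+) (?P<f2>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+) \((?P<reason>[^)]*)\)$"
)
BLOCK_RE = re.compile(r"^(?P<ts>\S+ \S+) kernel Temporarily blocking host (?P<host>[\d.]+)")


def parse_log(text):
    """Return (deny records, hosts the auto-block feature temporarily blocked)."""
    denies, autoblocked = [], []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("length", "sport", "dport"):
                rec[key] = int(rec[key])
            denies.append(rec)
            continue
        m = BLOCK_RE.match(line)
        if m:
            autoblocked.append(m.group("host"))
    return denies, autoblocked


def triage(text, client_ip, gateway_ip):
    """Summarise what the firewall dropped from one client towards the gateway."""
    denies, autoblocked = parse_log(text)
    client = [d for d in denies if d["src"] == client_ip and d["dst"] == gateway_ip]
    dports = {d["dport"] for d in client}
    return {
        "client_denies": len(client),
        "reasons": dict(Counter(d["reason"] for d in client)),
        "dst_ports": sorted(dports),
        # Empty here: none of the dropped packets were aimed at an IKE port, so these
        # lines do not show IKE traffic being blocked, whatever else they are.
        "ike_ports_seen": sorted(dports & IKE_PORTS),
        "autoblocked": client_ip in autoblocked,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "203.0.113.10", "198.51.100.1").items():
        print(f"{key}: {value}")
```

If `ike_ports_seen` is empty for the client's address while the VPN client reports "waiting for msg 2", the IKE packets are not reaching this interface at all, and the deny lines are a separate matter.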
if you don't have the resources a VM is probably not a good idea
ASKER
It is being blocked by the default rule as it is trying to contact the firewall on port 581498. The first line shown is the first indication in the log that there's a problem.
how is that even possible?
581498... there are only 65000 and something ports...
ASKER
Sorry. My mistake on the port number. However, The lines shown are the first time the IP address shows up in the Watchguard log.
can you enable debug logging on vpn?
in system manager -->setup-->logging choose vpn and set it to debug.
then when you try and connect view the debug logs and paste here please
ASKER
Can do, but it may be a day or two, as the user is remote.
ok no prob
ASKER
I did not see an option for debug logging.
Here is the log from the VPN from a connection attempt this morning:
5/31/2011 8:48:31 AM System: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM System: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM Firewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AM WLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AM System: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM WpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AM IPSec: Start building connection
5/31/2011 8:51:05 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AM IPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AM System: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AM IPSec: Start building connection
5/31/2011 8:52:52 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AM IPSec: Disconnected from jsmith on channel 1.
i'm sorry but i need the debug logs from the firewall, not the client connecting...
you need to set the debug on the wg, not the client
but just one question: is the ipsec policy on the wg set to aggressive mode and not main?
in case you didn't adjust this manually it is in main mode by default
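The main-versus-aggressive question above can be settled from the wire rather than from either side's log: capture UDP 500/4500 on the Firebox's external interface and look at the ISAKMP header of whatever arrives from the client's address. Added example, not from the thread and not WatchGuard's code: a Python classifier for one captured UDP payload using the fixed 28-byte ISAKMP header layout from RFC 2408 (shared by IKEv2, RFC 7296) and the RFC 3948 non-ESP marker on port 4500. The packets it runs on are constructed here to show what an aggressive-mode message 1 looks like beside a main-mode and an IKEv2 opener; the capture itself, and the hex you would paste in, are assumptions.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 section 3.1; IKEv2 keeps the same layout):
# initiator SPI (8), responder SPI (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4) = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

IKEV1_EXCHANGES = {
    1: "Base", 2: "Identity Protection (main mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group",
}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# On UDP 4500 IKE is prefixed with four zero bytes so it can share the port with ESP (RFC 3948).
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_ike(payload, udp_dport=500):
    """Name the IKE version and exchange type of one UDP payload captured on 500 or 4500."""
    data = payload
    if udp_dport == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return {"kind": "ESP-in-UDP (not IKE)"}
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "too short for an ISAKMP header"}
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    major = version >> 4
    if major == 1:
        exchange = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
    elif major == 2:
        exchange = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
    else:
        return {"kind": f"unknown ISAKMP major version {major}"}
    return {
        "kind": f"IKEv{major}",
        "exchange": exchange,
        # A zero responder SPI (cookie) means nobody has answered yet: this is the
        # initiator's opening message, i.e. "message 1" the client log is waiting past.
        "first_message": r_spi == bytes(8),
        "next_payload": next_payload,
        "message_id": msg_id,
        "declared_length": length,
        # Declared length larger than what was captured: snaplen too small or a cut packet.
        "truncated": length > len(data),
    }


def build_ike(i_spi, r_spi, exch, version=0x10, next_payload=1, flags=0, msg_id=0, body=b""):
    """Assemble a header plus opaque body; the length field covers both (constructed data)."""
    return ISAKMP_HDR.pack(i_spi, r_spi, next_payload, version, exch, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed samples, not captured traffic. Next payload 1 = SA (IKEv1), 33 = SA (IKEv2);
# IKEv2 flag 0x08 marks the initiator. The bodies are padding standing in for real payloads.
AGGRESSIVE_MSG1 = build_ike(b"\x11" * 8, bytes(8), exch=4, body=b"\x00" * 40)
MAIN_MSG1 = build_ike(b"\x22" * 8, bytes(8), exch=2, body=b"\x00" * 40)
IKEV2_SA_INIT = build_ike(b"\x33" * 8, bytes(8), exch=34, version=0x20,
                          next_payload=33, flags=0x08, body=b"\x00" * 40)
NATT_AGGRESSIVE = NON_ESP_MARKER + AGGRESSIVE_MSG1

if __name__ == "__main__":
    for name, pkt, port in [("aggressive", AGGRESSIVE_MSG1, 500), ("main", MAIN_MSG1, 500),
                            ("ikev2", IKEV2_SA_INIT, 500), ("nat-t aggressive", NATT_AGGRESSIVE, 4500)]:
        print(name, classify_ike(pkt, port))
```

If nothing from the client's address classifies as IKEv1 "Aggressive" with a zero responder cookie, the Firebox never received message 1, and the mode setting on the Firebox cannot be what is failing; that matches the asker's eventual finding that the packets were dropped upstream.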
ASKER
Problem was not with the Watchguard at all. End user's network was blocking IPsec packets.
ASKER
Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.
I'll keep the option in my back pocket.