jhaffner

Windows 7 VPN Blocked at Watchguard

Environment: Watchguard Firebox x700 running firebox release "pandora" (Driver version 7.5.0 B2063)

Client is running Windows 7 Home Premium with WatchGuard VPN client 10.10 (I think?)

Symptoms:
Client clicks the connect button on the VPN client. After a brief wait, client displays the message:
"Cannot connect to gateway (waiting for msg 2)."

Log snippet from VPN client:

5/16/2011 8:40:08 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/16/2011 8:40:08 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/16/2011 8:40:13 AM IPSec: Start building connection
5/16/2011 8:40:13 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/16/2011 8:40:13 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/16/2011 8:40:42 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/16/2011 8:40:42 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries

End snippet

Firewall log shows my user's IP being blocked:

User's IP is yy.yy.yy.yy. Firewall IP is xx.xx.xx.xx
05/16/11 10:11:18 kernel Temporarily blocking host yy.yy.yy.yy 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53917 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53918 (blocked site)
05/16/11 10:11:18 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38473 53915 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54001 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54000 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 52 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 54002 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 yy.yy.yy.yy xx.xx.xx.xx 38474 53999 (blocked site)

Glad to provide setup specs for VPN and/or firewall rules. First time I've run into this problem, but also the first time I've tried to set up with a Windows 7 client.
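The firewall log above is worth checking mechanically before blaming the Firebox. This is an added example, not code from the original post or from WatchGuard: it parses the legacy firewalld deny lines (field order assumed from the sample: action, direction, interface, length, protocol, header length, TTL, src, dst, sport, dport, reason), correlates them with the "Temporarily blocking host" event, and reports whether any denied packet was actually IKE (UDP 500/4500) or ESP/AH. The IPs are placeholders.

```python
import re

# Constructed sample in the shape of the question's log lines (placeholder IPs).
SAMPLE_LOG = """\
05/16/11 10:11:18 kernel Temporarily blocking host 198.51.100.23 581498
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 198.51.100.23 203.0.113.1 38473 53916 (default)
05/16/11 10:11:18 firewalld[132] deny in eth0 52 udp 20 115 198.51.100.23 203.0.113.1 38473 53917 (blocked site)
05/16/11 10:11:40 firewalld[132] deny in eth0 60 udp 20 115 198.51.100.23 203.0.113.1 38474 53999 (blocked site)
"""

# Assumed field order: action dir iface len proto hlen ttl src dst [sport dport] (reason)
DENY_RE = re.compile(
    r"firewalld\[\d+\] (?P<action>\w+) (?P<dir>in|out) (?P<iface>\S+) (?P<len>\d+) "
    r"(?P<proto>\w+) \d+ \d+ (?P<src>\S+) (?P<dst>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))? \((?P<reason>[^)]*)\)$"
)
BLOCK_RE = re.compile(r"kernel Temporarily blocking host (?P<host>\S+)")
IKE_PORTS = {500, 4500}        # IKE and NAT-T
IPSEC_PROTOS = {"esp", "ah"}   # bare IPsec carries no ports

def parse_deny(line):
    """Return a dict for a firewalld deny/allow line, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport"):
        e[k] = int(e[k]) if e[k] else None
    return e

def is_ipsec(e):
    """True if this packet belongs to an IKE or ESP/AH exchange."""
    if e["proto"] in IPSEC_PROTOS:
        return True
    return e["proto"] == "udp" and bool({e["sport"], e["dport"]} & IKE_PORTS)

def triage(log_text):
    """Correlate auto-block events with denies; say whether VPN traffic was hit."""
    blocked, denies = set(), []
    for line in log_text.splitlines():
        b = BLOCK_RE.search(line)
        if b:
            blocked.add(b.group("host"))
        elif (e := parse_deny(line)) and e["action"] == "deny":
            denies.append(e)
    vpn_hits = [e for e in denies if is_ipsec(e)]
    return {
        "auto_blocked": sorted(blocked),
        "denied": len(denies),
        "ipsec_denied": len(vpn_hits),
        "firebox_is_dropping_vpn": bool(vpn_hits),
    }
```

On the sample, every denied packet is high-port UDP rather than IKE or ESP, so the auto-block explains the deny entries but not the missing IKE message 2.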


SOLUTION
Randy Downs

jhaffner

ASKER
Thanks, I've never heard of XP mode until now. (Obviously Windows is not my area of expertise).

Having said that, I'd like to avoid burdening the user's feeble laptop with a VM if I can avoid it.

I'll keep the option in my back pocket.
Randy Downs

If you don't have the resources, a VM is probably not a good idea.
SOLUTION
setasoujiro

jhaffner

ASKER
It is being blocked by the default rule as it is trying to contact the firewall on port 581498. The first line shown is the first indication in the log that there's a problem.
setasoujiro

How is that even possible?
581498... there are only 65000 and something ports...
jhaffner

ASKER
Sorry. My mistake on the port number. However, the lines shown are the first time the IP address shows up in the Watchguard log.
setasoujiro

Can you enable debug logging on the VPN?
In System Manager --> Setup --> Logging, choose VPN and set it to debug.
Then, when you try to connect, view the debug logs and paste them here please.
jhaffner

ASKER
Can do, but it may be a day or two, as the user is remote.
setasoujiro

OK, no problem.
jhaffner

ASKER
I did not see an option for debug logging.

Here is the log from the VPN from a connection attempt this morning:

5/31/2011 8:48:31 AM System: LinkStatus Change - 1,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM System: Ip Address Change - 205,Atheros AR5007 802.11b/g WiFi Adapter
5/31/2011 8:48:31 AM Firewall: adapter Atheros AR5007 802.11b/g WiFi Adapter is outside the friendly net
5/31/2011 8:48:31 AM WLAN adapter <Atheros AR5007 802.11b/g WiFi Adapter> is connected with SSID <Joe Connection>
5/31/2011 8:48:31 AM System: Remove Adapter - index=202,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=201,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=204,name<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=203,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Remove Adapter - index=204,name=<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=202,name<NDISWAN>
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=203,name<NDISWAN>
5/31/2011 8:48:31 AM WpaOl: WPA <Atheros AR5007 802.11b/g WiFi Adapter> authentication failure ! - WPAPOL - admin close
5/31/2011 8:48:31 AM System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
5/31/2011 8:48:31 AM Firewall: FW configures adapter NDISWAN
5/31/2011 8:48:31 AM System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
5/31/2011 8:48:31 AM System: add adapter - index=205,name<NDISWAN>
5/31/2011 8:48:31 AM MONITOR: Installed - WatchGuard Mobile VPN 1010 Build 59 (910)
5/31/2011 8:48:31 AM MONITOR: Licensed - WatchGuard Mobile VPN 1010
5/31/2011 8:51:05 AM IPSec: Start building connection
5/31/2011 8:51:05 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:51:05 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:51:34 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:51:34 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:51:34 AM IPSec: Disconnected from jsmith on channel 1.
5/31/2011 8:52:02 AM System: Disconnect cause - Manual Disconnect.
5/31/2011 8:52:52 AM IPSec: Start building connection
5/31/2011 8:52:52 AM Ike: Outgoing connect request AGGRESSIVE mode - gateway=xx.xx.xx.xx : jsmith
5/31/2011 8:52:52 AM Ike: XMIT_MSG1_AGGRESSIVE - jsmith
5/31/2011 8:53:22 AM ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - jsmith.
5/31/2011 8:53:22 AM Ike: phase1:name(jsmith) - error - retry timeout - max retries
5/31/2011 8:53:22 AM IPSec: Disconnected from jsmith on channel 1.
setasoujiro

I'm sorry, but I need the debug logs from the firewall, not from the client connecting...
You need to set the debug on the WG, not the client.

But just one question: is the IPsec policy on the WG set to aggressive mode and not main?
In case you didn't adjust this manually, it is in main mode by default.
ASKER CERTIFIED SOLUTION
jhaffner

jhaffner

ASKER
Problem was not with the Watchguard at all. End user's network was blocking IPsec packets.