Watchguard Firewall SSLVPN

0

After running into some initial connection errors (which were resolved via Watchguard Firewall - Issues with SSLVPN), I'm able to accept the SSL certificate provided by the firewall and get further into the connection process / attempt.

However, I'm still unable to complete the connection, and I'm currently seeing the following in the client log:

2013-06-28T09:12:06.375 OVPN:>LOG:1372425126,,438 variation(s) on previous 20 message(s) suppressed by --mute
2013-06-28T09:12:06.377 OVPN:>LOG:1372425126,I,SIGTERM received, sending exit notification to peer
2013-06-28T09:12:06.379 OVPN:>LOG:1372425126,D,TIMER: coarse timer wakeup 1 seconds
2013-06-28T09:12:06.382 OVPN:>LOG:1372425126,D,TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=3492fe15 883900f2, stored-sid=00000000 00000000, stored-ip=184.174.143.176:443
2013-06-28T09:12:06.385 OVPN:>LOG:1372425126,D,TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
2013-06-28T09:12:06.388 OVPN:>LOG:1372425126,D,ACK reliable_can_send active=1 current=0 : [1] 0
2013-06-28T09:12:06.390 OVPN:>LOG:1372425126,D,ACK reliable_send_timeout 1 [1] 0
2013-06-28T09:12:06.392 OVPN:>LOG:1372425126,D,TLS: tls_process: timeout set to 1
2013-06-28T09:12:06.394 OVPN:>LOG:1372425126,D,TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=bc742126 a86ff11a, stored-sid=00000000 00000000, stored-ip=[undef]
2013-06-28T09:12:06.397 OVPN:>LOG:1372425126,D,TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
2013-06-28T09:12:06.399 OVPN:>LOG:1372425126,D,SENT OCC_EXIT
2013-06-28T09:12:06.402 OVPN:>LOG:1372425126,D,TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
2013-06-28T09:12:06.404 OVPN:>LOG:1372425126,D,RANDOM USEC=230951
2013-06-28T09:12:06.407 OVPN:>LOG:1372425126,D,WE_CTL n=0 ev=0x004ccf2c rwflags=0x0001 arg=0x004775e4
2013-06-28T09:12:06.409 OVPN:>LOG:1372425126,D,WE_CTL n=1 ev=0x004c6f74 rwflags=0x0003 arg=0x004775f0
2013-06-28T09:12:06.411 OVPN:>LOG:1372425126,D,I/O WAIT T?|T?|SRQ|Sw1 [1/230951]
2013-06-28T09:12:06.414 OVPN:>LOG:1372425126,D,WE_WAIT enter n=3 to=1231
2013-06-28T09:12:06.416 OVPN:>LOG:1372425126,D,[0] ev=0x00000134 rwflags=0x0001 arg=0x004775e4
2013-06-28T09:12:06.419 OVPN:>LOG:1372425126,D,[1] ev=0x000000a0 rwflags=0x0002 arg=0x004775f0
2013-06-28T09:12:06.421 OVPN:>LOG:1372425126,D,[2] ev=0x0000011c rwflags=0x0001 arg=0x004775f0
2013-06-28T09:12:06.424 OVPN:>LOG:1372425126,D,WE_WAIT leave [1,0] rwflags=0x0002 arg=0x004775f0
2013-06-28T09:12:06.426 OVPN:>LOG:1372425126,D, event_wait returned 1
2013-06-28T09:12:06.428 OVPN:>LOG:1372425126,,NOTE: --mute triggered...

This was suggested in a comment in the earlier question (before I decided to break this out into a separate question):

The updated log looks like it's an issue with the ISATAP on the client. In the Watchguard System Manager, if you open up your policy manager -> VPN menu -> Mobile VPN -> SSL, verify the primary and/or backup Firebox IP addresses and the virtual IP address pool the clients use.

I've actually been using the Web GUI to configure the Firewall / setup the VPN (not the Watchguard System Manager, although I'm slowly becoming vaguely familiar with it).

I did check the Web GUI, and can confirm the IP address (for the primary Watchguard connection) is correct, as well as the virtual IP address pool (which is set to 10.1.10.176/28).

I have noticed that I'm unable to download the VPN client via the public IP address:4100/sslvpn.html (which I'm supposedly supposed to be able to do from the outside). That said, I pulled down the client & client config manually a couple of days ago using these instructions: http://www.watchguard.com/help/docs/wsm/11_XTM/en-US/Content/en-US/mvpn/ssl/mvpn_ssl_manual-distribution_c.html

Using those same instructions today, I updated the client config (just in case there were settings that have been changed) - so going through the System Manager, I pulled down the support files, uncompressed them, grabbed the sslvpn-client.wgssl file, and ran it on the client computer from an outside IP address trying to connect to the VPN.

I continue to get the error messages above.

Any additional thoughts on this?

vpn
watchguard
asked on Server Fault Jun 28, 2013 by David W • edited Apr 13, 2017 by Community
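The client log in the question is OpenVPN's real-time log format (each line is an ISO timestamp, then OVPN:>LOG:, then the epoch, a set of flag letters such as I or D, and the message). The tls_multi_process lines show how far each TLS key slot got: slot 0 never moved past S_PRE_START and its stored-sid stayed all zeros, which means the client sent its initial packet but never stored a session id from the server. The following is an added example, not code from the question, from WatchGuard or from OpenVPN: a small Python parser for these lines that tracks key slot 0 through the TLS state machine and turns the result into a one-line verdict. The sample lines are copied from the question's log; the state-name ordering follows OpenVPN's ssl_common.h, and the Diagnosis fields and verdict wording are my own.

```python
import re
from dataclasses import dataclass

# OpenVPN TLS key-slot states in the order a handshake passes through them
# (names as in OpenVPN's ssl_common.h). Anything at or beyond S_ACTIVE
# means the control-channel handshake completed.
TLS_STATE_ORDER = ["S_UNDEF", "S_INITIAL", "S_PRE_START", "S_START",
                   "S_SENT_KEY", "S_GOT_KEY", "S_ACTIVE", "S_NORMAL_OP"]
STATE_RANK = {name: i for i, name in enumerate(TLS_STATE_ORDER)}

# One client log line: <ISO timestamp> OVPN:>LOG:<epoch>,<flags>,<message>
# where <flags> is a possibly empty run of OpenVPN log-flag letters (I, D, W, ...).
LINE_RE = re.compile(r"^(?P<ts>\S+) OVPN:>LOG:(?P<epoch>\d+),(?P<flags>[A-Z]*),(?P<msg>.*)$")
# The per-key-slot state dump inside a tls_multi_process debug message.
STATE_RE = re.compile(
    r"tls_multi_process: i=(?P<slot>\d+) state=(?P<state>S_[A-Z_]+)"
    r".*?stored-sid=(?P<sid>[0-9a-f]{8} [0-9a-f]{8}).*?stored-ip=(?P<ip>\S+)")

# Sample input: five lines copied from the question's client log.
SAMPLE_LOG = """\
2013-06-28T09:12:06.377 OVPN:>LOG:1372425126,I,SIGTERM received, sending exit notification to peer
2013-06-28T09:12:06.382 OVPN:>LOG:1372425126,D,TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=3492fe15 883900f2, stored-sid=00000000 00000000, stored-ip=184.174.143.176:443
2013-06-28T09:12:06.394 OVPN:>LOG:1372425126,D,TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=bc742126 a86ff11a, stored-sid=00000000 00000000, stored-ip=[undef]
2013-06-28T09:12:06.402 OVPN:>LOG:1372425126,D,TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
2013-06-28T09:12:06.428 OVPN:>LOG:1372425126,,NOTE: --mute triggered...
"""


@dataclass
class LogEntry:
    timestamp: str
    epoch: int
    flags: str
    message: str


@dataclass
class Diagnosis:                 # hypothetical summary type, not an OpenVPN structure
    furthest_state: str          # highest TLS state key slot 0 reached
    peer: str                    # stored-ip of the remote, as host:port
    server_session_seen: bool    # a non-zero stored-sid means the server answered
    no_send_key: bool            # "no data channel send key available" was logged
    client_terminated: bool      # the client gave up (SIGTERM / exit notification)
    verdict: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse the OVPN:>LOG lines; lines in any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(LogEntry(m["ts"], int(m["epoch"]), m["flags"], m["msg"]))
    return entries


def diagnose(entries: list[LogEntry]) -> Diagnosis:
    """Reduce the TLS state dumps to a single verdict about the handshake."""
    furthest, peer = "S_UNDEF", "[undef]"
    server_sid = no_send_key = terminated = False
    for e in entries:
        m = STATE_RE.search(e.message)
        if m and m["slot"] == "0":          # slot 0 carries the active session
            # Unknown state names rank -1 and never replace a known one.
            if STATE_RANK.get(m["state"], -1) > STATE_RANK[furthest]:
                furthest = m["state"]
            if m["ip"] != "[undef]":
                peer = m["ip"]
            if m["sid"] != "00000000 00000000":
                server_sid = True
        if "no data channel send key available" in e.message:
            no_send_key = True
        if "SIGTERM received" in e.message:
            terminated = True

    if STATE_RANK[furthest] >= STATE_RANK["S_ACTIVE"]:
        verdict = f"TLS handshake completed (reached {furthest})"
    elif STATE_RANK[furthest] <= STATE_RANK["S_PRE_START"] and not server_sid:
        verdict = (f"no reply from {peer}: the client never got past {furthest} and "
                   "no server session id was stored; confirm the SSLVPN listener is "
                   "actually the service bound to that host:port")
    else:
        verdict = f"handshake started but did not complete (reached {furthest})"
    return Diagnosis(furthest, peer, server_sid, no_send_key, terminated, verdict)


if __name__ == "__main__":
    print(diagnose(parse_log(SAMPLE_LOG)).verdict)
```

Run against the question's lines this reports no reply from 184.174.143.176:443, which is the question to take to the firewall side: whatever answers on that host and port is not completing an OpenVPN-style handshake with the client.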

1 Answer

1

I realized that this question was still open, although I resolved it (with the original hardware vendor's help) a long time ago.

The issue was that I was trying to connect to the firewall (VPN) from outside the network on port 443 (SSL), which was already reserved on the firewall for something else (web traffic at one point was coming through for email purposes - later on down the road, I'll look into closing that down completely).

When we configured the firewall (and the VPN client) to communicate on port 444, it worked just fine.

answered on Server Fault Jan 31, 2014 by David W

User contributions licensed under CC BY-SA 3.0