To troubleshoot client authentication:

  1. Connect to the Firebox or XTM device.
  2. Review the configuration for Mobile VPN with SSL.
  3. Record the configured Primary and Backup IP addresses.
    The address can also be a domain name. If it is a domain name, confirm which IP address the domain name resolves to.
  4. Record the configured Configuration channel TCP port.
  5. In your web browser, type https://<ip-address>, where <ip-address> is the Primary IP address in the Mobile VPN with SSL configuration. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon. For example, if the Configuration channel is TCP port 444, in the browser type https://<ip-address>:444.
    • If the WatchGuard Authentication Portal page for your Firebox or XTM device appears, continue to Step 6.
    • If a page other than the WatchGuard Authentication Portal page appears, review your Firebox or XTM device configuration to identify why the traffic was forwarded to this location. Consider a change to the configured IP address for the VPN.
  6. On the WatchGuard Authentication Portal page, log in with client credentials. 
    If more than one type of authentication is configured, or if your authentication server is not the default option, select the authentication server from the drop-down list.
    • If user authentication succeeds, continue to Step 7.
    • If user authentication fails, verify the user credentials on the Firebox or XTM device, or the external authentication server. For users on an external authentication server, verify whether other users who use that server are able to log in. There may be a problem with authentication in general.
  7. In your web browser, type https://<ip-address>/sslvpn.html. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon. 
    For example, if the Configuration channel is TCP port 444, type https://<ip-address>:444/sslvpn.html.
    The WatchGuard Authentication Portal appears.
  8. Log in with the client credentials you used in Step 5.

If the user authentication fails on the Mobile VPN with SSL-specific authentication page, but the same credentials worked on the WatchGuard Authentication Portal page, the issue is almost certainly group membership. Confirm that the user is part of the configured group for Mobile VPN with SSL. By default, this group is SSLVPN-Users.