Troubleshooting
146
Firebox SSL VPN Gateway
Internal Failover
If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the
Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and
then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range
starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about
configuring IP pools, see “Enabling IP Pooling” on page 94.
Certificate Signing
There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway,
Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a
public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations
such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Services.
Certificates signed by a private CA are sometimes described as enterprise certificates or self-signed
certificates. In this context, the term self-signed certificate is not technically accurate; such certificates are
signed by the private CA. True self-signed certificates are not signed by any CA and are not supported
by the server components, because there is no CA to provide a root of trust. However, as described
above, certificates issued by a private CA are supported by the server components because the private
CA is the root of trust.
Certificate Revocation Lists
Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to
the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the
cRLDistributionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP.
The client certificate is checked against those CRLs.
Retrieving CRLs using LDAP is not supported.
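An added Go example (not WatchGuard's code) of the two points above: it constructs a private CA and a client certificate, picks out the HTTP cRLDistributionPoints URIs the gateway could fetch while setting aside an ldap:// URI it cannot use, and tells a true self-signed certificate from one issued by a private CA. The CA name and the URIs are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue signs a certificate carrying the given cRLDistributionPoints URIs: with
// parent == nil its own key signs it (true self-signed), else parentKey (private CA).
func issue(cn string, isCA bool, cdps []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, CRLDistributionPoints: cdps,
	}
	signer, issuer := key, tmpl // no CA behind it: the certificate signs itself
	if parent != nil {
		signer, issuer = parentKey, parent // the private CA is the root of trust
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// usableCRLPoints splits a client certificate's cRLDistributionPoints into the
// HTTP URIs the gateway can fetch and the rest (LDAP retrieval is unsupported).
func usableCRLPoints(cert *x509.Certificate) (httpURIs, unsupported []string) {
	for _, u := range cert.CRLDistributionPoints {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			httpURIs = append(httpURIs, u)
		} else {
			unsupported = append(unsupported, u)
		}
	}
	return httpURIs, unsupported
}
// trulySelfSigned reports whether the certificate verifies under its own key,
// i.e. no CA stands behind it; a private-CA-issued certificate returns false.
func trulySelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}
```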
Network Messages to Non-Existent IPs
If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL
VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as
network spamming.
To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway.
The Firebox SSL VPN Gateway Does Not Start and the Serial Console Is Blank
Verify that the following are correctly set up:
• The serial console is using the correct port and the physical and logical ports match
• The cable is a null-modem cable
• The COM settings in your serial communication software are set to 9600 bits per second, 8 data
bits, no parity, and 1 stop bit
The Administration Tool Is Inaccessible
If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the
Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL
VPN Gateway.