Need help with odd VPN behavior

I’m not as familiar with Watchguard products as I am with others, but we inherited a client using it. I found out yesterday that a user needs VPN for emergency travel, and they’re leaving Monday.

The people who ran this site before us were… not skilled. Looks like they just followed guides with no real clue what they were doing. Some stuff is configured like they were following a script in a Microsoft book from 2005. The VPN configuration never worked and was a complete shambles. They had two completely different services partially configured and fighting for ports. We got it up and running, and can connect from any system NOT joined to the domain.

However, the laptop we are setting up would not connect.

Thinking it was a Windows issue (it looked like a Windows 7 machine that was given an in-place upgrade to 1803), I reinstalled Windows from scratch, and the VPN worked perfectly. I was even able to domain-join the machine over VPN with no problems using the local user account I created when installing Windows. I logged in as the user (with VPN connected on the local profile) and started getting their profile configured. Rebooted the machine, logged in as the user, and now the VPN doesn’t connect anymore. I think it says “Failed to create exit event”, but it flashes by so fast I can’t see it.

The log says for each failed attempt:

Requesting client configuration for <ip.address:port>

VERSION file is 5.32, client version is 5.32

Failed to launched OpenVPN. retCP=0

What I can find in Google searching relates to NOBODY being able to connect, but this only seems to affect machines after they’ve been domain-joined.

I checked gpresult, but there’s nothing there except folder redirection and network drive mapping. I also suspected something that is being synced to the AppData/Roaming directory (I know… I know), but there’s only Adobe and Microsoft folders there. I’m a little suspicious it’s something in the crypto or SystemCertificates folder, but I’m not sure if WatchGuard uses any of the keys in there.

*Edit*

It’s 1 AM, and I’m exhausted, so I’m sorry if anything doesn’t make sense.

Update:

I went in and removed the AppData\Roaming folder redirection, and now it is working like a charm. Without digging too deep, I’m guessing that the certificates being synchronized through that folder were causing authentication failures with WatchGuard because they were for a different Windows system.

I also just realized that the AppData\Roaming\WatchGuard folder was not being created before. Probably because the sync was making his office desktop the master and syncing the files down to the laptop, so when WatchGuard created the files they were being purged.
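The check I would run on the affected laptop before touching Group Policy, as an added example that is not part of the original post and not WatchGuard's own tooling: it reads where the per-user Roaming AppData shell folder actually points (Folder Redirection rewrites that registry value to a UNC path), probes whether the user can create a file there, reports whether the %APPDATA%\WatchGuard folder the poster mentions exists, and counts the files in the per-user certificate and key stores that Windows keeps under Roaming AppData. The only product-specific assumption is that folder name; everything else is standard Windows.

```powershell
# Added diagnostic for "VPN client works until the machine is domain-joined".
# Not from the thread or from WatchGuard. Assumption: the client keeps its
# per-user state in %APPDATA%\WatchGuard, the folder the poster named.

function Get-RoamingAppDataTarget {
    # Folder Redirection rewrites the per-user "AppData" shell folder value.
    # A UNC path here means Roaming AppData lives on a file server, so
    # anything the VPN client writes there is shared with the user's other PCs.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $value = (Get-ItemProperty -Path $key -Name AppData).AppData
    $resolved = [Environment]::ExpandEnvironmentVariables($value)
    [pscustomobject]@{
        Resolved   = $resolved
        Redirected = ($resolved -like '\\*')
    }
}

function Test-FolderWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Create and delete a uniquely named file. A share ACL, Offline Files, or a
    # sync client that purges unknown files all show up here as $false.
    $probe = Join-Path $Path ("vpn-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Cannot write to ${Path}: $($_.Exception.Message)"
        return $false
    }
}

$target = Get-RoamingAppDataTarget
Write-Host "Roaming AppData  : $($target.Resolved)"
Write-Host "Redirected (UNC) : $($target.Redirected)"

# Client state folder (assumed name, see the note at the top).
$wgDir = Join-Path $env:APPDATA 'WatchGuard'
Write-Host "WatchGuard folder: $wgDir (exists: $(Test-Path $wgDir))"
Write-Host "AppData writable : $(Test-FolderWritable -Path $env:APPDATA)"

# Per-user certificate and private-key stores that Windows keeps under
# Roaming AppData. When AppData roams, these follow the user to every
# machine, so a laptop can present certificates enrolled on a desktop.
foreach ($sub in 'Microsoft\SystemCertificates\My\Certificates', 'Microsoft\Crypto\RSA') {
    $p = Join-Path $env:APPDATA $sub
    $count = 0
    if (Test-Path $p) {
        $count = (Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
    }
    Write-Host ("{0,-45} files: {1}" -f $sub, $count)
}

if ($target.Redirected) {
    $msg = 'Roaming AppData is redirected to {0}; per-machine client state and ' +
           'the user certificate/key stores are being shared across machines.'
    Write-Warning ($msg -f $target.Resolved)
}
```

Run it as the affected user (not as the local admin account that was used for the domain join, whose profile is not redirected). A UNC path on the first line plus a failed write probe points at the redirection policy rather than at the firewall or the TAP driver, which is exactly the split the poster had to work out by hand.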

What version is the WatchGuard running? What type of VPN are you using: SSL, IKEv, IPsec? What encryption method is set up with the VPN?

You have a Group Policy on your domain blocking something. That’s why you’re able to connect with non-domain joined machines, but after domain join Group Policy gets enforced and is causing something to be blocked.

Go to the Domain Controller, open Group Policy Management, and start looking for the offending GP.

We’re running 12.2 with an SSL VPN.

I figured it out. It wasn’t blocking so much as it was grabbing AppData\Roaming from the server and would not allow the system to create the WatchGuard folder in this directory, so it couldn’t cache the certificates. I also suspect that the certificates in the Roaming\Microsoft directory were causing issues, since they belonged to his desktop at the office.

That’s my thought. Just not sure where to start for this platform. Found a few dumb things.

Last time I saw this, I believe it was an issue with the TAP driver. I had to uninstall all of them and reinstall the VPN with the TAP driver. Try downloading the WatchGuard VPN client from https://firesipaddres/sslvpn.htm .