Operational Defect Database

BugZero found this defect 1419 days ago.

WatchGuard Technologies | kA10H000000bosOSAQ

Mobile VPN IKEv2 users cannot connect because iked maintains stale user sessions

Last update date:

6/30/2020

Affected products:

AuthPoint

DNSWatch

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Affected releases:

All

Fireware

12.x

12.5.x

Fixed releases:

v12.6.2/v12.5.5

Description:

Issue

In some cases, the iked process maintains stale Mobile VPN IKEv2 RAS user sessions and prevents additional connections from those users. With diagnostic logging enabled, log messages such as this appear in the debug logs (where mobile-user is the user name of the user who cannot connect):

May 29 10:41:28 2020 M400 local3.info iked[2281]: (x.x.x.x<->y.y.y.y)Delete IKEv2 Child SA under gateway WG IKEv2 MVPN, reason: Failed to create RAS user session for 'mobile-user' user. Error:RAS: user already logged in

The user account does not appear in the Firebox authentication list.
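The symptom above is a correlation: iked rejects a user with "user already logged in" while the same user is absent from the Firebox authentication list. The following is an added detection example, not WatchGuard code, that runs that correlation over exported diagnostic log lines. The regex is built from the single message format quoted in this record; the sample log lines, the IP addresses, the fourth "SA established" line and the authentication list are all constructed for the example, and the function and field names are the example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Pattern for the iked "Delete IKEv2 Child SA" line quoted in the defect record.
# The message text is taken from the record; the group names are this example's own.
IKED_STALE_RE = re.compile(
    r"iked\[(?P<pid>\d+)\]: \((?P<local>[^<]+)<->(?P<peer>[^)]+)\)"
    r"Delete IKEv2 Child SA under gateway (?P<gateway>.+?), "
    r"reason: Failed to create RAS user session for '(?P<user>[^']+)' user\. "
    r"Error:RAS: user already logged in"
)


@dataclass(frozen=True)
class StaleSessionEvent:
    """One rejected IKEv2 connection attempt caused by an existing RAS session."""
    peer: str      # remote address of the client that was refused
    gateway: str   # Mobile VPN IKEv2 gateway name from the log line
    user: str      # RAS user name that iked believes is already logged in


def parse_stale_session_events(lines: Iterable[str]) -> list[StaleSessionEvent]:
    """Extract every 'user already logged in' rejection from raw diagnostic log lines."""
    events: list[StaleSessionEvent] = []
    for line in lines:
        m = IKED_STALE_RE.search(line)
        if m:
            events.append(StaleSessionEvent(peer=m["peer"], gateway=m["gateway"], user=m["user"]))
    return events


def find_stale_users(lines: Iterable[str], authenticated_users: Iterable[str]) -> dict[str, int]:
    """Return {user: rejected_attempts} for users iked refuses as already logged in
    but who do NOT appear in the Firebox authentication list.

    A user who is refused but IS in the authentication list genuinely has a live
    session (a duplicate login, not this defect) and is therefore excluded.
    """
    counts = Counter(e.user for e in parse_stale_session_events(lines))
    live = set(authenticated_users)
    return {user: n for user, n in counts.items() if user not in live}


# Constructed sample input: two refusals for mobile-user, one for alice, one unrelated line.
# Addresses are documentation ranges; the last line's wording is invented for the example.
SAMPLE_LOG = [
    "May 29 10:41:28 2020 M400 local3.info iked[2281]: (198.51.100.1<->203.0.113.7)Delete IKEv2 Child SA under gateway WG IKEv2 MVPN, reason: Failed to create RAS user session for 'mobile-user' user. Error:RAS: user already logged in",
    "May 29 10:41:35 2020 M400 local3.info iked[2281]: (198.51.100.1<->203.0.113.7)Delete IKEv2 Child SA under gateway WG IKEv2 MVPN, reason: Failed to create RAS user session for 'mobile-user' user. Error:RAS: user already logged in",
    "May 29 10:42:02 2020 M400 local3.info iked[2281]: (198.51.100.1<->203.0.113.9)Delete IKEv2 Child SA under gateway WG IKEv2 MVPN, reason: Failed to create RAS user session for 'alice' user. Error:RAS: user already logged in",
    "May 29 10:42:10 2020 M400 local3.info iked[2281]: (198.51.100.1<->203.0.113.11)IKEv2 SA established under gateway WG IKEv2 MVPN",
]

# Constructed authentication list: alice really is logged in, mobile-user is not.
SAMPLE_AUTH_LIST = ["alice"]


if __name__ == "__main__":
    stale = find_stale_users(SAMPLE_LOG, SAMPLE_AUTH_LIST)
    for user, attempts in stale.items():
        print(f"{user}: {attempts} refused attempt(s) with no live session; iked session is stale")
```

On the sample, mobile-user is reported with two refused attempts while alice is not, because alice is present in the authentication list. In practice the authentication list would be exported from the Firebox and the log lines taken from the diagnostic log; a non-empty result is the signal that the workaround in this record (restarting the IKE process) applies.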

Workaround/Solution

Restart the iked process. To restart the process, run this command from the Command Line Interface:

diagnose vpn "/ike/restart"

For more information, see Use the CLI to restart the IKE process.

Note: When you restart the IKE process, all VPN connections are renegotiated.


Status

Resolved
