Operational Defect Database

BugZero found this defect 1195 days ago.

WatchGuard Technologies | kA10H000000bqOzSAI

Mobile VPN with SSL connections fail - Max number of simultaneous connections reached

Last update date:

4/20/2021

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.5.x

12.6.x

Fixed releases:

All

Description:

Issue

If you configure Mobile VPN with SSL to use UDP for the Data channel, and most of your Mobile VPN with SSL clients have the Automatically reconnect option enabled, it is possible for all SSL VPN user tunnels to be exhausted. When this occurs, the Firebox generates the log message below and client connections time out while they wait for a server response:

"..sslvpn Max number of simultaneous connections reached (XXX), please contact WatchGuard to purchase a license for more users Debug..."

This might occur because the default TLS handshake negotiation window allows clients to negotiate for up to 60 seconds, so a client that drops and automatically reconnects can hold a tunnel slot during negotiation while its previous slot has not yet been released.
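As an added illustration (not part of the BugZero record or any WatchGuard tooling), the following Python scanner picks the "Max number of simultaneous connections reached" message out of a Firebox log export, recovers the licensed limit printed in parentheses, and counts exhaustion events against successful SSL VPN logins so the condition can be spotted before users report timeouts. The timestamp and host fields in the sample lines are constructed, as is the "logged in" message shape; only the exhaustion message text comes from the record above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log export. The message text on the exhaustion lines is
# the one quoted in the defect record; the date, host and login lines are
# assumptions made for the example, not captured Firebox output.
SAMPLE_LOG = """\
2021-04-20 08:14:02 firebox-m370 sslvpn SSL VPN user alice@example.test from 203.0.113.10 logged in
2021-04-20 08:15:11 firebox-m370 sslvpn Max number of simultaneous connections reached (250), please contact WatchGuard to purchase a license for more users Debug
2021-04-20 08:15:12 firebox-m370 sslvpn Max number of simultaneous connections reached (250), please contact WatchGuard to purchase a license for more users Debug
2021-04-20 08:16:40 firebox-m370 sslvpn SSL VPN user bob@example.test from 198.51.100.7 logged in
2021-04-20 08:17:05 firebox-m370 sslvpn Max number of simultaneous connections reached (250), please contact WatchGuard to purchase a license for more users Debug
"""

# The number in parentheses is the licensed maximum reported by the Firebox.
EXHAUSTED_RE = re.compile(
    r"sslvpn Max number of simultaneous connections reached \((\d+)\)"
)
# Hypothetical login line shape, assumed for the example.
LOGIN_RE = re.compile(r"sslvpn SSL VPN user (\S+) from (\S+) logged in")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def scan_sslvpn_log(text: str) -> Dict[str, object]:
    """Summarise tunnel-exhaustion events in a block of Firebox log lines.

    Returns the licensed limit (None if no exhaustion message was seen), the
    number of exhaustion events, the timestamps of the first and last one,
    and the number of successful SSL VPN logins in the same window.
    """
    limit: Optional[int] = None
    exhausted_at: List[str] = []
    logins = 0
    for line in text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group(1) if ts_match else "<no timestamp>"
        if m := EXHAUSTED_RE.search(line):
            limit = int(m.group(1))
            exhausted_at.append(ts)
        elif LOGIN_RE.search(line):
            logins += 1
    return {
        "limit": limit,
        "exhausted_events": len(exhausted_at),
        "first_seen": exhausted_at[0] if exhausted_at else None,
        "last_seen": exhausted_at[-1] if exhausted_at else None,
        "successful_logins": logins,
    }


def should_alert(report: Dict[str, object], min_events: int = 1) -> bool:
    """Alert when the Firebox has reported exhaustion at least min_events times.

    Repeated events with few interleaved logins are the pattern described in
    the record: slots held by reconnecting clients rather than by new users.
    """
    return int(report["exhausted_events"]) >= min_events


if __name__ == "__main__":
    summary = scan_sslvpn_log(SAMPLE_LOG)
    print(summary)
    if should_alert(summary):
        print(
            f"SSL VPN tunnel limit ({summary['limit']}) reached "
            f"{summary['exhausted_events']} times between "
            f"{summary['first_seen']} and {summary['last_seen']}"
        )
```

Run it against a log export from Traffic Monitor or a syslog collector; a rising exhaustion count with few new logins points at the reconnect behaviour described above rather than at genuine user growth.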

Workaround/Solution

To resolve this issue:

1. Upgrade your Firebox to Fireware v12.7 or higher.

2. After the Firebox upgrade, make sure your mobile VPN users install the latest version of the WatchGuard Mobile VPN with SSL client for Windows or macOS.

3. Make sure users connect to Mobile VPN with SSL, which will automatically download an updated profile from the Firebox.

In Fireware v12.6.3/v12.5.6 to v12.6.4 only, use the Command Line Interface to decrease the TLS handshake negotiation window. This command is not necessary in Fireware v12.7 or higher.

    WG#config
    WG(config)#policy
    WG(config/policy)#sslvpn hand-window 10
    WG(config/policy)#

You might need to adjust the value if your Firebox model is limited to a lower number of maximum SSL VPN users. For more information, see the Command Line Interface documentation.

At this time, the CLI command does not force a configuration sync between FireCluster members. You must run the CLI command on each member at least once.


Status

Resolved
