Watchguard SSL 1000 User Manual page 156

Vpn gateway

Hide thumbs Also See for SSL 1000:

Setup manual (6 pages)

Hardware manual (31 pages)

Quick reference manual (2 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

Table of Contents

Troubleshooting

Internal Failover

If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the

Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and

then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range

starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about

configuring IP pools, see "Enabling IP Pooling" on page 94.

Certificate Signing

There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway,

Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a

public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations

such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Ser-

vices.

Certificates signed by a private CA are sometimes described as enterprise certificates or self-signed certifi-

cates. In this context, the term self-signed certificate is not technically accurate; such certificates are

signed by the private CA. True self-signed certificates are not signed by any CA and are not supported

by the server components, because there is no CA to provide a root of trust. However, as described

above, certificates issued by a private CA are supported by the server components because the private

CA is the root of trust.

Certificate Revocation Lists

Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to

the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the cRLDistri-

butionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP. The cli-

ent certificate is checked against those CRLs.

Retrieving CRLs using LDAP is not supported.

Network Messages to Non-Existent IPs

If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL

VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as

network spamming.

To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway.

The Firebox SSL VPN Gateway Does not Start and the Serial Console Is Blank

Verify that the following are correctly set up:

• The serial console is using the correct port and the physical and logical ports match

• The cable is a null-modem cable

• The COM settings in your serial communication software are set to 9600 bits per second, 8 data

bits, no parity, and 1 stop bit

The Administration Tool Is Inaccessible

If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the

Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL

VPN Gateway.

146

Firebox SSL VPN Gateway

Table of Contents

Troubleshooting

This manual is also suitable for:

Ssl 500 Firebox ssl series

Watchguard SSL 1000 User Manual page 156

Troubleshooting

Related Manuals for Watchguard SSL 1000

Related Products for Watchguard SSL 1000

This manual is also suitable for:

Table of Contents