This page helps you solve some common issues concerning the Barracuda Network Access and VPN Client.
Issue: Connection errors shown in the Barracuda Health Agent
The Access Control Server cannot be reached at the IP addresses configured for health evaluation. A Connection Error message is shown in the Health Agent.
Configure a valid Access Control Server IP address locally. If the Access Control Server IP addresses are distributed by DHCP, use the operating system's built-in
ipconfig tool to obtain a new IP address for the client computer that will include an Access Control Server IP address to connect to.
In order to verify whether an Access Control Server IP address was received through DHCP, look up the Barracuda Health Agent Access Control Server IPs dialog.
Issue: E_PENDING 0x8000000A The data necessary to complete the operation is not yet available.
Initialization of the Personal Firewall service takes very long ,and thus the system's health state cannot be validated
Debug Log output:
WMIXP2SecureCenter2.cpp(863)* Register FW Status Provider
WMIXP2SecureCenter2.cpp(112)* QueryInterface for Register failed Error: 0x8000000a
WMIXP2SecureCenter2.cpp(870)* RegisterFWStatusProvider failed. wait 1000 ms...(0)
The Personal Firewall's API registration takes too long because the required MS Windows Security Center service (WSCSVC) is not yet started. By default, MS Windows starts the WSCSVC service with startup type: Automatic (delayed Start)
Set the Startup type value of WSCSVC to Automatic.
Issue: Connection to the VPN server breaks immediately after establishing
An access ruleset may have been damaged during transfer from the VPN server to the client. Disconnect all applications and connect again to solve the issue. This behavior may also occur with slow connections. Increase the Connect Timeout parameter in the VPN Profile settings Connect/Reconnect tab if you encounter any problems.
Issue: Connection breaks if IP address assignment via DHCP is used
A connection problem occurs when the firewall slot is closed too early. Create a local firewall ruleset to solve the issue: Action: Pass, Service: BOOTPS (out: UDP 67; in: UDP 68).
Issue: VPN Gateway not reachable via VPN tunnel is logged into the Events window
Open the VPN Settings tab and change the value for Virtual Adapter Address Assignment (IPv4).
Issue: Session PHS: signature check failed (bad decrypt) is logged into the Events window
Deactivate Private Encrypt (see Connection Entries > X.509 Authentication above).
Issue: A VPN connection cannot be not established due to a Firewall Status mismatch error
The VPN Service on the CloudGen Firewall drops incoming connection requests by a Barracuda Network Access Client and generates the following error message in the VPN log:
Warning Session PGRP-AUTH-user01:
reply unsuccesful handshake:
100 36 Firewall Status mismatch
Older Barracuda Network Access Client versions cannot interpret the VPN Service's Firewall Always ON Option, which therefore effectively prevents connection establishment for these clients.
To allow these older clients to connect to the VPN service, navigate in Barracuda Firewall Admin to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > Client to Site > External CA > Group Policy and clear the Firewall Always ON check box.
Issue: The VPN Client cannot open a connection due to a timeout
The Barracuda Network Access Client breaks the VPN connection and generates the following error message in the client log:
Could not connect to serverConnectLib,
Open() failed: could not open DIRECT connection,
IOStreamSock: Connect(x.x.x.x:691): TIMEOUT
Error while connect to x.x.x.x:691 (proto=TCP)
This message appears only if the server's IP address is reachable, but at the same time no listen port (UDP/TCP 691) is available.
The VPN Service listens by default on the first and the second server IP address. For additional server IP addresses, it is necessary to bind the service manually to these additional IP addresses. In the CloudGen Firewall, navigate to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service > Service Properties > Service Availability in order to achieve this.