It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Login Sign Up Contact & Support

United States – English (GMT-5)

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Barracuda NextGen Firewall X

Overview Documentation Materials

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Login Sign Up Contact & Support

United States – English (GMT-5)

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

Troubleshooting Client-to-Site VPNs

Last updated on 2016-05-30 04:21:59

If your client-to-site VPN is not working as expected, try the solutions that are provided in this article for the following scenarios:

You Receive a Timeout Error on the Client

The client might not be able to reach the public listen IP address of the Barracuda NextGen Firewall X-Series. Try to ping the public listen IP address of the appliance from the client.
Go to the VPN > Client-to-Site VPN page and verify that the tunnel is configured correctly.

You Receive an Authentication Error on the Client

Go to the VPN > Client-to-Site VPN page and verify that the correct user authentication method is selected.

Go to the Users > External Services page and verify that the external authentication method is correctly configured.
Ensure that the correct username and password are being used to log in.
Verify that special characters are not being used in the password. If there are any special characters, change the password and then try to connect.

You are Able to Connect but Cannot Reach the Published Networks

On the client, see if traffic is being sent into the tunnel. You can either check the routing table of the client machine or use the tracert and traceroute command-line utilities.
Go to the VPN > Client-to-Site VPN page and verify that the VPN Access Policies are configured correctly.
Ensure that the firewall rule for the VPN is allowing the traffic into the networks.

Verify the VPNCLIENTS-2-LAN Rule Matches Client-to-Site VPN Traffic

Per default the VPNCLIENTS-2-LAN access rule allows traffic from the client-to-site VPN to all networks in the Trusted LAN network object. Verify that the rule matches by pinging a computer in the Trusted LAN from a connected VPN client. If the ping goes trough you are able to reach the internal network through the client-to-site VPN. If the ping does not work, go to BASIC > Active Connections:

Find the connection of your ping by matching protocol (ICMP), source and destination.
If the access rule listed in the firewall rule column for the connection is not VPNCLIENTS-2-LAN move the VPNCLIENTS-2-LAN rule above the rule which is currently handling the VPN traffic. For more information, see Firewall Rules Order.