Issue
If you configure Mobile VPN with SSL to use UDP for the Data channel, and most of your Mobile VPN with SSL clients have the Automatically reconnect option enabled, it is possible for all SSL VPN user tunnels to be exhausted. When this occurs, the Firebox generates the log message below, and client connections time out while they wait for a server response:
"..sslvpn Max number of simultaneous connections reached (XXX), please contact WatchGuard to purchase a license for more users Debug..."
This might occur because the default TLS handshake negotiation window allows clients to negotiate for up to 60 seconds.
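To spot this condition before users report timeouts, the exhaustion message can be picked out of the Firebox log stream and repeated hits within a short window can be flagged. The following Python is an added example, not WatchGuard code; the log line layout (timestamp, host, message) and the sample lines are constructed for the example, only the message text comes from this article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines. The "timestamp host message" layout is an
# assumption for this example; the message text matches the KB article.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 Firebox sslvpn Max number of simultaneous connections reached (50), please contact WatchGuard to purchase a license for more users Debug
2024-03-01T08:00:15 Firebox sslvpn user alice authenticated
2024-03-01T08:00:40 Firebox sslvpn Max number of simultaneous connections reached (50), please contact WatchGuard to purchase a license for more users Debug
2024-03-01T08:01:10 Firebox sslvpn Max number of simultaneous connections reached (50), please contact WatchGuard to purchase a license for more users Debug
2024-03-01T09:30:00 Firebox sslvpn Max number of simultaneous connections reached (50), please contact WatchGuard to purchase a license for more users Debug
"""

# Captures the timestamp and the licensed user limit reported in parentheses.
EXHAUSTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sslvpn Max number of simultaneous connections "
    r"reached \((?P<limit>\d+)\)"
)


def parse_exhaustion_events(log_text):
    """Return a list of (timestamp, licensed_limit) for each exhaustion message."""
    events = []
    for line in log_text.splitlines():
        m = EXHAUSTED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group("ts"))
            events.append((ts, int(m.group("limit"))))
    return events


def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag non-overlapping windows in which the message repeats at least
    `threshold` times. Events must be in chronological order. Repeated hits
    in a short span point at reconnect attempts holding tunnels, which is the
    failure mode this article describes, rather than genuine user growth."""
    times = [t for t, _ in events]
    bursts = []
    i = 0
    while i < len(times):
        start = times[i]
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        count = j - i
        if count >= threshold:
            bursts.append((start, count))
            i = j  # skip past this window so bursts are not reported twice
        else:
            i += 1
    return bursts
```

A burst of three or more hits within five minutes is a reasonable starting alert threshold; tune it to the licensed user count of your Firebox model.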
Workaround/Solution
To resolve this issue:
Option 1: Upgrade your Firebox to Fireware v12.7 or higher.
1. After the Firebox upgrade, make sure your mobile VPN users install the latest version of the WatchGuard Mobile VPN with SSL client for Windows or macOS.
2. Make sure users connect to Mobile VPN with SSL, which will automatically download an updated profile from the Firebox.
Option 2: In Fireware v12.6.3/v12.5.6 to v12.6.4 only, use the Command Line Interface to decrease the TLS handshake negotiation window. This command is not necessary in Fireware v12.7 or higher.
WG#config
WG(config)#policy
WG(config/policy)#sslvpn hand-window 10
WG(config/policy)#
You might need to adjust the value if your Firebox model is limited to a lower number of maximum SSL VPN users. For more information, see the Command Line Interface documentation.
At this time, the CLI command does not force a configuration sync between members. You must run the CLI command on each member at least once.