You can use WatchGuard VPN solutions to help your workforce continue their work remotely over a secured connection. This article answers frequently asked questions about mobile VPN licensing and connectivity. 

You can also use AuthPoint MFA to help secure your remote workforce. For frequently asked questions about AuthPoint, including links to integration guides to set up AuthPoint with Mobile VPN, see Use AuthPoint MFA to protect remote worker connections and credentials.

Get Started with Mobile VPN

How do I decide what type of Mobile VPN to use?
There are several different mobile VPN options you can choose from. If you have never set up a Mobile VPN with your Firebox, see Select a Mobile VPN type. 

How do I set up a Mobile VPN?
For a general overview of how to set up a mobile VPN, with a link to specific instructions for each VPN type, see Mobile VPN Setup Overview.

VPN Tunnel Capacity and Licenses

How many VPN connections does my device have? 
The maximum number of active connections depends on your Firebox model and your feature key. For more information, see VPN Tunnel Capacity and Licensing.

Are the VPN connection limits defined in the feature key?
Yes. To find your feature key and see the VPN limits, see VPN Tunnel Capacity and Licensing.

Can I request an increase to the VPN connection limits? 
Firebox licensing documentation specifies limits for each Firebox model. VPN connection limits for each Firebox model cannot be changed. 

Does the Value number listed in the feature key show the total number of VPN connections?
Yes, the number next to each VPN feature key is the maximum number of active VPN connections. Keep in mind that some VPN features share the maximum number of allowed connections:

• Branch Office VPN Tunnels — Maximum number of active branch office VPN tunnel routes and BOVPN virtual interfaces
• L2TP Users — Maximum number of active Mobile VPN with L2TP user connections
• IPSec VPN Users — Maximum number of active Mobile VPN with IPSec and Mobile VPN with IKEv2 user connections
• SSL VPN Users — Maximum number of active Mobile VPN with SSL, BOVPN over TLS, and Management Tunnel over SSL user connections

Can I monitor the number of mobile VPN connections? 
Yes, you can monitor your mobile VPN connections as follows:

• To see the number of active mobile VPN connections, in Firebox System Manager, select the Authentication List tab.
• In Firebox System Manager, on the Front Panel tab, you’ll see an error message if the total number of active VPN connections reaches the limit in your feature key.

How can I manage increased VPN traffic?
Virtual firewalls, such as FireboxV, can help to add capacity for VPN traffic and can scale to accommodate the connections your company needs.

WatchGuard now offers FireboxV licenses free for 120 days. WatchGuard partners can get these 120 day evaluations through a self-service process. On the partner portal, select Product > Virtual Appliance Evaluations. You will receive an email with a trial serial number for activation.

The VPN limits that appear in the appliance datasheet do not match the VPN limits that appear in the feature key. Why?
The license limits that appear in the feature key are correct. If you notice a discrepancy and have a question, please contact us.

What are some common issues for Mobile VPN with SSL?
To resolve common installation and connection issues, see Troubleshoot Mobile VPN with SSL.

Mobile VPN and Multi-Factor Authentication (MFA)

How can I configure AuthPoint multi-factor authentication for my mobile VPN users?
See these guides:

• Firebox Mobile VPN with IKEv2 Integration with AuthPoint
• Firebox Mobile VPN with SSL Integration with AuthPoint
• Firebox Mobile VPN with IPSec Integration with AuthPoint

FireCluster and VPN Licenses

How are feature keys defined for Active/Passive and Active/Active FireClusters?
See About Feature Keys and FireCluster.

How are options and licensing features determined in FireCluster?
To understand how Active/Passive and Active/Active differ, see Comparison of FireCluster Active/Active and Active/Passive.

NCP License Bundles and Management

Can NCP licensing for Mobile VPN with IPSec clients be centrally managed?
Yes, when you purchase volume licensing for the Mobile VPN with IPSec NCP client, you can centrally manage those licenses with the Mobile VPN License Server (MVLS) software from NCP. For more information about MVLS, see About Mobile VPN Volume Licenses.

Can NCP Licensing be bundled?
Yes. For more information, see WatchGuard Mobile VPN License Server (MVLS).

Troubleshoot Mobile VPN with SSL

How does UDP affect the quality of SSLVPN data channels?
To address performance issues that affect Mobile VPN with SSL connections, you can use UDP for the data channel instead of TCP. UDP packets are smaller than TCP packets and have less latency. However, UDP has no fault tolerance, which can result in intermittent connections or dropped packets. You can use TCP for the data channel, but this might impact performance.

To understand whether to use TCP or UDP for the Mobile VPN with SSL data channel, see Choose the Port and Protocol for Mobile VPN with SSL.

As an alternative to Mobile VPN with SSL, we recommend Mobile VPN with IKEv2.

How do I troubleshoot other Mobile VPN with SSL issues?
See Troubleshoot Mobile VPN with SSL.

Troubleshoot the Firebox

How do I troubleshoot other Firebox issues?
See Troubleshooting and search Technical Search.

Other Questions

How can I deploy a Firebox from a remote location?
We support several remote deployment scenarios with RapidDeploy functionality. For more information, see Deploy Your Firebox with RapidDeploy. 

How do I get help with other technical questions?
First, search Technical Search where you’ll find answers to most questions. For additional assistance, contact us.