WatchGuard Support Center

Knowledge Base - Article

 Mobile VPN IKEv2 users cannot connect because iked maintains stale user sessions

Products: All
Operating System: 12.5.x
Issue Status: Resolved
Tracking ID: FBX-19890
Status: Resolved
Resolved In: Fireware v12.6.2/v12.5.5

In some cases, the iked process maintains stale Mobile VPN IKEv2 RAS user sessions and prevents additional connections from those users.

With diagnostic logging enabled, log messages such as this appear in the debug logs (where mobile-user is the user name of the user who cannot connect):

May 29 10:41:28 2020 M400 iked[2281]: (x.x.x.x<->y.y.y.y)Delete IKEv2 Child SA under gateway WG IKEv2 MVPN, reason: Failed to create RAS user session for 'mobile-user' user. Error:RAS: user already logged in

The user account does not appear in the Firebox authentication list.

Restart the iked process. To restart the process, run this command from the Command Line Interface:

diagnose vpn "/ike/restart"

For more information, see Use the CLI to restart the IKE process .

Note: When you restart the IKE process, all VPN connections are renegotiated.