The Endpoint Connect client disconnects because the client does not receive a reply from VPN Gateway to client's Tunnel Test packets.
Most probable causes:

1. The Tunnel Test packets were not processed correctly on the VPN Gateway. The VPND daemon listens for Tunnel Test packets only on a specific interface: the first interface in the output of the 'fw ctl iflist' command. Therefore, if a Tunnel Test packet is received on another interface, it is not answered.

2. The Office Mode IP Pool is part of the VPN Encryption Domain (Office Mode assigns an IP address from one of the 'internal' networks behind the VPN Gateway). In this case:

   - The client's Tunnel Test packets might be dropped by the VPN Gateway after decryption due to Anti-Spoofing.
     When a client connects, it begins sending Tunnel Test packets. After decryption, when the Office Mode IP address is visible, the Security Gateway performs an Anti-Spoofing check. Since the Office Mode IP address is an internal address and the packets are received on an external interface, the Tunnel Test packets are dropped. After 20 seconds without a Tunnel Test reply from the Security Gateway, there is a timeout, and the client disconnects.
   - The VPN Gateway's reply packet might be routed through one of the internal interfaces.

3. The Office Mode IP Pool is part of the VPN Encryption Domain (as above) and 'Location Aware Connectivity' settings are configured for the Endpoint Connect client. In this case, the Endpoint Connect client might consider itself located on the internal network, and disconnect.

4. "Maximum concurrent tunnels" and/or "Maximum concurrent IKE negotiations" is (are) set too low.

5. Other reasons related to Anti-Spoofing, routing, the rulebase, etc.
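The first two causes above can be checked offline from data an administrator already has: the interface order from 'fw ctl iflist' and the VPN topology (Office Mode pool and Encryption Domain). The following script is an added example written for this article; it is not Check Point code. It assumes that 'fw ctl iflist' prints one "<index> : <name>" line per interface, and the interface names, Office Mode pool and Encryption Domain networks used are constructed sample values for a hypothetical gateway.

```python
import ipaddress
import re

# Constructed sample of 'fw ctl iflist' output (values are made up; the
# "<index> : <name>" layout is an assumption about the command's format).
SAMPLE_IFLIST = """\
1 : eth0
2 : eth1
3 : eth2
"""


def first_listed_interface(iflist_output):
    """Return the first interface in 'fw ctl iflist' output, i.e. the one on
    which VPND answers Tunnel Test packets."""
    for line in iflist_output.splitlines():
        match = re.match(r"\s*\d+\s*:\s*(\S+)", line)
        if match:
            return match.group(1)
    raise ValueError("no interface lines found in iflist output")


def office_mode_overlap(office_mode_pool, encryption_domain):
    """Return the Encryption Domain networks that overlap the Office Mode pool.

    A non-empty result reproduces the article's second cause: after decryption
    the Tunnel Test packet carries an 'internal' source address but was received
    on the external interface, so the Anti-Spoofing check drops it."""
    pool = ipaddress.ip_network(office_mode_pool, strict=False)
    return [net for net in encryption_domain
            if pool.overlaps(ipaddress.ip_network(net, strict=False))]


def diagnose(iflist_output, client_facing_interface, office_mode_pool, encryption_domain):
    """Collect the findings a practitioner would check first for this symptom."""
    findings = []
    listener = first_listed_interface(iflist_output)
    if listener != client_facing_interface:
        findings.append(
            f"Tunnel Tests arrive on {client_facing_interface} but VPND listens on "
            f"{listener} (first interface in 'fw ctl iflist'); replies will not be sent")
    overlapping = office_mode_overlap(office_mode_pool, encryption_domain)
    if overlapping:
        findings.append(
            f"Office Mode pool {office_mode_pool} is inside the Encryption Domain "
            f"({', '.join(overlapping)}); expect Anti-Spoofing drops of decrypted "
            f"Tunnel Tests and replies routed via internal interfaces")
    return findings


if __name__ == "__main__":
    # Constructed topology: the hypothetical gateway is reached by clients on
    # eth1, hands out Office Mode addresses from 10.10.50.0/24, and its
    # Encryption Domain includes 10.10.0.0/16, so both conditions fire.
    for finding in diagnose(SAMPLE_IFLIST, "eth1", "10.10.50.0/24",
                            ["10.10.0.0/16", "192.168.1.0/24"]):
        print("-", finding)
```

Run it with the real 'fw ctl iflist' output pasted into SAMPLE_IFLIST and the gateway's actual topology; an empty result from diagnose() rules out causes 1 and 2 and points the investigation at the concurrent tunnel/IKE limits, Location Aware Connectivity, routing and the rulebase.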