PIx to Watchguard Firebox VPN

Unanswered Question

I have set up a VPN to a Watchguard Firebox. I thought it was a relatively easy build but now whenever the SA timeout occurs (8 hours), the VPN tunnel stays down. When I do a sh cry it appears to fail on the key exchange. Once, the remote site tech rebuilds the VPN on the Watchguard side, the tunnel comes up.

Now, of course, I'm not asking for help with a WG Firebox but I am wondering if anyone has had experience with a 515E VPN to a WG Firebox and experienced difficulties with the tunnel.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mattiaseriksson Tue, 07/17/2007 - 10:05
User Badges:
  • Bronze, 100 points or more

First thing that you should verify is that the IKE and IPSec SA lifetimes are identically configured on both sides.

srue Tue, 07/17/2007 - 10:08
User Badges:
  • Blue, 1500 points or more

i would agree with that first step. However, I once read (and i can't remember where) that even if the lifetimes are different, during negotations of each phase, the lowest lifetime will be chosen.

can anyone confirm/deny this?


mattiaseriksson Tue, 07/17/2007 - 10:17
User Badges:
  • Bronze, 100 points or more

Yes, that is normally the case but sometimes when you mix equipment from different vendors, that is not always true.

I have personally not had that problem with watchguard, but with other firewalls.

mattiaseriksson Wed, 07/18/2007 - 05:03
User Badges:
  • Bronze, 100 points or more

Then I think you need to run debugging on both sides, especially from the side that is not initiating the connection.

I would also try to change some of the IKE parameters, too see if it makes any difference.

scudderconsulting Wed, 07/18/2007 - 08:05
User Badges:

What model watchguard box are you using? Are you using Manual IPSec on the WG?

scudderconsulting Wed, 07/18/2007 - 08:40
User Badges:

The watchguard logs each step of the tunnel build. Have the remote admin send you that portion of the log or a screen capture of the negotiation process from the management software. It should help you to pinpoint the problem.

bberry Mon, 08/20/2007 - 09:33
User Badges:

Just came acorss this conversation as I am having an issue getting the Cisco client to VPN through a Watchbox. Where did you enter the isakmp address?


This Discussion