07-17-2007 09:52 AM - edited 03-11-2019 03:45 AM
I have set up a VPN to a Watchguard Firebox. I thought it was a relatively easy build but now whenever the SA timeout occurs (8 hours), the VPN tunnel stays down. When I do a sh cry it appears to fail on the key exchange. Once the remote site tech rebuilds the VPN on the Watchguard side, the tunnel comes up.
Now, of course, I'm not asking for help with a WG Firebox but I am wondering if anyone has had experience with a 515E VPN to a WG Firebox and experienced difficulties with the tunnel.
07-17-2007 10:05 AM
First thing that you should verify is that the IKE and IPSec SA lifetimes are identically configured on both sides.
07-17-2007 10:08 AM
I would agree with that first step. However, I once read (and I can't remember where) that even if the lifetimes are different, during negotiations of each phase, the lowest lifetime will be chosen.
can anyone confirm/deny this?
-thanks
07-17-2007 10:17 AM
Yes, that is normally the case but sometimes when you mix equipment from different vendors, that is not always true.
I have personally not had that problem with Watchguard, but with other firewalls.
07-17-2007 12:11 PM
Well, we did have a Phase 1 mis-match on time-outs. The tunnel is up and I'll see tomorrow when the time-out expires whether I can bring the tunnel back up.
07-17-2007 10:08 AM
That's what we thought, too, and confirmed that they match. However, if they were wrong, wouldn't that prevent the tunnel from ever coming up?
07-18-2007 04:57 AM
I tried pinging the remote server this morning and got no reply.
sh cry isa sa shows the phase 1 is stuck at "mm key exchange" so, apparently, the timeout wasn't an issue (or, at least, the only issue).
07-18-2007 05:03 AM
Then I think you need to run debugging on both sides, especially from the side that is not initiating the connection.
I would also try to change some of the IKE parameters, to see if it makes any difference.
07-18-2007 08:05 AM
What model Watchguard box are you using? Are you using Manual IPSec on the WG?
07-18-2007 08:14 AM
Firebox X Edge and manual.
07-18-2007 08:40 AM
The Watchguard logs each step of the tunnel build. Have the remote admin send you that portion of the log or a screen capture of the negotiation process from the management software. It should help you to pinpoint the problem.
07-18-2007 09:32 AM
Thanks for the suggestion. I'll try that and let you know the results.
07-20-2007 05:29 AM
Finally got it. In the Cisco debug was a line about FQDN so it appears the exchange was failing due to one side looking for a name and the other an IP. I entered isakmp identity address and the problem has been resolved.
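The resolution above turns on reading the phase-1 state correctly: a negotiation that sits at the key-exchange step has already agreed on policy (so lifetimes and transforms are not the problem) but has not passed identity/authentication, which is exactly where an address-versus-FQDN identity mismatch bites. The following script is an added example, not code from the original posts or from Cisco: it parses the IOS-style table printed by `show crypto isakmp sa` (the column layout is assumed; the sample output is constructed, not captured from the poster's 515E) and maps each main-mode state to what has succeeded so far and what to check next.

```python
"""Classify IKE phase-1 entries from 'show crypto isakmp sa' output.

Added example for this thread, not code from the original posts. The table
layout (dst / src / state columns) is the IOS-style layout and is assumed;
the sample output below is constructed, not captured from a real device.
"""
import re

# Main-mode state names as printed by Cisco 'show crypto isakmp sa', mapped to
# what has already succeeded when a negotiation sits in that state.
PHASE1_STATES = {
    "MM_NO_STATE": "no SA yet; initial proposal (message 1) not answered",
    "MM_SA_SETUP": "policy (encryption, hash, DH group, lifetime) agreed",
    "MM_KEY_EXCH": "Diffie-Hellman keys exchanged; identity/authentication (messages 5-6) not yet accepted",
    "MM_KEY_AUTH": "peers authenticated; phase 1 about to complete",
    "QM_IDLE": "phase 1 established; quick mode (phase 2) can run",
}

# An entry that never moves past one of these states points at a specific layer.
STUCK_HINTS = {
    "MM_NO_STATE": "no reply: check UDP/500 reachability and the configured peer address",
    "MM_SA_SETUP": "policy mismatch: compare encryption, hash, DH group and lifetime on both ends",
    "MM_KEY_EXCH": "authentication/identity mismatch: compare the pre-shared key and the ISAKMP identity type (address vs hostname/FQDN)",
}

# One SA row: destination IP, source IP, state name.
ROW_RE = re.compile(
    r"^\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<state>[A-Z_]+)"
)


def parse_isakmp_sa(output):
    """Return a list of dicts (dst, src, state), one per SA row in the output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match the IP-address columns
            rows.append(m.groupdict())
    return rows


def diagnose(rows):
    """Attach a meaning and, for incomplete states, a troubleshooting hint."""
    result = []
    for r in rows:
        state = r["state"]
        result.append({
            **r,
            "meaning": PHASE1_STATES.get(state, "unknown state"),
            "hint": STUCK_HINTS.get(state, ""),
            "established": state == "QM_IDLE",
        })
    return result


# Constructed sample (IOS-style layout); the first peer is stuck where the
# thread's tunnel was stuck, the second has a healthy phase-1 SA.
SAMPLE_OUTPUT = """\
dst             src             state          conn-id slot status
192.0.2.10      198.51.100.1    MM_KEY_EXCH       1       0 ACTIVE
203.0.113.5     198.51.100.1    QM_IDLE           2       0 ACTIVE
"""

if __name__ == "__main__":
    for entry in diagnose(parse_isakmp_sa(SAMPLE_OUTPUT)):
        flag = "OK   " if entry["established"] else "STUCK"
        print(f"{flag} {entry['dst']:15} {entry['state']:12} {entry['meaning']}")
        if entry["hint"]:
            print(f"      -> {entry['hint']}")
```

Run against the constructed sample, the first row is reported as stuck at MM_KEY_EXCH with the identity-type hint, which is the check that resolved this thread; the second row is reported as established. Paste real `show crypto isakmp sa` output into `SAMPLE_OUTPUT` to classify your own peers.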
08-20-2007 09:33 AM
Just came across this conversation as I am having an issue getting the Cisco client to VPN through a Watchbox. Where did you enter the isakmp address?
08-20-2007 10:21 AM
Do you mean on the Watchguard box? I didn't work on that. The customer's rep set that up. I have a screen shot he sent me, though. Open up a browser and plug in the Watchguard's IP. After the page loads, just click on VPN. This is for a Watchguard Firebox X device.