PIX/ASA v7 to Watchguard VPN Problem

Unanswered Question
Nov 2nd, 2007
User Badges:


I wonder if anyone can help, has ideas on this:

We have a problem with a site-to-site VPN between a Watchguard firewall and an ASA 5510, running 7.0(7).

The VPN works fine, but, 'breaks/drops' connections at about 75% of the IKE lifetime, which is pretty annoying as it's a high use VPN.

This is apparently caused by the ASA initiating a rekey - but I need to definitely confirm this.

The strange thing is that the VPN was working fine with a PIX Firewall running 6.3(1). I literally copied and pasted the config when migrating between the platforms.

Does anyone have any ideas why the problem might be happening, what debugs to look out for?

I think I've managed to rule out things like DPD (Dead Peer Detection) and keepalives since the VPN is in constant use.

The 75 is pretty constant as well - I've increased the IKE lifetime to 86400 (24hrs) to mitigate the problem, causing a drop every 18hrs (75%).

Next step is to interpret the debugs and try to recreate - pretty hard without another Watchguard!

We have other customer VPN's on the same box, which seems unaffected - they can stay up for days with much smaller volumes of traffic.

Any help is appreciated

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
smalkeric Wed, 11/07/2007 - 07:02
User Badges:
  • Silver, 250 points or more

You could be hitting a bug: try this bug :CSCsi47630 for more information

ddarby1 Wed, 11/07/2007 - 08:03
User Badges:


Thanks for you reply.

Reading the bug report unfortunately doesn't help us that much - the symptoms are the same, but the technical description is a little light on detail.

In any case Cisco has closed it without fixing - perhaps due to a lack of detail?

Thanks again for the post though.

daniel.sandstro... Fri, 04/25/2008 - 00:21
User Badges:

Seems to have a similar issue between an ASA5505 (8.0) and a Watchguard, however during the P1 negotiation this shows :

195.24.xx.xx, IP = 195.24.xx.xx, Starting P1 rekey timer: 64800 seconds.

As you can see the P1 rekey timer is 64800 seconds, which happens to be 18hours, both the watchguard and the cisco has a lifetime of 24h configured... bug in the Watchguard ?


This Discussion