PIX/ASA v7 to Watchguard VPN Problem

ddarby1
Level 1

Hi,

I wonder if anyone can help, has ideas on this:

We have a problem with a site-to-site VPN between a Watchguard firewall and an ASA 5510, running 7.0(7).

The VPN works fine, but 'breaks/drops' connections at about 75% of the IKE lifetime, which is pretty annoying as it's a high-use VPN.

This is apparently caused by the ASA initiating a rekey - but I need to definitely confirm this.

The strange thing is that the VPN was working fine with a PIX Firewall running 6.3(1). I literally copied and pasted the config when migrating between the platforms.

Does anyone have any ideas why the problem might be happening, what debugs to look out for?

I think I've managed to rule out things like DPD (Dead Peer Detection) and keepalives since the VPN is in constant use.

The 75% is pretty constant as well - I've increased the IKE lifetime to 86400 (24 hrs) to mitigate the problem, causing a drop every 18 hrs (75%).

Next step is to interpret the debugs and try to recreate - pretty hard without another Watchguard!

We have other customer VPNs on the same box, which seem unaffected - they can stay up for days with much smaller volumes of traffic.

Any help is appreciated

3 Replies

smalkeric
Level 6

You could be hitting a bug: see bug CSCsi47630 for more information.

Hi,

Thanks for your reply.

Reading the bug report unfortunately doesn't help us that much - the symptoms are the same, but the technical description is a little light on detail.

In any case Cisco has closed it without fixing - perhaps due to a lack of detail?

Thanks again for the post though.

Seems to have a similar issue between an ASA5505 (8.0) and a Watchguard; however, during the P1 negotiation this shows:

195.24.xx.xx, IP = 195.24.xx.xx, Starting P1 rekey timer: 64800 seconds.

As you can see the P1 rekey timer is 64800 seconds, which happens to be 18 hours. Both the Watchguard and the Cisco have a lifetime of 24h configured... bug in the Watchguard?
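A small checker for the 75% figure discussed in this thread, added here as an example and not taken from any of the posts: it pulls the "Starting P1 rekey timer" value out of ASA isakmp debug output, compares it with the ISAKMP lifetime configured for that peer, and tests whether the observed interval between drops lines up with the rekey timer. The regex is built from the single debug line quoted above; the other sample lines, the second peer 10.0.0.2 with its 28800 s lifetime, and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Regex shaped after the one ASA 'debug crypto isakmp' line quoted in the thread:
#   "195.24.xx.xx, IP = 195.24.xx.xx, Starting P1 rekey timer: 64800 seconds."
REKEY_RE = re.compile(
    r"IP = (?P<peer>[0-9A-Za-z.]+), Starting P1 rekey timer: (?P<secs>\d+) seconds"
)

# Constructed sample debug output (not a real capture). The first line is the one
# from the thread; the 10.0.0.2 peer is made up to show a tunnel with another lifetime.
SAMPLE_DEBUG = """\
195.24.xx.xx, IP = 195.24.xx.xx, Starting P1 rekey timer: 64800 seconds.
195.24.xx.xx, IP = 195.24.xx.xx, PHASE 1 COMPLETED
10.0.0.2, IP = 10.0.0.2, Starting P1 rekey timer: 21600 seconds.
"""

# Assumed ISAKMP lifetimes configured per peer, in seconds (the 'isakmp policy <n>
# lifetime' value on the ASA). 86400 is what the thread says both ends use for the
# Watchguard tunnel; 28800 for the second peer is a constructed value.
CONFIGURED_LIFETIME: Dict[str, int] = {"195.24.xx.xx": 86400, "10.0.0.2": 28800}


def parse_rekey_timers(debug_text: str) -> List[Tuple[str, int]]:
    """Return (peer, rekey_seconds) for every 'Starting P1 rekey timer' line."""
    found = []
    for line in debug_text.splitlines():
        m = REKEY_RE.search(line)
        if m:
            found.append((m.group("peer"), int(m.group("secs"))))
    return found


def rekey_fraction(rekey_secs: int, lifetime_secs: int) -> float:
    """Fraction of the configured Phase 1 lifetime at which the ASA starts rekeying."""
    if lifetime_secs <= 0:
        raise ValueError("lifetime must be positive")
    return rekey_secs / lifetime_secs


def analyse(debug_text: str, lifetimes: Dict[str, int]) -> Dict[str, dict]:
    """Per peer: rekey timer, configured lifetime, fraction, and rekey time in hours."""
    report = {}
    for peer, secs in parse_rekey_timers(debug_text):
        lifetime = lifetimes.get(peer)
        if lifetime is None:
            continue  # no configured lifetime known for this peer; nothing to compare
        report[peer] = {
            "rekey_s": secs,
            "lifetime_s": lifetime,
            "fraction": round(rekey_fraction(secs, lifetime), 3),
            "rekey_hours": secs / 3600,
        }
    return report


def matches_observed_drop(rekey_secs: int, observed_drop_secs: int,
                          tolerance_secs: int = 900) -> bool:
    """True if the interval between tunnel drops lines up with the P1 rekey timer.

    A match supports the idea that the drops coincide with the ASA's rekey; it does
    not by itself show which side tears the old SA down instead of keeping it through
    the overlap, which is what the debugs on both ends would have to answer.
    """
    return abs(rekey_secs - observed_drop_secs) <= tolerance_secs


if __name__ == "__main__":
    for peer, row in analyse(SAMPLE_DEBUG, CONFIGURED_LIFETIME).items():
        print(f"{peer}: rekey at {row['rekey_s']} s = {row['fraction']:.0%} of "
              f"{row['lifetime_s']} s lifetime ({row['rekey_hours']:.1f} h)")
    # The original poster saw a drop roughly every 18 h with a 24 h lifetime.
    print("drops line up with rekey:", matches_observed_drop(64800, 18 * 3600))
```

Feed it the real "debug crypto isakmp" output from the ASA and the lifetime from "show run isakmp" (or "show run crypto isakmp" on newer code) for each peer; if the Watchguard's own logs show its SA being torn down at the same timestamp the ASA starts rekeying, that is the overlap failure the thread suspects.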
