I have set up a VPN to a Watchguard Firebox. I thought it was a relatively easy build, but now whenever the SA timeout occurs (8 hours), the VPN tunnel stays down. When I do a sh cry it appears to fail on the key exchange. Once the remote site tech rebuilds the VPN on the Watchguard side, the tunnel comes up.
Now, of course, I'm not asking for help with a WG Firebox but I am wondering if anyone has had experience with a 515E VPN to a WG Firebox and experienced difficulties with the tunnel.
I would agree with that first step. However, I once read (and I can't remember where) that even if the lifetimes are different, during negotiations of each phase, the lowest lifetime will be chosen.
Can anyone confirm/deny this?
Yes, that is normally the case, but sometimes when you mix equipment from different vendors, that is not always true.
I have personally not had that problem with Watchguard, but with other firewalls.
Well, we did have a Phase 1 mismatch on timeouts. The tunnel is up and I'll see tomorrow when the timeout expires whether I can bring the tunnel back up.
That's what we thought, too, and confirmed that they match. However, if they were wrong, wouldn't that prevent the tunnel from ever coming up?
I tried pinging the remote server this morning and got no reply.
sh cry isa sa shows the Phase 1 is stuck at "mm key exchange", so, apparently, the timeout wasn't an issue (or, at least, not the only issue).
Then I think you need to run debugging on both sides, especially from the side that is not initiating the connection.
I would also try to change some of the IKE parameters, too, to see if it makes any difference.
The Watchguard logs each step of the tunnel build. Have the remote admin send you that portion of the log or a screen capture of the negotiation process from the management software. It should help you to pinpoint the problem.
Finally got it. In the Cisco debug was a line about FQDN, so it appears the exchange was failing due to one side looking for a name and the other an IP. I entered isakmp identity address and the problem has been resolved.
Just came across this conversation as I am having an issue getting the Cisco client to VPN through a Watchbox. Where did you enter the isakmp address?
Do you mean on the Watchguard box? I didn't work on that. The customer's rep set that up. I have a screen shot he sent me, though. Open up a browser and plug in the Watchguard's IP. After the page loads, just click on VPN. This is for a Watchguard Firebox X device.
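To put the fix from this thread in context, here is an added example (not any poster's real configuration) of the PIX side of such a tunnel, assuming a 515E running PIX 6.x syntax, a Watchguard peer at the placeholder address 203.0.113.10, and placeholder key, ACL and crypto map names; lines starting with "!" are annotations, not commands.

```cisco
! Phase 1 (ISAKMP). The 28800 s lifetime is the 8-hour SA timeout mentioned
! in the thread; the Watchguard side must offer compatible values.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
! Send the outside IP address as the ISAKMP identity. "isakmp identity hostname"
! would send the FQDN instead, which is the name-versus-IP mismatch that left
! Phase 1 stuck at the key exchange step in this thread.
isakmp identity address
! Pre-shared key tied to the peer's address (placeholder key and address).
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255
! Phase 2 (IPsec): interesting traffic, transform set and crypto map.
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map wgmap 10 ipsec-isakmp
crypto map wgmap 10 match address vpn-traffic
crypto map wgmap 10 set peer 203.0.113.10
crypto map wgmap 10 set transform-set ESP-3DES-SHA
crypto map wgmap 10 set security-association lifetime seconds 28800
crypto map wgmap interface outside
sysopt connection permit-ipsec
! Check: "show crypto isakmp sa" should reach QM_IDLE after the rekey,
! rather than sitting in the MM_KEY_EXCH state the thread describes.
```

If the 515E runs PIX 7.x instead, the equivalent commands are prefixed with "crypto" (for example "crypto isakmp identity address"), so adjust the syntax to the running version.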