Cisco Support Community

New Member

PIX/ASA v7 to Watchguard VPN Problem

Hi,

I wonder if anyone can help, has ideas on this:

We have a problem with a site-to-site VPN between a Watchguard firewall and an ASA 5510, running 7.0(7).

The VPN works fine, but, 'breaks/drops' connections at about 75% of the IKE lifetime, which is pretty annoying as it's a high use VPN.

This is apparently caused by the ASA initiating a rekey - but I need to definitely confirm this.

The strange thing is that the VPN was working fine with a PIX Firewall running 6.3(1). I literally copied and pasted the config when migrating between the platforms.

Does anyone have any ideas why the problem might be happening, what debugs to look out for?

I think I've managed to rule out things like DPD (Dead Peer Detection) and keepalives since the VPN is in constant use.

The 75% is pretty constant as well - I've increased the IKE lifetime to 86400 (24hrs) to mitigate the problem, causing a drop every 18hrs (75%).

Next step is to interpret the debugs and try to recreate - pretty hard without another Watchguard!

We have other customer VPNs on the same box, which seem unaffected - they can stay up for days with much smaller volumes of traffic.

Any help is appreciated

3 REPLIES
Silver

Re: PIX/ASA v7 to Watchguard VPN Problem

You could be hitting a bug: try this bug: CSCsi47630 for more information

New Member

Re: PIX/ASA v7 to Watchguard VPN Problem

Hi,

Thanks for your reply.

Reading the bug report unfortunately doesn't help us that much - the symptoms are the same, but the technical description is a little light on detail.

In any case Cisco has closed it without fixing - perhaps due to a lack of detail?

Thanks again for the post though.

New Member

Re: PIX/ASA v7 to Watchguard VPN Problem

Seems to have a similar issue between an ASA5505 (8.0) and a Watchguard, however during the P1 negotiation this shows:

195.24.xx.xx, IP = 195.24.xx.xx, Starting P1 rekey timer: 64800 seconds.

As you can see the P1 rekey timer is 64800 seconds, which happens to be 18 hours; both the Watchguard and the Cisco have a lifetime of 24h configured... bug in the Watchguard?

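The last reply's observation (a 64800-second P1 rekey timer against a 24-hour lifetime) is the kind of check worth automating when you are deciding which side initiates the rekey that coincides with the drops. The script below is an added example, not code from the thread or from Cisco: it pulls every "Starting P1 rekey timer: N seconds." line out of ASA isakmp debug output (the format quoted above), joins each peer with the lifetime you believe is configured for it, and reports the timer as a fraction of that lifetime. The sample debug text, the peer addresses (RFC 5737 documentation range) and the CONFIGURED_LIFETIME table are all constructed for the example.

```python
"""Audit Cisco ASA IKEv1 Phase-1 rekey timers against configured lifetimes.

Reads 'debug crypto isakmp'-style output, extracts every
'Starting P1 rekey timer: N seconds.' line (the format quoted in the thread),
and reports the timer as a fraction of the lifetime configured for that peer.
A fraction well below 1.0 means this ASA will initiate the Phase-1 rekey long
before the negotiated lifetime expires; if tunnel drops line up with that
interval, the rekey is the event to investigate on the peer side.
"""
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the single debug line quoted in the
# thread. Peer addresses are from the documentation range (RFC 5737), not real.
SAMPLE_DEBUG = """\
[IKEv1]: IP = 192.0.2.10, Starting P1 rekey timer: 64800 seconds.
[IKEv1]: IP = 192.0.2.10, some unrelated debug line that the parser must ignore
[IKEv1]: IP = 198.51.100.20, Starting P1 rekey timer: 21600 seconds.
"""

# Assumed per-peer 'isakmp policy ... lifetime' values (constructed for the example).
CONFIGURED_LIFETIME = {
    "192.0.2.10": 86400,      # 24 h, as in the thread
    "198.51.100.20": 86400,
}

REKEY_RE = re.compile(
    r"IP = (?P<peer>[0-9A-Za-z.:]+), Starting P1 rekey timer: (?P<secs>\d+) seconds"
)


@dataclass
class RekeyTimer:
    peer: str
    timer_secs: int


def parse_rekey_timers(debug_text: str) -> list[RekeyTimer]:
    """Return one RekeyTimer per 'Starting P1 rekey timer' line, in file order."""
    found = []
    for line in debug_text.splitlines():
        m = REKEY_RE.search(line)
        if m:
            found.append(RekeyTimer(m.group("peer"), int(m.group("secs"))))
    return found


def rekey_fraction(timer_secs: int, lifetime_secs: int) -> float:
    """Fraction of the configured lifetime at which the ASA starts rekeying."""
    if lifetime_secs <= 0:
        raise ValueError("lifetime must be positive")
    return round(timer_secs / lifetime_secs, 4)


def audit(debug_text: str, lifetimes: dict[str, int]) -> list[dict]:
    """Join parsed timers with configured lifetimes and annotate each peer."""
    report = []
    for t in parse_rekey_timers(debug_text):
        lifetime = lifetimes.get(t.peer)
        if lifetime is None:
            # Peer not in our table: report the timer but make no ratio claim.
            report.append({"peer": t.peer, "timer": t.timer_secs,
                           "fraction": None, "note": "no configured lifetime known"})
            continue
        frac = rekey_fraction(t.timer_secs, lifetime)
        hours = t.timer_secs / 3600
        note = (f"ASA initiates P1 rekey every {hours:g} h "
                f"({frac:.0%} of the {lifetime} s lifetime)")
        report.append({"peer": t.peer, "timer": t.timer_secs,
                       "fraction": frac, "note": note})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_DEBUG, CONFIGURED_LIFETIME):
        print(row)
```

Run against real debug output, the first sample peer reproduces the thread's numbers: a 64800 s timer is 75% of an 86400 s lifetime, so drops recurring every 18 hours coincide with the ASA-initiated rekey rather than with the end of the lifetime itself. That matches the original poster's observation and tells you where to look next (how the Watchguard side handles the rekey), without assuming which device is at fault.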