WatchGuard SOHO and Cisco PIX VPN 5000 Series... Help !!!

I have a client that I support that has a DSL Connection at home. In addition, I am using a Watchguard SOHO box to handle Internet sharing so he can share his DSL pipe for internet access. The problem that I am having is that every time I initiate a connection to access the office by VPN using the Altiga client, within 2 minutes, everything becomes inactive. (The VPN tunnel stays up and connected but I lose my ability to access anything within the Corporate environment.) I have been dealing with Watchguard tech support and I will paste what his synopsis and proposed solution are. I just want to know if his assumption is worth wasting my time. (I have been dealing with this problem for over 2 months). Oh, by the way, once I connect with the Altiga client and issue a ping -t command pinging something live in the environment, I can keep my connection forever but I don't want my client performing these tasks every time he wants to connect to the Corporate environment. Below, find the comments that the Watchguard engineer has stated. Thanks.

Jim

Watchguard Technical Support Representative: In short: the IPSEC clients will establish the tunnel using UDP port 500, then it will open a variable IP port to transport the data between the networks. While the transport tunnel is usually the most active, the UDP port must be maintained in order to maintain the overall VPN connection. The UDP port doesn't need to be sending constant data, it will just send an occasional datagram to say... I'm still here, which will thereby maintain the tunnel.

In your case, it is the exact opposite. The tunnel is first established over the IP port 50/51 then the transport tunnel is established over UDP port 10000.

The downside of this design is that if the UDP port should ever become idle, it will time out but doesn't terminate the whole tunnel because the IP tunnel is still active and would be until it finally timed out 2 hours later.

The SOHO was more designed for the first type of client, which is the most common type of client. Though the ports may differ, they are basically the same. The specifics: UDP has a few min idle time out period. IP has a 2 hour time out period.

With this in mind, are you limited to using just this client, or are you able to use another client that is based off the IPSEC standards and using only IP rather than UDP for transport?
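The failure mode the engineer describes (the transport state on UDP/10000 ages out after a few idle minutes while the IP protocol 50/51 state survives for two hours, so the tunnel looks up but nothing gets through) can be modelled as a stateful firewall's connection-tracking table with per-protocol idle timeouts. The following simulation is an added example written for this thread; it is not code from the poster, from WatchGuard or from Cisco. The timeout values are taken from the engineer's description, the endpoint addresses and flow tuples are constructed sample data, and the assumption that keepalive traffic (the `ping -t` workaround) refreshes only the UDP/10000 entry is a modelling choice, not a documented SOHO behaviour.

```python
"""Model of a stateful firewall's connection table with per-protocol idle
timeouts, illustrating why a VPN tunnel can stay "up" while its data path
is silently dropped.  Added example; not vendor code.  Timeouts follow the
WatchGuard engineer's description in the thread: UDP idles out after a few
minutes, IP protocol 50/51 (ESP/AH) state lasts two hours."""

from dataclasses import dataclass
from typing import Optional

UDP_IDLE_TIMEOUT = 120            # seconds; "a few min" in the description
IP_PROTO_IDLE_TIMEOUT = 2 * 3600  # seconds; ESP/AH state lives two hours

# Constructed sample endpoints (not addresses from the thread).
CLIENT = "192.168.1.10"
CONCENTRATOR = "203.0.113.5"


@dataclass(frozen=True)
class Flow:
    proto: str                  # "udp", "esp" (IP proto 50) or "ah" (IP proto 51)
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


def idle_timeout(proto: str) -> int:
    """Idle timeout applied to a state entry, keyed on its protocol."""
    return UDP_IDLE_TIMEOUT if proto == "udp" else IP_PROTO_IDLE_TIMEOUT


class StateTable:
    """Minimal connection-tracking table: flow -> last-seen timestamp."""

    def __init__(self) -> None:
        self.entries: dict[Flow, int] = {}

    def packet(self, flow: Flow, now: int) -> None:
        """Outbound packet seen: create or refresh the state entry."""
        self.entries[flow] = now

    def expire(self, now: int) -> list[Flow]:
        """Drop entries idle longer than their protocol's timeout."""
        dead = [f for f, seen in self.entries.items()
                if now - seen > idle_timeout(f.proto)]
        for f in dead:
            del self.entries[f]
        return dead

    def allows(self, flow: Flow, now: int) -> bool:
        """Inbound reply is passed only while a live state entry exists."""
        self.expire(now)
        return flow in self.entries


def simulate(duration: int, keepalive_interval: Optional[int] = None):
    """Bring the tunnel up at t=0, then let the user go silent for
    `duration` seconds.  Optionally send a keepalive inside the UDP/10000
    transport every `keepalive_interval` seconds (the ping -t workaround).
    Returns (udp_transport_alive, ip_tunnel_alive) at t=duration."""
    table = StateTable()
    ip_tunnel = Flow("esp", CLIENT, CONCENTRATOR)
    transport = Flow("udp", CLIENT, CONCENTRATOR, 10000, 10000)
    table.packet(ip_tunnel, 0)   # tunnel established over IP proto 50/51
    table.packet(transport, 0)   # transport established over UDP/10000
    for t in range(10, duration + 1, 10):
        # Assumption: keepalives ride the transport, so only the UDP entry
        # is refreshed; the IP-protocol entry keeps its original timestamp.
        if keepalive_interval and t % keepalive_interval == 0:
            table.packet(transport, t)
    return table.allows(transport, duration), table.allows(ip_tunnel, duration)


if __name__ == "__main__":
    print("idle 10 min, no keepalive   :", simulate(600))        # (False, True)
    print("idle 10 min, keepalive 60 s :", simulate(600, 60))    # (True, True)
    print("idle 2h+, no keepalive      :", simulate(8000))       # (False, False)
```

Running it reproduces the symptom in the post: after ten idle minutes the UDP/10000 entry is gone (data path dead) while the protocol 50/51 entry is still present (tunnel "connected"), and a keepalive shorter than the UDP idle timeout keeps the transport alive. It also shows the constraint behind the reply below this post: whatever keepalive or timeout change is chosen, the keepalive interval has to stay under the firewall's UDP idle timeout, which is why an interval of 180 seconds against a 120-second timeout can still fail depending on where in the cycle the reply arrives.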


Re: WatchGuard SOHO and Cisco PIX VPN 5000 Series... Help !!!

To start, I'm sure you are aware every firewall vendor has their own methodology of timing out connection states. You would obviously have security ramifications by leaving these states open indefinitely. I'd try and terminate your VPNs right on the firewall. I'd check if Watchguard supports this before doing so, or at least nail open the connection or even crank up the timeout values to support your needs.
