WatchGuard SOHO and Cisco PIX VPN 5000 Series... Help !!!
I have a client that I support that has a DSL Connection at home. In addition, I am using a Watchguard SOHO box to handle Internet sharing so he can share his DSL pipe for internet access. The problem that I am having is that every time I initiate a connection to access the office by VPN using the Altiga client, within 2 minutes, everything becomes inactive. (The VPN tunnel stays up and connected but I lose my ability to access anything within the Corporate environment.) I have been dealing with Watchguard tech support and I will paste what his synopsis and proposed solution is. I just want to know if his assumption is worth wasting my time. (I have been dealing with this problem for over 2 months). Oh, by the way, once I connect with the Altiga client and issue a ping -t command pinging something live in the environment, I can keep my connection forever, but I don't want my client performing these tasks every time he wants to connect to the Corporate environment. Below, find the comments that the Watchguard engineer has stated. Thanks.
Watchguard Technical Support Representative: In short: the IPSEC clients will establish the tunnel using UDP port 500, then it will open a variable IP port to transport the data between the networks. While the transport tunnel is usually the most active, the UDP port must be maintained in order to maintain the overall VPN connection. The UDP port doesn't need to be sending constant data, it will just send an occasional datagram to say... I'm still here, which will thereby maintain

In your case, it is the exact opposite. The tunnel is first established over the IP port 50/51, then the transport tunnel is established over UDP

The downside of this design is that if the UDP port should ever become idle, it will time out but doesn't terminate the whole tunnel because the IP tunnel is still active and would be until it finally timed out 2 hours

The SOHO was more designed for the first type of client, which is the most common type of client. Though the ports may differ, they are basically the same. The specifics: UDP has a few-minute idle time-out period. IP has a 2-hour time-out period.

With this in mind, are you limited to using just this client, or are you able to use another client that is based off the IPSEC standards and using
Re: WatchGuard SOHO and Cisco PIX VPN 5000 Series... Help !!!
To start, I'm sure you are aware every firewall vendor has their own methodology of timing out connection states. You would obviously have security ramifications by leaving these states open indefinitely. I'd try and terminate your VPNs right on the firewall. I'd check if Watchguard supports this before doing so, or at least nail open the connection or even crank up the timeout values to support your needs.