Question

Site to Site VPN tunnel issues

Asked by: cgillet

Scenario: 2 sites 1 Domain
Main office:
Watchguard Firebox X Edge
MS Small Business Server 2003 w/ Exchange
30-40 windows XP professional clients
T1
192.168.2.x subnet

Remote office:
Fortigate 60
10-20 windows XP professional clients
DSL
192.168.3.x subnet

There is a site-to-site VPN setup between the two firewall devices. Remote office workers access shared folders and e-mail over the VPN tunnel. VPN tunnel has been shutting down every couple weeks. I've been able to solve this by logging into each VPN device and refreshing the IPsec keys and/or resetting the remote office firewall. Once the tunnel is active connectivity returns to normal. The settings are DH5, Sha-1, 3DES-CBC pre-shared key. key exprires every 24 hours.

Any ideas why the tunnel would break intermittently? Today was the most recent occurence of this event and I've been able to get the tunnel backup with a reboot on the Fortigate60 at the remote site. But now remote office clients cannot access shared files or network drives. Tunnel status is showing as active on both devices

Also the Watchguard at the main site will intermittently freeze every few weeks, requiring a reboot. There's no common interval. Sometimes it will be up for 6 weeks some times 4 or 5 days.
I've heard that malware can cause buffer overflows and wierd gateway problems. I've been logging events on the watchguard to verify my suspician but haven't seen anything conclusive yet.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-10-19 at 13:16:48ID24824940
Tags

VPN

,

Firewall

Topics

Virtual Private Networking (VPN)

,

Networking Hardware Firewalls

,

IPSec Security Protocol

Participating Experts
2
Points
500
Comments
11

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Firebox III loses VPN tunnel
    Hi there. Recently, we have been having some issues with a VPN tunnel between two divisions at my workplace. Key re-negotiation keeps failling and I am not sure why. The tunnel is configured using IPSEC and the device used on both ends is a Firebox III 1000 from Watchguard....
  2. Watchguard Firebox 700 VPN Help
    I have a watchguard Firebox III/700 Series model. I am trying to setup a VPN Connection. I have installed muVPNlite on the client machine and create a shared key and setup this on the client machine and firebox. I am able to connect into the VPN over a dial up modem. I can p...
  3. Cisco VPN Client to Watchguard firebox 700
    Hello. Is it possible to use a Cisco VPN Client to connect to a Watchguard firebox 700? Regards Daniel
  4. IPSEC tunnels
    I have been "volunteered" to set up an IPSEC tunnel between our site and our sister sites in the States and UK. We have a Watchguard Firebox II box and havent any idea about how to go about this. Can anyone point me in the right direction please - web link or ste...
  5. Urgent- Pix506e to Watchguard Firebox site-to-site V…
    If anyone can help with this VPN tunnel I would be very appreciative. I have been staring at it for hours and nothing will work for me. I am trying to accomplish two things. Create a site-to-site VPN between a Pix 506e and a watchguard firebox, and setup a Cisco VPN client...
  6. Macintosh/Linux IPSec VPN WatchGuard Firebox
    I have successfully been able to get a VPN working using the MUVPN client with IPSec. Now there is a new problem, our graphics people use Mac and our developers use Linux. Watchguard's IPsec client is only for Windows. I have tried IPSecuritas but I can't get it to connect...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: ccpjcPosted on 2009-10-19 at 13:45:14ID: 25608849

I don't have experience with these firewalls, but usually VPN's are somewhat the same
I'm going to assume that you have static IP's assigned on each side, if not there's one thing to look at
Are the VPN's set to Main mode or an Aggressive mode?
Do you have a keep alive option on the firewalls, perhaps somewhere in the advanced, if so, enable it only on one side of the sites not both
play with the expiring of the pre-shared key
Change the MTU settings on the firewalls from 1500 to 1404, seems to work good with a lot
Ensure that both sides of the VPN tunnels have the same settings, sha-1, 3des, etc...

 

by: cgilletPosted on 2009-10-19 at 14:04:37ID: 25609030

Currently set in Aggressive mode. 1 side has keep alives every 60 seconds

 

by: cgilletPosted on 2009-10-19 at 14:08:16ID: 25609069

static IP's on both devices

 

by: ccpjcPosted on 2009-10-19 at 14:08:49ID: 25609076

try them on Main Mode, aggressive mode is usually for DHCP connections

 

by: cgilletPosted on 2009-10-19 at 14:18:38ID: 25609155

meant to say: currently set in main mode.

 

by: ccpjcPosted on 2009-10-19 at 14:46:17ID: 25609332

have you tried the MTU setting yet?
Also is there a renegotiate button on either of the firewalls, if not do a reboot on both of them

 

by: cgilletPosted on 2009-10-19 at 15:46:49ID: 25609644

The tunnel has been functional all morning. Do you think that the default MTU setting would contribute the this random failure over time? What is the affect of changing this setting from 1500 to 1404?

 

by: cgilletPosted on 2009-10-19 at 17:50:24ID: 25610191

Any idea why I can ping client pc's at the remote site. But remote users cannot ping the main office servers?

 

by: bignewfPosted on 2009-10-19 at 18:19:10ID: 25610347

IPSec tunnels can drop for the following reasons:

The SA's can be mismatched (even though the tunnel has been up for months) i.e
some IPSec tunnel access-lists if not exactly matched by subnet and networks can caused dropped tunnels  (using a network name for one subnet and using the actual subnet ip on the other peer can cause this)

mismatch in keepalive values
ISAKMP Lifetime (you see this in syslogs with error messages stating rekeying attempts)

I would only change the MTU's as a last resort, if nothing else seems to work. MTU changes usually are a result of router issues, or when the following happens with applications thru an IPSec tunnel:
MTU's become issues when hosts have trouble with certain apps, ie. exchange server and graphics programs which have large data packets which exceed the mtu's of the firewall. When ESP headers are added to the data packets, the packets often exceed the mtu of the firewall with the DF (don't fragment bit) cleared, and the packets don't get fragmented. These type of issues will involve changing the mtu of the firewalls as well as the MSS (maximum segment size) of the packets

Make sure order of transform sets on both piers are identical as well as the sets themselves being identical.
syntax of Phase 1 (ISAKMP) on both peers

NatExempt access lists must be identical as well as the syntax (always use the command line over the gui to verify this)
Verify routing tables also -  if you cannot ping hosts, then there is a problem with
routes and or natexempt  lists.



 

by: cgilletPosted on 2009-10-20 at 11:42:19ID: 25617119

tunnel seems to be working currently. Although users in the remote office cannot access anything on the main office network. no pings, no outlook, no rdp. I'll double check the NAT entries. But these have not changed. Why would the be working (intermittently) for 6-9 months and then stop working. DHCP isn't enabled for the external interfaces on either device. and the local and remote subnets are specified correctly on both devices.

The only thing that changed over the weekend was a scheduled downtime to rearrange some power cords and UPS connections. No software was altered. The tunnel status is Active.

 

by: bignewfPosted on 2009-10-20 at 18:28:56ID: 25620146

do a clear xlate in global mode after hours - to clear all the NAT translation slots. In some cases, you can try removing and re-applying the crypto maps.

Again, I have seen instances of tunnels functioning flawlessly for months and then just drop. Had some drop on me this week at a location -- it turned out I had to reapply the access-lists in both nat exempt and acl's.  I used the numerical ip notation on the opposing peer, which had a network object group syntax mapping to the allowed networks. placing the numerical ips back in the config brought the tunnel back up

something to try at least

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...