
WatchGuard Firebox X10 BOVPN drops

We have a WatchGuard X10w-e that we've established a BOVPN secure tunnel with (back) to a WatchGuard X750-e.

When we restart the BOVPN we get a brief moment of internet activity, then it drops. However, the tunnel remains in place with no errors. We can fully access the shares on the servers (via IP only) at the WatchGuard X750-e location.

It should be noted that we are using DHCP to obtain automatically on each PC, and have no DNS settings specified.  Please help!
1 Solution
I would need a few details on the setup:

Is your X10w-e on a dynamic public IP? If yes, are you using an FQDN [fully qualified domain name], or are you creating a DVCP tunnel?

Further, when you say internet activity drops, what exactly do you mean? You cannot browse the internet from behind the X10w-e, or is it that the internet works but the connectivity through the VPN tunnel is not available?

Also, from the X750-e side, the server shares which you access, are they reached over the VPN tunnel?

Last, is DNS resolution across the VPN tunnel needed?

Please advise.

Thank you.
afsanchez001 (Author) commented:
The X10w-e has a range of STATIC IPs: (<-- we use this one, and 'only' this one.)

We are using a BOVPN tunnel.  (Just a standard secure tunnel) nothing Dynamic (No DVCP).

INTERNET: We have five PCs at the Branch Office, each PC needs to have access to the internet.  They also need to be able to see the Servers at the X750-e location.

I think we do need to have the DNS configured so that we can use name resolution when reaching shares, servers, etc. back at the X750-e location, right?
afsanchez001 (Author) commented:
We have another location (BOVPN) with the 'same' exact setup and it works. It can see the shares (by IP only), and has full access to the internet.

Back at the newest X10e-w location (where it is not working) only the PC used to configure the WatchGuard is capable of seeing the internet.

This is our problem.

OK, as I understand it there are two things which are not working:

1. Out of the five PCs at the remote branch where the new X10e-w is located (let's call it Site 'B'), only one PC is able to connect to the internet.

2. The BOVPN between Site 'A' (where the 750e is located) and Site 'B' is not coming up.

For 1: please make sure that on all the computers the WG internal IP address is the default gateway. Also, make sure that you are able to ping out by IP first and then by name. The steps can be:
ping wg-internal-ip from the machine behind the WG [you should get a reply]
ping wg-external-ip from the machine behind the WG [you should get a reply]
ping wg-external-gateway from the machine behind the WG [you should get a reply]
now, ping yahoo-or-any-website-by-ip-rather-than-name from the machine behind the WG [you should get a reply]

Finally, try ping www.yahoo.com from the machine behind the WG [you should get a reply]; if you get replies then the machine is connected to the internet. If only name resolution fails then you should check your DNS server settings.

For 2: make sure that 76.x.x.9 is assigned as the public IP on the WG external interface. Also, make sure you have policies on the 750-e to allow traffic from the X10e-w private network; configure incoming as below:
Enabled and allowed; from wg-10-e-w-internal-network-subnet; to trusted
Outgoing as:
Enabled and allowed; from trusted; to wg-10-e-w-internal-network-subnet

As the tunnel shows as up, I think all the VPN settings are identical and I am not listing steps to troubleshoot the tunnel. Also, make sure that you have specified the remote/local subnets properly and have not interchanged them.

Please check and update.
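The staged ping sequence in the answer above (internal interface, external interface, upstream gateway, a public IP, then a public name) is a classic way to isolate where outbound connectivity breaks: the first hop that stops replying points at the layer to inspect. The script below is an added example written for this page, not WatchGuard's code or anything the poster ran. It assumes the operator supplies the five targets on the command line (the hop addresses in the usage comment are constructed placeholders); `diagnose` maps the five reply results to the first failing stage so the interpretation is the same every time it is run.

```sh
#!/bin/sh
# Staged outbound connectivity check for a PC behind a branch firewall.
# Added example, not part of the original thread.
# Stages, in the order the answer lists them:
#   1 wg-internal          the firewall's trusted-side IP (should be the default gateway)
#   2 wg-external          the firewall's public IP
#   3 wg-upstream-gateway  the ISP gateway in front of the firewall
#   4 public-ip            any well-known public address, by IP (constructed placeholder below)
#   5 dns-name             the same kind of host, by name
STAGES="wg-internal wg-external wg-upstream-gateway public-ip dns-name"

# check_host HOST -> exit 0 if one ICMP echo gets a reply within 2 seconds.
check_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# diagnose R1 R2 R3 R4 R5 -> prints the first stage whose result is not "1"
# (1 = reply received), or "all-ok" when every stage replied.
# Kept free of network calls so the decision logic can be tested offline.
diagnose() {
    for stage in $STAGES; do
        if [ "${1:-0}" != "1" ]; then
            echo "$stage"
            return 1
        fi
        shift
    done
    echo "all-ok"
    return 0
}

# advice STAGE -> what the answer says to look at when that stage fails.
advice() {
    case "$1" in
        wg-internal)         echo "PC cannot reach the firewall: check default gateway and LAN settings" ;;
        wg-external)         echo "Firewall reached but its external IP does not answer: check WG interface config" ;;
        wg-upstream-gateway) echo "Upstream gateway unreachable: check external interface IP and ISP link" ;;
        public-ip)           echo "Internet by IP fails: check outbound policies on the firewall" ;;
        dns-name)            echo "Only name resolution fails: check the DNS server settings handed to the PCs" ;;
        all-ok)              echo "Machine is connected to the internet" ;;
        *)                   echo "Unknown stage: $1"; return 1 ;;
    esac
}

# run_checks INTERNAL EXTERNAL UPSTREAM PUBLIC_IP PUBLIC_NAME
# Pings each target in order, stops at the first failure, prints the diagnosis.
# Example (constructed placeholder hops, not the poster's real addresses):
#   run_checks 192.0.2.1 198.51.100.2 198.51.100.1 203.0.113.10 www.example.com
run_checks() {
    results=""
    for target in "$@"; do
        if check_host "$target"; then
            results="$results 1"
        else
            results="$results 0"
            break
        fi
    done
    # shellcheck disable=SC2086  # word-splitting of $results is intended
    stage=$(diagnose $results)
    echo "first failing stage: $stage"
    advice "$stage"
}
```

`diagnose` returns non-zero whenever a stage failed, so the script can be dropped into a login script and its exit status checked, and `advice` only repeats the remediation hints from the answer rather than guessing at causes the thread does not mention.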
afsanchez001 (Author) commented:
A+ for thoroughness; the trick was to activate the Feature Key! DNS was handled by adding the domain to the DNS suffix. I do still have a problem though... I could JOIN the domain, but each time I log in I have to log in to the workstation (not the domain, because it is not yet available); then once inside I can VPN and access domain items. However, to LOG ON to the domain I have to LOG OFF the workstation (BUT!!! that kills the network connections, including VPN) and then I am back to square one. NO WAY TO LOG IN TO THE DOMAIN. Enjoy the points...
Thank you for the points.