WatchGuard Firebox X10 BOVPN drops

We have a WatchGuard X10w-e that we've established a BOVPN secure tunnel with (back) to a WatchGuard X750-e.

When we restart the BOVPN we get a brief moment of internet activity, then it drops.  However, the tunnel remains in place with no errors.  We can fully access the shares on the servers (via IP only) at the WatchGuard X750-e location.

It should be noted that we are using DHCP to obtain automatically on each PC, and have no DNS settings specified.  Please help!
afsanchez001Asked:

dpk_walCommented:
I would need a few details on the setup:

Does your X10w-e have a dynamic public IP? If yes, are you using an FQDN [Fully qualified domain name] or are you creating a DVCP tunnel?

Further, when you say internet activity drops, what exactly do you mean? You cannot browse the internet from the X10w-e, or is it that the internet works but the connectivity through the VPN tunnel is not available?

Also, from the X750-e, are the server shares which you access over the VPN tunnel?

Last, is DNS resolution needed with respect to the VPN tunnel?

Please advise.

Thank you.
0
afsanchez001Author Commented:
The X10w-e has a range of STATIC IPs:  

       76.196.34.9  (<-- we use this one, and 'only' this one.)
       76.196.34.10
       76.196.34.11
       76.196.34.12
       76.196.34.13

We are using a BOVPN tunnel.  (Just a standard secure tunnel) nothing Dynamic (No DVCP).

INTERNET: We have five PCs at the Branch Office, each PC needs to have access to the internet.  They also need to be able to see the Servers at the X750-e location.

I think we do need to have the DNS configured so that we can use name resolution when reaching shares, servers, etc. back at the X750-e location, right?
0
afsanchez001Author Commented:
We have another location (BOVPN) with the 'same' exact setup and it works.  It can see the shares (By IP Only), and has full access to the internet.

Back at the newest X10e-w location (where it is not working) only the PC used to configure the WatchGuard is capable of seeing the internet.

This is our problem.
0

dpk_walCommented:
OK, as I understand it there are two things which are not working:

1. Out of the five PCs at the remote branch where the new X10e-w is located (let's call it Site 'B'), only one PC is able to connect to the internet.

2. The BOVPN between site 'A' (where 750e is located) and B is not coming up.

For 1: please make sure that on all the computers the WG internal IP address is the default gateway. Also, make sure that you are able to ping out by IP first and then by name. The steps can be:
ping wg-internal-ip from the machine behind WG [you should get reply]
ping wg-external-ip from the machine behind WG [you should get reply]
ping wg-external-gateway from the machine behind WG [you should get reply]
now, ping yahoo-or-any-website-with-ip-rather-than-name from the machine behind WG [you should get reply]

Finally try, ping www.yahoo.com from the machine behind WG [you should get reply]; if you get replies then the machine is connected to the internet. If only name resolution fails then you should check your DNS server settings.

For 2: make sure that 76.x.x.9 is assigned as the public IP on the WG external interface. Also, make sure you have policies on the 750-e to allow traffic from the x10e-w private network; configure incoming as below:
Enabled and allowed; from wg-10-e-w-internal-network-subnet; to trusted
Outgoing as:
Enabled and allowed; from trusted; to wg-10-e-w-internal-network-subnet

As the tunnel shows as up, I think all the VPN settings are identical and I am not listing steps to troubleshoot the tunnel. Also, make sure that you have specified the remote/local subnets properly and have not interchanged them.

Please check and update.
0
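The layered ping sequence dpk_wal lays out above (LAN gateway, then firewall external IP, then ISP gateway, then a public IP, and only then a DNS name) is what isolates "no internet" from "no DNS". The script below is an added example, not part of the thread or of any WatchGuard tooling: it runs the probes in that order, stops at the first layer that fails, and maps that layer to the item the answer says to check. All addresses other than 76.196.34.9 (taken from the thread) are placeholders to be replaced with your own; `probe` is a one-packet ping wrapper kept separate so it can be swapped out.

```shell
#!/bin/sh
# Layered connectivity check in the order given in the answer above.
# Constructed example; every address except WG_EXTERNAL is a placeholder.

WG_INTERNAL="${WG_INTERNAL:-192.168.1.1}"     # Firebox trusted IP (placeholder)
WG_EXTERNAL="${WG_EXTERNAL:-76.196.34.9}"     # public IP named in the thread
ISP_GATEWAY="${ISP_GATEWAY:-203.0.113.1}"     # upstream gateway (placeholder)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.80}"        # any reachable public IP (placeholder)
PUBLIC_NAME="${PUBLIC_NAME:-www.yahoo.com}"   # name used in the answer

# probe HOST: one ICMP echo, two-second timeout (GNU ping flags).
# Defined as a function so a test or a different probe tool can replace it.
probe() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# check_layers: print the name of the first layer whose probe fails and
# return 1; print "ok" and return 0 when every layer answers.
check_layers() {
    for pair in "lan-gateway:$WG_INTERNAL" "wg-external:$WG_EXTERNAL" \
                "isp-gateway:$ISP_GATEWAY" "public-ip:$PUBLIC_IP" \
                "dns-name:$PUBLIC_NAME"; do
        layer=${pair%%:*}
        host=${pair#*:}
        if ! probe "$host"; then
            echo "$layer"
            return 1
        fi
    done
    echo ok
    return 0
}

# diagnose LAYER: the thing the answer above says to check for that layer.
diagnose() {
    case "$1" in
        ok)          echo "connected; if the VPN still fails, check tunnel local/remote subnets and policies" ;;
        lan-gateway) echo "check the PC's IP settings; default gateway must be the Firebox trusted IP" ;;
        wg-external) echo "check the Firebox external interface address" ;;
        isp-gateway) echo "check the upstream link to the ISP" ;;
        public-ip)   echo "check the Firebox outgoing policy/NAT" ;;
        dns-name)    echo "IP works but names do not: check DNS server settings" ;;
        *)           echo "unknown layer: $1" ;;
    esac
}

# Run only when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    layer=$(check_layers) || true
    echo "$layer: $(diagnose "$layer")"
fi
```

Run it with `sh check.sh run` from a PC behind the Firebox, after exporting the real addresses (`WG_INTERNAL=... ISP_GATEWAY=... sh check.sh run`). If the output names `dns-name`, the PC has internet access and only resolution is broken, which matches the DNS suffix fix the asker reports later in the thread.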

afsanchez001Author Commented:
A+ for thoroughness; the trick was to activate the Feature Key!  DNS was handled by adding the domain to the DNS suffix.  I do still have a problem though...  I could JOIN the domain, but each time I login I have to login to the workstation (not the domain because it is not yet available) then once inside I can VPN and access domain items, however, to LOGON to the domain I have to LOGOFF the workstation (BUT!!!  that kills the network connections, including VPN) and then I am back to square one.  NO WAY TO LOGIN TO DOMAIN.  Enjoy the points...
0
dpk_walCommented:
Thank you for the points.
0