Solved

Functioning BOVPN tunnels to Dubai just stop working - URGENT

Posted on 2008-10-20
1,633 Views
Last Modified: 2013-11-16
We have an office in the UK with a Watchguard Firebox X1000 connected to two other UK offices with Firebox X700 and an office in the Isle of Man with a Firebox II. All of these offices are connected to the other three using BOVPN tunnels and this configuration has been up and running for several years and has been very stable.

We have now opened an office in Dubai and are using a Firebox X20e to connect it to the rest of the offices using BOVPN tunnels. The local ISP, Etisalat, has provided a 2Mb DSL line with dynamic IP addressing.

Whilst I was in Dubai I set up the Firebox locally and used remote access tools to set up the BOVPN tunnel to London; this all connected OK once I had got my head around the new interface. I stuck with the default settings for Phase 1 and Phase 2 and provided the same shared key at both ends. I then proceeded to install the local Windows server and join it to the company domain.

On my return to London I made a trip to Manchester (not just for the BOVPN) and configured their local Firebox to connect to Dubai. This went through with no problems and connected OK.

The following week the connection between London and Dubai just stopped working for no apparent reason. As I was travelling to the third office (Oxford) at the time I was unable to address the issue until the following morning. All the configurations at both ends looked to be OK and the Manchester to Dubai link was working with no problems. After trying various issues I used the connectivity between Manchester and Dubai to delete the BOVPN tunnel between London and Dubai on both boxes and then recreated them from scratch. This seemed to fix the problem, although it didn't indicate the reason for the problem in the first place. I also configured a BOVPN tunnel between Oxford and Dubai with no problems at all.

The following day (Friday) I set up some jobs to transfer a reasonably large amount of data (>5Gb) to Dubai from London as that is the start of the weekend in Dubai. On Sunday morning I got a text from Dubai (06:15 local time!!) telling me that the BOVPN link between London and Dubai was down again. I checked the system and this time all three links to Dubai were down; all of the UK and Isle of Man links were working fine.

I have tried various changes on the London end and got someone in Dubai to make changes on their Firebox but nothing would bring the link back up. I even tried deleting and recreating the link between London and Dubai, but again no joy. I have checked and the IP address in Dubai has not changed.

As it stands, the links are still down so this is urgent; can anyone shed any light?

On the London Firebox where it has been rebooted several times yesterday, there is no error message showing against the BOVPN tunnel but there is no connectivity either.

On the other two Fireboxes which have not been rebooted, it shows "Key has expired: Renegotiating [SHA1-HMAC Authentication 3DES-CBC Encryption]" followed by "Key has expired: Renegotiation Failed [SHA1-HMAC Authentication 3DES-CBC Encryption]".

The Firebox System Monitor, Traffic Monitor shows various error messages. Starting with the box that has been rebooted I get the following sequence of messages (86.xx.xx.xx is the IP address of the Dubai end):

Iked(165) RE-TO 86.xx.xx.xx MM-HDR  ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
Iked(165) FROM 86.xx.xx.xx IF-HDR -535Axxxx ISA_NOTIFY
Received a packet for an unknown SA

iked[165]:  Deleting SA: peer        86.xx.xx.xx
iked[165]:               my_cookie   F49A54E1xxxxxxxx
iked[165]:               peer_cookie 0000000000000000

However, I do see the following which seems to indicate some traffic is going through:
tunneld[161]:  recv echo-request from 86.xx.xx.xx
tunneld[161]:  sent echo-reply

I am not sure whether this message is relevant but there are quite a lot of them showing on this box:
kernel:  GRE: out of order: as:2615 seq:2614 from:0x3b1axxxx

On the two boxes which have not been rebooted, I am getting the following sequence of messages:

iked[145]:  RE-TO 86.98.26.59 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
iked[145]:  Deleting SA: peer        86.xx.xx.xx
iked[145]:               my_cookie   2316CBEAxxxxxxxx
iked[145]:               peer_cookie 0000000000000000

I am totally at a loss as to what to try next; I cannot understand why a BOVPN tunnel that is working fine just suddenly drops out for no apparent reason.

At the Dubai office they are able to access the Internet with no problems and make a client VPN connection into London. I can also access Outlook Web Access on their server. The major problem is that all incoming and outgoing mail goes via London so I have got the Dubai office jumping up and down on me; bear in mind that yesterday (Sunday) is a working day for them, so they have now been down for a day and a half.

Any assistance or information that anyone can provide will be most appreciated!

Many thanks, Eddie
Question by:EddieWr
4 Comments
LVL 32

Accepted Solution

by: dpk_wal (earned 500 total points)
ID: 22759053
The first set of logs indicate that the phase I of VPN tunnel configured in main mode is not going through:
>> Iked(165) RE-TO 86.xx.xx.xx MM-HDR  ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

This usually means that the problem is with the phase I configuration and one of the many parameters does not match; it can even be that one of the ends is configured with main mode and the other with aggressive mode, as the following log suggests:
>> AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

The GRE entries are not relevant to this context, as GRE entries are for PPTP which you would have enabled on that specific box:
>> kernel:  GRE: out of order: as:2615 seq:2614 from:0x3b1axxxx

Please ensure that the phase I settings are identical on both the ends. Rebooting the X55e once would be a good option as well.

Thank you.
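As an added example (not code from the thread or from WatchGuard), a small Python classifier for the iked lines quoted in the question: it picks out which phase 1 mode each site is proposing (MM-HDR vs AG-HDR), flags the all-zero peer_cookie that shows the Dubai end never answered, and discards the GRE lines as unrelated, as the answer explains. The sample lines are constructed from the question's excerpts with the addresses masked as on the page.

```python
import re

# Constructed samples modelled on the question's log excerpts (addresses masked as on the page).
LONDON_LOG = """\
Iked(165) RE-TO 86.xx.xx.xx MM-HDR  ISA_SA ISA_VENDORID ISA_VENDORID
Received a packet for an unknown SA
iked[165]:  Deleting SA: peer        86.xx.xx.xx
iked[165]:               peer_cookie 0000000000000000
kernel:  GRE: out of order: as:2615 seq:2614 from:0x3b1axxxx
"""
MANCHESTER_LOG = """\
iked[145]:  RE-TO 86.xx.xx.xx AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
iked[145]:  Deleting SA: peer        86.xx.xx.xx
iked[145]:               peer_cookie 0000000000000000
"""

RETRANSMIT = re.compile(r"iked[\[(]\d+[\])]:?\s+RE-TO\s+(\S+)\s+(MM|AG)-HDR", re.I)
DELETING = re.compile(r"Deleting SA: peer\s+(\S+)")
COOKIE = re.compile(r"peer_cookie\s+([0-9A-Fa-f]+)")

def analyse_box(log_text):
    # Per-peer IKE phase 1 state from one Firebox's Traffic Monitor lines.
    peers, current = {}, None
    for line in log_text.splitlines():
        if "GRE:" in line:           # PPTP/GRE noise, unrelated to the BOVPN (as the answer notes)
            continue
        m = RETRANSMIT.search(line)  # RE-TO: our own phase 1 proposal is being retransmitted
        if m:
            current = m.group(1)
            peers.setdefault(current, {"mode": None, "peer_silent": False})
            peers[current]["mode"] = "main" if m.group(2).upper() == "MM" else "aggressive"
        m = DELETING.search(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {"mode": None, "peer_silent": False})
        m = COOKIE.search(line)      # all-zero peer cookie: the peer never answered at all
        if m and current and set(m.group(1)) == {"0"}:
            peers[current]["peer_silent"] = True
    return peers

def diagnose(boxes):
    # boxes: {site: log_text}. Returns findings to check before touching phase 2 settings.
    findings, modes = [], {}
    for site, text in boxes.items():
        for peer, info in analyse_box(text).items():
            modes.setdefault(peer, {})[site] = info["mode"]
            if info["peer_silent"]:
                findings.append(f"{site}: no phase 1 reply from {peer} ({info['mode']} mode)")
    for peer, by_site in modes.items():
        if len({m for m in by_site.values() if m}) > 1:
            findings.append(f"{peer}: sites propose different phase 1 modes {by_site}")
    return findings
```

Run `diagnose({"London": LONDON_LOG, "Manchester": MANCHESTER_LOG})` to see the two silent-peer findings plus the main/aggressive mismatch across sites.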

Author Comment

by:EddieWr
ID: 22765660
Hi dpk_wal,

We ended up rebooting the Firebox in Dubai and that seems to have solved it. I didn't want to have to do this as Etisalat don't give a static IP address even for business broadband and I had to update the configuration at each of the UK sites to reflect the new IP address.

Thank you for the feedback.

Eddie
LVL 32

Expert Comment

by:dpk_wal
ID: 22765764
If possible get a dynamic DNS service subscription which would solve the dynamic IP reconfiguration issues for you.

Thank you.
Author Comment

by:EddieWr
ID: 22765783
Hi, we do have a dynamic DNS entry for the site, but in the Watchguard BOVPN at the X1000 end it seems to need the IP address to be specified as well as the domain name. Is it OK to omit the IP address even though it seems to be asking for it to be provided?

Whilst I am an expert on a lot of IT stuff I am not totally familiar with the requirements of VPN settings!

Many thanks, Eddie