  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5478

VPN issue using Watchguard Firebox X700

Hi All,
I've got a VPN IPSec issue using a Watchguard Firebox X700 on my side running Fireware 10.2.3.
This is the error log (the real remote host IP has been replaced with "***REMOTE_HOST_IP***"):

Debug Logs
=============
2008-11-19 16:24:58 iked Ignore a DPD R_U_THERE message from ***REMOTE_HOST_IP***:500(Reason: Unexpected sequence number) msg_id="0203-5274"       Debug
2008-11-19 16:24:58 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:03 iked Ignore a DPD R_U_THERE message from ***REMOTE_HOST_IP***:500(Reason: Unexpected sequence number) msg_id="0203-5274"       Debug
2008-11-19 16:25:03 wgcgi_bin path: /cmm/sync/cli msg_id="0F00-0003"       Debug
2008-11-19 16:25:04 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:07 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:07 wgcgi_bin path: /cmm/cmd 3 msg_id="0F00-0003"       Debug
2008-11-19 16:25:07 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:07 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:08 wgcgi_bin path: /cmm/cmd 8 msg_id="0F00-0003"       Debug
2008-11-19 16:25:08 iked Phase 1 started by peer with policy [Gateway_Ipeer] from ***REMOTE_HOST_IP***:500 main mode msg_id="0203-5021"       Debug
2008-11-19 16:25:08 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:08 wgcgi_bin path: /cmm/cmd 4 msg_id="0F00-0003"       Debug
2008-11-19 16:25:08 iked Initiating phase 2 negotiation to peer ***REMOTE_HOST_IP*** for replacing SPIs: inbound 0x317bec8e outbound 0x9462af7d msg_id="0205-5252"       Debug
2008-11-19 16:25:09 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:09 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:09 wgcgi_bin path: /cmm/sync/cli msg_id="0F00-0003"       Debug
2008-11-19 16:25:11 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:16 wgcgi_bin path: /cmm/sync/cli msg_id="0F00-0003"       Debug
2008-11-19 16:25:17 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:20 iked Drop negotiation to peer ***REMOTE_HOST_IP***:500 due to phase 1 retry timeout msg_id="0203-5161"       Debug
2008-11-19 16:25:20 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:21 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:21 wgcgi_bin path: /cmm/cmd msg_id="0F00-0003"       Debug
2008-11-19 16:25:22 wgcgi_bin path: /cmm/sync/cli msg_id="0F00-0003"       Debug
2008-11-19 16:25:23 iked Phase 1 started by peer with policy [Gateway_Ipeer] from ***REMOTE_HOST_IP***:500 main mode msg_id="0203-5021"       Debug
2008-11-19 16:25:24 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:28 iked Phase 1 completed as responder msg_id="0203-5002"       Debug
2008-11-19 16:25:28 iked  MM hash_alg=2 encr_alg=5 key_len=168 auth_alg=1 dh_group=5 seconds=28803 kbytes=0 msg_id="0203-5003"       Debug
2008-11-19 16:25:29 wgcgi_bin path: /cmm/sync/cli msg_id="0F00-0003"       Debug
2008-11-19 16:25:29 iked Phase 2 started by peer with message(id 4f6f877d) from ***REMOTE_HOST_IP***:500 quick mode msg_id="0203-5081"       Debug
2008-11-19 16:25:29 iked Initiating phase 2 negotiation to peer ***REMOTE_HOST_IP*** for replacing SPIs: inbound 0x317bec8e outbound 0x9462af7d msg_id="0205-5252"       Debug
2008-11-19 16:25:29 iked Starting phase 2 to ***REMOTE_HOST_IP***:500 quick mode message(id ce40de90) msg_id="0203-5091"       Debug
2008-11-19 16:25:30 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:35 iked Phase 2 started by peer with message(id 4f6f877d) from ***REMOTE_HOST_IP***:500 quick mode msg_id="0203-5081"       Debug

Any suggestion?
Thanks!
0
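As an added illustration (not part of the original question or either poster's work), here is a small parser for the Fireware 10.x iked debug line format above: it skips the wgcgi_bin noise, classifies each iked line by its msg_id, and measures how long the peer took to re-establish phase 1 after a "phase 1 retry timeout". The msg_id values are the ones visible in the question's log; the sample lines are constructed and 203.0.113.7 is a documentation address standing in for the real peer.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Fireware 10.x iked format from the question (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
2008-11-19 16:24:58 iked Ignore a DPD R_U_THERE message from 203.0.113.7:500(Reason: Unexpected sequence number) msg_id="0203-5274"       Debug
2008-11-19 16:24:58 wgcgi_bin path: /snmp/request msg_id="0F00-0003"       Debug
2008-11-19 16:25:08 iked Phase 1 started by peer with policy [Gateway_Ipeer] from 203.0.113.7:500 main mode msg_id="0203-5021"       Debug
2008-11-19 16:25:20 iked Drop negotiation to peer 203.0.113.7:500 due to phase 1 retry timeout msg_id="0203-5161"       Debug
2008-11-19 16:25:23 iked Phase 1 started by peer with policy [Gateway_Ipeer] from 203.0.113.7:500 main mode msg_id="0203-5021"       Debug
2008-11-19 16:25:28 iked Phase 1 completed as responder msg_id="0203-5002"       Debug
2008-11-19 16:25:29 iked Phase 2 started by peer with message(id 4f6f877d) from 203.0.113.7:500 quick mode msg_id="0203-5081"       Debug
"""

# Timestamp, the iked daemon, the message text, then the msg_id that identifies the event type.
LINE_RE = re.compile(r'^(\S+ \S+) iked (.*?) msg_id="([0-9A-F]{4}-[0-9A-F]{4})"')

# msg_id values taken from the lines in the question, mapped to the IKE event they signal.
EVENTS = {
    "0203-5274": "dpd_ignored",          # DPD R_U_THERE dropped: unexpected sequence number
    "0203-5021": "p1_started_by_peer",   # peer opened a fresh main-mode exchange
    "0203-5161": "p1_retry_timeout",     # our phase 1 retries went unanswered
    "0203-5002": "p1_completed",         # ISAKMP SA re-established
    "0203-5081": "p2_started_by_peer",   # quick mode follows the new phase 1
}

def parse_iked(text):
    """Return (timestamp, event, message) for iked lines with a known msg_id; other daemons are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) in EVENTS:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, EVENTS[m.group(3)], m.group(2)))
    return out

def summarize(events):
    """Count events and measure seconds from each phase 1 retry timeout to the next phase 1 completion."""
    counts = Counter(ev for _, ev, _ in events)
    recovery, pending = [], None
    for ts, ev, _ in events:
        if ev == "p1_retry_timeout":
            pending = ts
        elif ev == "p1_completed" and pending is not None:
            recovery.append(int((ts - pending).total_seconds()))
            pending = None
    return counts, recovery

if __name__ == "__main__":
    counts, recovery = summarize(parse_iked(SAMPLE_LOG))
    print(dict(counts), "phase 1 recovered after", recovery, "seconds")
```

Run against a longer capture, a rising count of dpd_ignored and p1_retry_timeout events per flap points at lost or delayed IKE packets on the path rather than at a policy mismatch, which is the distinction dpk_wal is trying to draw below.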
1 Solution
 
candrea71Author Commented:
The VPN is working, but it crashes 2-3 times a day...
0
 
dpk_walCommented:
The logs only indicate that the phase I did not go through once:
>> Drop negotiation to peer ***REMOTE_HOST_IP***:500 due to phase 1 retry timeout msg_id="0203-5161"       Debug

and then phase II negotiations were started:
>> 2008-11-19 16:25:28 iked Phase 1 completed as responder msg_id="0203-5002"       Debug
>> 2008-11-19 16:25:35 iked Phase 2 started by peer with message(id 4f6f877d) from

The logs are inconclusive as to the reason the failure happened; one thing I noticed is that you have DPD [dead peer detection] enabled on the remote end; if it is not already enabled on the X700 then do so [you would find the settings in Gateway properties], OR you can disable DPD at both ends.

Please check and update.

Thank you.
0
 
candrea71Author Commented:
Hi dpk wal,
on the X700 gateway settings for this VPN I've got:

NAT Traversal disabled
IKE Keep-alive enabled: message interval 12 seconds, max failure 30
Dead Peer Detection enabled: traffic idle timeout: 300 seconds, max retries 30 (just updated from 10)

So the DPD was already in...
Do you believe the real failure could be related to the internet connection or something else? In that case, can you suggest a method for debugging the internet connection and getting some logs?
Thanks a lot for the assistance :)
0
 
dpk_walCommented:
Frankly I am not sure at this point if the tunnel ever comes up; can you paste some more logs which indicate if the phase II negotiations were complete or not.
If phase II comes up then I would be interested to know if you are able to ping anything on the remote end of the tunnel.

What is the device at the other end of the tunnel; can you access the logs there and see if you see anything different.

Please update.

Thank you.
0
 
candrea71Author Commented:
Hi dpk wal,
I'm sure the tunnel goes up (it happens every time after the crash), and when it is up I can ping the server on the remote network.
I also tested a ping +++Remote_Server+++ -t so as to have traffic on the VPN all the time, but it crashes anyway...
I don't have access to the logs on the remote firewall; I'll try to get some of them and the product/firmware versions.... I'll update asap!
Thanks again
0
 
candrea71Author Commented:
Do you believe it could be useful to set NAT Traversal in the gateway settings, with a keep-alive interval?
If yes, does this change have to be made on both sides?
The VPN is intended to be one-way only (from the X700 to the remote firewall), even if now it is set up both ways.
Thanks!

ps: I suppose the remote firewall should be a Sonicwall... I'm trying to get a reply from the colleague!
0
 
candrea71Author Commented:
Hi dpk_wal,
the firewall on the other side is a Fortigate-50A 3.00,build8597, but they are going to upgrade the firmware soon.
I'm posting the log I have from the remote firewall just after a disconnection of the tunnel

***Remote_IP*** = Fortigate
***Our Ip*** = X700

--------------------------------------------------------------------------------

43  2008-11-20  14:22:49  notice  negotiate         Responder: tunnel ***Our_IP**, transform=ESP_3DES, HMAC_SHA1
44  2008-11-20  14:22:49  notice  negotiate         Responder: parsed ***Our_IP** quick mode message #2 (DONE)
45  2008-11-20  14:22:49  notice  install_sa        Responder: tunnel ***Remote_IP**/***Our_IP** install ipsec sa
46  2008-11-20  14:22:49  notice  negotiate         Responder: sent ***Our_IP** quick mode message #1 (OK)
47  2008-11-20  14:22:46  error   negotiate         Received error notification from peer: PAYLOAD_MALFORMED
48  2008-11-20  14:22:46  notice  negotiate         Initiator: sent ***Our_IP** quick mode message #1 (OK)
49  2008-11-20  14:22:46  notice  negotiate         Initiator: parsed ***Our_IP** main mode message #3 (DONE)
50  2008-11-20  14:22:45  notice  negotiate         Initiator: sent ***Our_IP** main mode message #3 (OK)
51  2008-11-20  14:22:45  notice  negotiate         Initiator: sent ***Our_IP** main mode message #2 (OK)
52  2008-11-20  14:22:45  notice  negotiate         Initiator: sent ***Our_IP** main mode message #1 (OK)
53  2008-11-20  14:22:45  notice  delete_phase1_sa  Deleted an Isakmp SA on the tunnel to ***Our_IP**:500

65  2008-11-20  14:21:42  notice  negotiate         Responder: tunnel ***Our_IP**, transform=ESP_3DES, HMAC_SHA1
66  2008-11-20  14:21:42  notice  negotiate         Responder: parsed ***Our_IP** quick mode message #2 (DONE)
67  2008-11-20  14:21:42  notice  install_sa        Responder: tunnel ***Remote_IP**/***Our_IP** install ipsec sa
68  2008-11-20  14:21:42  notice  negotiate         Responder: sent ***Our_IP** quick mode message #1 (OK)
69  2008-11-20  14:21:40  error   negotiate         Received error notification from peer: PAYLOAD_MALFORMED
70  2008-11-20  14:21:40  notice  negotiate         Initiator: sent ***Our_IP** quick mode message #1 (OK)
71  2008-11-20  14:21:40  notice  negotiate         Initiator: parsed ***Our_IP** main mode message #3 (DONE)
72  2008-11-20  14:21:40  notice  negotiate         Initiator: sent ***Our_IP** main mode message #3 (OK)
73  2008-11-20  14:21:39  notice  negotiate         Initiator: sent ***Our_IP** main mode message #2 (OK)
74  2008-11-20  14:21:39  notice  negotiate         Initiator: sent ***Our_IP** main mode message #1 (OK)
75  2008-11-20  14:21:39  notice  delete_phase1_sa  Deleted an Isakmp SA on the tunnel to ***Our_IP**:500
-------------------------------------------------------------------------------
0
 
dpk_walCommented:
It appears that the tunnel completely rips off; phase I and phase II are both trying to re-negotiate.

I do not think that the NAT-traversal would make any difference; if so, the tunnel would not come up in the first place.
I am suspecting one of the devices to be the spoilsport. Do you have tunnels with other devices; do they stay up or do they flap as well? What do you do to get the tunnel up; do you reboot any of the boxes [X700 or remote]?

I would suggest you wait till they upgrade the firmware as it might help; otherwise remove all the VPN configuration from the X700; save the config file and flash image as well [this would cause the box to reboot] and then configure the VPN again and save the config [many times this helps].

Thank you.
0
 
candrea71Author Commented:
Hi again!
we have 3 other tunnels, no problem at all with them as they remain up and running all the time... even if sometimes, while doing a remote Terminal Services session, it crashes.
Can it be a problem with our firewall perhaps? :?
This tunnel goes up automatically after each flap, for no apparent reason...
I'll wait for the remote firewall to be updated; in case the problem continues I'll remove this VPN and create it again, as you suggested.
Thanks a lot ;)
0
 
dpk_walCommented:
You are welcome; it is tough to say that the problem is with the firewall; as the other tunnels stay up fine, it indicates that the firewall is not having a problem; wait for the remote firewall upgrade; clean up if needed; and update later.

Thank you.
0
 
candrea71Author Commented:
Hi dpk_wal,
just to tell you we fixed the update of the remote firewall on Monday 24th, late afternoon.
I'll update you asap, thanks for your patience!
A.
0
 
dpk_walCommented:
Please update per your convenience! :)

Regards.
0
 
dpk_walCommented:
No conclusion to the problem was achieved; user update was needed to close the issue.
0
 
candrea71Author Commented:
No solution found; we continue with one disconnection a day even after the firewall upgrade.
We see the traffic in the network is a bit slow and sometimes even jumps completely (2 times during 3-4 months); for this reason we're looking to improve the network by buying some new HP ProCurve switches.
Any possibility that the problem with the VPN is connected to this?
0
 
dpk_walCommented:
Cannot be said for sure; as the VPN is disconnecting only for one site, my first suspect would be the ISP for that box rather than the firewall.
Putting newer gear would make the network efficient and might give overall better performance.

Thank you.
0
 
candrea71Author Commented:
Thanks a lot dpk_wal for your patience and competence :)
0
 
dpk_walCommented:
Thank you for the points! :)
0
 
candrea71Author Commented:
Thanks to you for your assistance!
0
