Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Watchguard IPsec VPN problem between two Firebox III/1000's

Posted on 2009-07-01
4
Medium Priority
?
1,584 Views
Last Modified: 2013-11-16
We have multiple Firebox III/1000's connected to each other over IPsec VPN's but two sites in paticular are unable to create a successful connection to each other:

Traffic Monitor Site A:

07/01/09 09:22  kernel:  ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  FROM  x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22  iked[142]:  TO    x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  CRYPTO ACTIVE after delay
07/01/09 09:22  iked[142]:  Deleting SA: peer        x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:               my_cookie   0003C0DD3C3ECFF3
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0

Traffic Monitor Site B:

07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        x.x.x.x (Site A IP)
07/01/09 09:35  iked[146]:               my_cookie   ECA1718030D19E9F
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  kernel:  ipsec: Acquiring keys for channel 123
07/01/09 09:35  iked[146]:  Acquiring key for channel/policy 123/0
07/01/09 09:35  iked[146]:  TO    x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

any ideas?
0
Comment
Question by:RCoTeam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
aamodt earned 1500 total points
ID: 24752677
Have not worked alot with VPN / IPsec issues. but maybe  the peer_cookie is not set on Site B ?

peer_cookie 0000000000000000

dont know,  seems also you might have communications problems between the links since the site A monitoring shows Duplicate packets and so on, but not that sure. Just an possible explanation..

Cross checked config and setup with those who is working ?

If so it should be a communication issue i think :)

Regards Aamodt
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24754358
AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID

Have you enabled aggressive mode; use main mode instead.

Please update on the software version which you are using also if you are using VPN manager.

Thank you.
0
 

Author Comment

by:RCoTeam
ID: 24783246
turned out to be a problem with an ISP router on a hop between the sites.
0
 

Author Closing Comment

by:RCoTeam
ID: 31598695
indeed a communication issue
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question