Solved

Watchguard IPsec VPN problem between two Firebox III/1000's

Posted on 2009-07-01
4
1,568 Views
Last Modified: 2013-11-16
We have multiple Firebox III/1000's connected to each other over IPsec VPN's but two sites in paticular are unable to create a successful connection to each other:

Traffic Monitor Site A:

07/01/09 09:22  kernel:  ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  FROM  x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22  iked[142]:  TO    x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  CRYPTO ACTIVE after delay
07/01/09 09:22  iked[142]:  Deleting SA: peer        x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:               my_cookie   0003C0DD3C3ECFF3
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0

Traffic Monitor Site B:

07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        x.x.x.x (Site A IP)
07/01/09 09:35  iked[146]:               my_cookie   ECA1718030D19E9F
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  kernel:  ipsec: Acquiring keys for channel 123
07/01/09 09:35  iked[146]:  Acquiring key for channel/policy 123/0
07/01/09 09:35  iked[146]:  TO    x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

any ideas?
0
Comment
Question by:RCoTeam
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
aamodt earned 500 total points
Comment Utility
Have not worked alot with VPN / IPsec issues. but maybe  the peer_cookie is not set on Site B ?

peer_cookie 0000000000000000

dont know,  seems also you might have communications problems between the links since the site A monitoring shows Duplicate packets and so on, but not that sure. Just an possible explanation..

Cross checked config and setup with those who is working ?

If so it should be a communication issue i think :)

Regards Aamodt
0
 
LVL 32

Expert Comment

by:dpk_wal
Comment Utility
AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID

Have you enabled aggressive mode; use main mode instead.

Please update on the software version which you are using also if you are using VPN manager.

Thank you.
0
 

Author Comment

by:RCoTeam
Comment Utility
turned out to be a problem with an ISP router on a hop between the sites.
0
 

Author Closing Comment

by:RCoTeam
Comment Utility
indeed a communication issue
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now