Solved

Watchguard IPsec VPN problem between two Firebox III/1000s

Posted on 2009-07-01
4
1,581 Views
Last Modified: 2013-11-16
We have multiple Firebox III/1000s connected to each other over IPsec VPNs, but two sites in particular are unable to create a successful connection to each other:

Traffic Monitor Site A:

07/01/09 09:22  kernel:  ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  FROM  x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22  iked[142]:  TO    x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  CRYPTO ACTIVE after delay
07/01/09 09:22  iked[142]:  Deleting SA: peer        x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:               my_cookie   0003C0DD3C3ECFF3
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0

Traffic Monitor Site B:

07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        x.x.x.x (Site A IP)
07/01/09 09:35  iked[146]:               my_cookie   ECA1718030D19E9F
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  kernel:  ipsec: Acquiring keys for channel 123
07/01/09 09:35  iked[146]:  Acquiring key for channel/policy 123/0
07/01/09 09:35  iked[146]:  TO    x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

Any ideas?
0
Comment
Question by:RCoTeam
4 Comments
 
LVL 7

Accepted Solution

by:
aamodt earned 500 total points
ID: 24752677
Have not worked a lot with VPN/IPsec issues, but maybe the peer_cookie is not set on Site B?

peer_cookie 0000000000000000

Don't know; it also seems you might have communication problems between the links, since the site A monitoring shows duplicate packets and so on, but not that sure. Just a possible explanation.

Cross-checked config and setup with those which are working?

If so, it should be a communication issue, I think :)

Regards, Aamodt
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24754358
AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID

Have you enabled aggressive mode; use main mode instead.

Please update on the software version which you are using also if you are using VPN manager.

Thank you.
0
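As an added example (not code from the question or from either commenter), here is a small Python checker that applies the two readings offered in this thread to iked traces in the format posted above: it counts RE-TO retransmits, skipped duplicates and FROM packets, records the peer_cookie logged at SA teardown (all zeros meaning the peer never answered), and flags AG-HDR aggressive mode. The two traces are constructed samples with RFC 5737 addresses in place of the redacted peers.

```python
import re

# Constructed samples in the question's Firebox III iked trace format; RFC 5737 addresses replace the redacted peers.
SITE_A_LOG = """\
07/01/09 09:22  iked[142]:  RE-TO 203.0.113.2 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from 203.0.113.2
07/01/09 09:22  iked[142]:  FROM  203.0.113.2 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:22  iked[142]:  Deleting SA: peer        203.0.113.2
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0
"""
SITE_B_LOG = """\
07/01/09 09:35  iked[146]:  RE-TO 198.51.100.1 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO 198.51.100.1 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        198.51.100.1
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
"""

# date, time, process ("iked[142]" or "kernel"), then the message text
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")

def analyze_iked(log_text):
    """Count retransmits, duplicates and peer replies in one iked trace; keep the peer cookie logged at SA teardown."""
    stats = {"retransmits": 0, "duplicates": 0, "replies_from_peer": 0,
             "aggressive_mode": False, "deleted_sa": False, "peer_cookie": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("proc").startswith("iked"):
            continue                          # kernel: lines are not IKE events
        msg = m.group("msg")
        if "AG-HDR" in msg:                   # aggressive-mode ISAKMP header
            stats["aggressive_mode"] = True
        if msg.startswith("RE-TO"):           # our packet was retransmitted
            stats["retransmits"] += 1
        elif msg.startswith("FROM"):          # something did arrive from the peer
            stats["replies_from_peer"] += 1
        elif msg.startswith("Skipping duplicate"):
            stats["duplicates"] += 1
        elif msg.startswith("Deleting SA"):
            stats["deleted_sa"] = True
        elif msg.startswith("peer_cookie"):
            stats["peer_cookie"] = msg.split()[-1]
    return stats

def diagnose(stats):
    """Translate the counters into the readings given in the thread."""
    if stats["deleted_sa"] and stats["peer_cookie"] == "0" * 16:   # all-zero cookie: peer never answered
        return "no IKE reply received from peer; check the path and UDP/500 reachability"
    if stats["deleted_sa"] and stats["retransmits"] and (stats["duplicates"] or stats["replies_from_peer"]):
        return "peer reachable but phase 1 not completing; retransmits/duplicates suggest a lossy path"
    return "phase 1 failed" if stats["deleted_sa"] else "no phase 1 failure recorded"
```

Run against the site B sample it reports that no reply ever arrived; against site A it reports a lossy path, which is the reading the thread ended on. A True `aggressive_mode` flag is the AG-HDR point dpk_wal raises above.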
 

Author Comment

by:RCoTeam
ID: 24783246
Turned out to be a problem with an ISP router on a hop between the sites.
0
 

Author Closing Comment

by:RCoTeam
ID: 31598695
Indeed a communication issue.
0
