Solved

Watchguard IPsec VPN problem between two Firebox III/1000's

Posted on 2009-07-01
1,583 Views
Last Modified: 2013-11-16
We have multiple Firebox III/1000s connected to each other over IPsec VPNs, but two sites in particular are unable to create a successful connection to each other:

Traffic Monitor Site A:

07/01/09 09:22  kernel:  ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  FROM  x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22  iked[142]:  TO    x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  CRYPTO ACTIVE after delay
07/01/09 09:22  iked[142]:  Deleting SA: peer        x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:               my_cookie   0003C0DD3C3ECFF3
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0

Traffic Monitor Site B:

07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        x.x.x.x (Site A IP)
07/01/09 09:35  iked[146]:               my_cookie   ECA1718030D19E9F
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  kernel:  ipsec: Acquiring keys for channel 123
07/01/09 09:35  iked[146]:  Acquiring key for channel/policy 123/0
07/01/09 09:35  iked[146]:  TO    x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

Any ideas?
Question by:RCoTeam
4 Comments
 
LVL 7

Accepted Solution

by:
aamodt earned 1500 total points
ID: 24752677
I have not worked a lot with VPN / IPsec issues, but maybe the peer_cookie is not set on Site B?

peer_cookie 0000000000000000

Don't know; it also seems you might have communication problems between the links, since the Site A monitoring shows duplicate packets and so on, but I'm not that sure. Just a possible explanation.

Have you cross-checked the config and setup against the sites that are working?

If so, it should be a communication issue, I think :)

Regards, Aamodt
LVL 32

Expert Comment

by:dpk_wal
ID: 24754358
AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID

Have you enabled aggressive mode? Use main mode instead.

Please also let us know which software version you are using, and whether you are using VPN Manager.

Thank you.
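As an added example (not code from the thread or from WatchGuard), here is a small Python analyser for Traffic Monitor iked lines like the ones quoted in the question. It flags the three things the replies point at: AG-HDR (aggressive mode, where the ID and PSK hash are sent unencrypted, so main mode is preferred), an all-zero peer_cookie together with no FROM line (the peer's reply never arrived), and RE-TO retransmits plus "Skipping duplicate packet" lines (a lossy or asymmetric path). The sample logs are constructed from the question's format, with the RFC 5737 addresses 203.0.113.2 and 198.51.100.1 standing in for the real x.x.x.x peers.

```python
import re

# Patterns for the Firebox III Traffic Monitor iked lines quoted in the question.
_MSG = re.compile(r"iked\[\d+\]:\s+(RE-TO|TO|FROM)\s+(\S+)\s+(\S+-HDR)")
_DUP = re.compile(r"Skipping duplicate packet from (\S+)")
_PEER_COOKIE = re.compile(r"peer_cookie\s+([0-9A-Fa-f]{16})")

def analyze_iked_log(text):
    """Summarise one side's IKE phase-1 attempt and explain what the log pattern means."""
    s = {"peer": None, "aggressive": False, "sent": 0, "retransmits": 0,
         "received": 0, "duplicates": 0, "peer_cookie_zero": False, "findings": []}
    for line in text.splitlines():
        m = _MSG.search(line)
        if m:
            kind, s["peer"], hdr = m.groups()
            s["aggressive"] |= hdr == "AG-HDR"          # AG-HDR = IKEv1 aggressive mode
            key = {"FROM": "received", "RE-TO": "retransmits", "TO": "sent"}[kind]
            s[key] += 1
        elif _DUP.search(line):
            s["duplicates"] += 1
        else:
            m = _PEER_COOKIE.search(line)
            if m and m.group(1).strip("0") == "":
                s["peer_cookie_zero"] = True             # responder cookie never learned
    if s["aggressive"]:
        s["findings"].append("aggressive mode: ID and PSK hash are sent unencrypted; prefer main mode")
    if s["peer_cookie_zero"] and s["received"] == 0:
        s["findings"].append("no IKE reply ever received: UDP/500 path to the peer is broken")
    elif s["retransmits"] or s["duplicates"]:
        s["findings"].append("retransmits and duplicates: lossy or asymmetric path between the peers")
    return s

# Constructed samples modelled on the question's Traffic Monitor output
# (RFC 5737 documentation addresses stand in for the real x.x.x.x peers).
SITE_A_LOG = """\
07/01/09 09:22  iked[142]:  RE-TO 203.0.113.2 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH
07/01/09 09:22  iked[142]:  Skipping duplicate packet from 203.0.113.2
07/01/09 09:22  iked[142]:  RE-TO 203.0.113.2 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH
07/01/09 09:22  iked[142]:  FROM  203.0.113.2 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0
"""
SITE_B_LOG = """\
07/01/09 09:35  iked[146]:  RE-TO 198.51.100.1 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO 198.51.100.1 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  iked[146]:  TO    198.51.100.1 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
"""
```

Running `analyze_iked_log` on a full Traffic Monitor capture from each end tells you within seconds whether the failure is a policy mismatch (FROM lines arrive but the SA is deleted) or, as in this thread, a transport problem on the path (no FROM at all and a zero peer_cookie).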

Author Comment

by:RCoTeam
ID: 24783246
Turned out to be a problem with an ISP router on a hop between the sites.

Author Closing Comment

by:RCoTeam
ID: 31598695
Indeed a communication issue.
