Solved

Watchguard IPsec VPN problem between two Firebox III/1000's

Posted on 2009-07-01
4
1,578 Views
Last Modified: 2013-11-16
We have multiple Firebox III/1000's connected to each other over IPsec VPN's but two sites in paticular are unable to create a successful connection to each other:

Traffic Monitor Site A:

07/01/09 09:22  kernel:  ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  RE-TO x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  FROM  x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22  iked[142]:  TO    x.x.x.x (site B IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22  iked[142]:  CRYPTO ACTIVE after delay
07/01/09 09:22  iked[142]:  Deleting SA: peer        x.x.x.x (site B IP)
07/01/09 09:22  iked[142]:               my_cookie   0003C0DD3C3ECFF3
07/01/09 09:22  iked[142]:               peer_cookie 20BBA8C3A08143F0

Traffic Monitor Site B:

07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  RE-TO x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35  iked[146]:  Deleting SA: peer        x.x.x.x (Site A IP)
07/01/09 09:35  iked[146]:               my_cookie   ECA1718030D19E9F
07/01/09 09:35  iked[146]:               peer_cookie 0000000000000000
07/01/09 09:35  kernel:  ipsec: Acquiring keys for channel 123
07/01/09 09:35  iked[146]:  Acquiring key for channel/policy 123/0
07/01/09 09:35  iked[146]:  TO    x.x.x.x (Site A IP) AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID

any ideas?
0
Comment
Question by:RCoTeam
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
aamodt earned 500 total points
ID: 24752677
Have not worked alot with VPN / IPsec issues. but maybe  the peer_cookie is not set on Site B ?

peer_cookie 0000000000000000

dont know,  seems also you might have communications problems between the links since the site A monitoring shows Duplicate packets and so on, but not that sure. Just an possible explanation..

Cross checked config and setup with those who is working ?

If so it should be a communication issue i think :)

Regards Aamodt
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24754358
AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID

Have you enabled aggressive mode; use main mode instead.

Please update on the software version which you are using also if you are using VPN manager.

Thank you.
0
 

Author Comment

by:RCoTeam
ID: 24783246
turned out to be a problem with an ISP router on a hop between the sites.
0
 

Author Closing Comment

by:RCoTeam
ID: 31598695
indeed a communication issue
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
*STABLE* and free Linux Firewall distribution 6 90
Itunes Thru ISA 2000 Server 2 132
Firewall Analyzer Reporting Software 4 59
Firewall attack 16 186
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question