RCoTeam
asked on
Watchguard IPsec VPN problem between two Firebox III/1000's
We have multiple Firebox III/1000's connected to each other over IPsec VPNs, but two sites in particular are unable to create a successful connection to each other:
Traffic Monitor Site A:
07/01/09 09:22 kernel: ipsec: make bundle for channel 16, 1 in SA's, 1 out SA's
07/01/09 09:22 iked[142]: RE-TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22 iked[142]: Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22 iked[142]: Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22 iked[142]: RE-TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22 iked[142]: RE-TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22 iked[142]: FROM x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:22 iked[142]: TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH ISA_VENDORID ISA_VENDORID NAT-D NAT-D
07/01/09 09:22 iked[142]: CRYPTO ACTIVE after delay
07/01/09 09:22 iked[142]: Deleting SA: peer x.x.x.x (site B IP)
07/01/09 09:22 iked[142]: my_cookie 0003C0DD3C3ECFF3
07/01/09 09:22 iked[142]: peer_cookie 20BBA8C3A08143F0
Traffic Monitor Site B:
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
07/01/09 09:35 iked[146]: Deleting SA: peer x.x.x.x (Site A IP)
07/01/09 09:35 iked[146]: my_cookie ECA1718030D19E9F
07/01/09 09:35 iked[146]: peer_cookie 0000000000000000
07/01/09 09:35 kernel: ipsec: Acquiring keys for channel 123
07/01/09 09:35 iked[146]: Acquiring key for channel/policy 123/0
07/01/09 09:35 iked[146]: TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
any ideas?
ASKER
Turned out to be a problem with an ISP router on a hop between the sites.
ASKER
Indeed a communication issue.
Have you enabled aggressive mode? Use main mode instead.
Please update us on the software version you are using, and also whether you are using VPN Manager.
Thank you.
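A triage sketch for iked excerpts like the ones in the question, added here as an example (it is not code from the thread or from WatchGuard). It assumes the line format shown above and reads an all-zero peer_cookie at SA deletion as "no reply from the peer was ever processed", since the ISAKMP responder cookie stays zero until the peer answers; the function names and result labels are hypothetical.

```python
import re

# Constructed samples, abridged from the Traffic Monitor excerpts in the question.
SITE_A = """\
07/01/09 09:22 iked[142]: FROM x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:22 iked[142]: TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH NAT-D NAT-D
07/01/09 09:22 iked[142]: Skipping duplicate packet from x.x.x.x (site B IP)
07/01/09 09:22 iked[142]: RE-TO x.x.x.x (site B IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH NAT-D NAT-D
07/01/09 09:22 iked[142]: Deleting SA: peer x.x.x.x (site B IP)
07/01/09 09:22 iked[142]: peer_cookie 20BBA8C3A08143F0
"""
SITE_B = """\
07/01/09 09:35 iked[146]: TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35 iked[146]: RE-TO x.x.x.x (Site A IP) AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
07/01/09 09:35 iked[146]: Deleting SA: peer x.x.x.x (Site A IP)
07/01/09 09:35 iked[146]: my_cookie ECA1718030D19E9F
07/01/09 09:35 iked[146]: peer_cookie 0000000000000000
"""

# Patterns assume the iked line layout seen in the excerpts (direction, peer, header tag).
EVENT = re.compile(r"iked\[\d+\]: (RE-TO|TO|FROM) \S+ \(.*?\) (\S+)")
COOKIE = re.compile(r"iked\[\d+\]: peer_cookie ([0-9A-Fa-f]{16})")
DUPLICATE = "Skipping duplicate packet from"

def summarize(log):
    """Count IKE sends, retransmits and inbound packets for one site's log."""
    s = {"TO": 0, "RE-TO": 0, "inbound": 0, "aggressive": False, "zero_peer_cookie": False}
    for line in log.splitlines():
        event, cookie = EVENT.search(line), COOKIE.search(line)
        if event:
            direction, header = event.groups()
            s["inbound" if direction == "FROM" else direction] += 1
            s["aggressive"] |= header == "AG-HDR"
        elif DUPLICATE in line:
            s["inbound"] += 1  # a duplicate is still proof that the peer's packets arrive
        elif cookie:
            s["zero_peer_cookie"] |= int(cookie.group(1), 16) == 0
    return s

def diagnose(log):
    """Classify one side of a failed Phase 1 exchange."""
    s = summarize(log)
    if s["inbound"] == 0 and s["zero_peer_cookie"]:
        return "no-inbound-ike"            # this site never saw a reply from the peer
    if s["inbound"] > 0 and s["RE-TO"] > 0:
        return "replies-unanswered"        # peer is heard, our replies get no acknowledgement
    return "inconclusive"
```

One site reporting "replies-unanswered" while the other reports "no-inbound-ike" points at packets being lost in a single direction on the path between the peers, which is worth checking before changing Phase 1 settings.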