Watchguard XTM330 firewall BOVPN problem

I've been having some problems with my office BOVPN lately, randomly the bridge between our two offices breaks. We have two identical XTM330 firewalls on both locations and both have the same configuration, done using this guide:

But sometimes the tunnel randomly stops working and we can't access the other office's network. Usually resetting the firewalls temporarily fixes the issue.

I got the following debug messages off both firewalls logs:

Office A firewall

Process=iked  msg=(officeAExternalIP<->officeBExternalIP)MWAN-Failback notify ikePcy=0x1078b638(officeBTunel), p1said=0xc645b540 UP

Process=iked  msg=(officeAExternalIP<->officeBExternalIP)MWAN-Failback failed to find the ikePcyGrp by ikePcy - name=officeBTunel

Office B firewall

Process=iked  msg=(officeBExternalIP<->officeAExternalIP)MWAN-Failback notify ikePcy=0x1078b638(officeATunel), p1said=0xc645b540 UP

Process=iked  msg=(officeBExternalIP<->officeAExternalIP)MWAN-Failback failed to find the ikePcyGrp by ikePcy - name=officeATunel

Does anyone know what could be causing this?
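Added example, not part of the original post: a small Python parser for iked lines of the shape quoted above. It extracts the peer pair, the tunnel name, the phase 1 SA id (p1said) and whether the line is an "UP" notification or a "failed to find the ikePcyGrp" failback error, counts failback errors per tunnel so they can be alerted on, and checks whether the two firewalls report the same p1said (as they do in the question). The IP addresses and repeated lines in SAMPLE_A / SAMPLE_B are constructed sample data, and the regexes are assumptions based only on the message format shown in the post.

```python
import re
from collections import Counter

# Constructed sample logs modelled on the lines quoted in the question
# (RFC 5737 documentation addresses stand in for the real external IPs).
SAMPLE_A = """\
Process=iked  msg=(203.0.113.10<->198.51.100.20)MWAN-Failback notify ikePcy=0x1078b638(officeBTunel), p1said=0xc645b540 UP
Process=iked  msg=(203.0.113.10<->198.51.100.20)MWAN-Failback failed to find the ikePcyGrp by ikePcy - name=officeBTunel
Process=iked  msg=(203.0.113.10<->198.51.100.20)MWAN-Failback notify ikePcy=0x1078b638(officeBTunel), p1said=0xc645b541 UP
Process=iked  msg=(203.0.113.10<->198.51.100.20)MWAN-Failback failed to find the ikePcyGrp by ikePcy - name=officeBTunel
Process=iked  msg=(203.0.113.10<->192.0.2.30)MWAN-Failback notify ikePcy=0x1078b639(officeCTunel), p1said=0xc645b600 UP
"""
SAMPLE_B = """\
Process=iked  msg=(198.51.100.20<->203.0.113.10)MWAN-Failback notify ikePcy=0x1078b638(officeATunel), p1said=0xc645b540 UP
Process=iked  msg=(198.51.100.20<->203.0.113.10)MWAN-Failback failed to find the ikePcyGrp by ikePcy - name=officeATunel
"""

# Outer shape: Process=iked  msg=(local<->remote)MWAN-Failback <rest>
LINE_RE = re.compile(
    r"Process=iked\s+msg=\((?P<local>[^<]+)<->(?P<remote>[^)]+)\)MWAN-Failback\s+(?P<rest>.*)"
)
# "notify ikePcy=0x...(tunnelName), p1said=0x... UP"
NOTIFY_RE = re.compile(
    r"notify ikePcy=(?P<pcy>0x[0-9a-fA-F]+)\((?P<name>[^)]+)\), "
    r"p1said=(?P<said>0x[0-9a-fA-F]+) (?P<state>\w+)"
)
# "failed to find the ikePcyGrp by ikePcy - name=tunnelName"
FAIL_RE = re.compile(r"failed to find the ikePcyGrp by ikePcy - name=(?P<name>\S+)")


def parse_line(line):
    """Return a dict describing one iked MWAN-Failback line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = {"local": m["local"], "remote": m["remote"]}
    rest = m["rest"]
    n = NOTIFY_RE.match(rest)
    if n:
        ev.update(kind="notify", tunnel=n["name"], p1said=n["said"], state=n["state"])
        return ev
    f = FAIL_RE.match(rest)
    if f:
        ev.update(kind="failback_failed", tunnel=f["name"], p1said=None, state=None)
        return ev
    ev.update(kind="other", tunnel=None, p1said=None, state=None)
    return ev


def failback_failures(text):
    """Count 'failed to find the ikePcyGrp' events per (local, remote, tunnel)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["kind"] == "failback_failed":
            counts[(ev["local"], ev["remote"], ev["tunnel"])] += 1
    return counts


def tunnels_needing_attention(text, threshold=2):
    """Tunnels whose failback error count reached the threshold; sorted for stable output."""
    return sorted(t for t, c in failback_failures(text).items() if c >= threshold)


def shared_p1said(text_a, text_b):
    """Phase 1 SA ids that both firewalls logged, i.e. both sides saw the same IKE SA."""
    def saids(text):
        return {ev["p1said"] for ev in map(parse_line, text.splitlines())
                if ev and ev["p1said"]}
    return saids(text_a) & saids(text_b)


if __name__ == "__main__":
    for tunnel, count in failback_failures(SAMPLE_A).items():
        print(f"{tunnel}: {count} failback failure(s)")
    print("needs attention:", tunnels_needing_attention(SAMPLE_A))
    print("p1said seen on both sides:", shared_p1said(SAMPLE_A, SAMPLE_B))
```

Feed each firewall's exported log text into failback_failures to see which tunnel keeps hitting the failback error, and into shared_p1said with the other side's log to confirm the two boxes are talking about the same phase 1 SA before comparing their settings.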
Brian Commented:
Have you tried setting the VPN tunnels to use Main Mode with fall back to Aggressive Mode? Aggressive Mode is not as secure, but if the tunnel connection or re-keying messages get garbled or drop a packet, Aggressive Mode will fight through it.

Double check every single firewall setting between the two. Especially time out settings.
Looking at the logs, it looks like there was a disruption in internet service... WG tried to fall back to the backup internet [which I guess is not configured in your network] and did not succeed.

Can you make sure that the internet indeed remains up all the time.

Also, please make sure that you have configured IKE keep-alive... though not directly relevant here, it can help.
As per link you posted:
Select NAT Traversal, IKE Keep-alive, or Dead Peer Detection (RFC3706). Make sure you select the same values you chose in the BOVPN Tunnel Settings.

Please check and update.

Thank you.
ScreenFox (Author) Commented:
I checked, and right now the firewalls are using Dead Peer Detection. Before, we were using only IKE keep-alive, but the problem started happening, so following the recommendation of the guide on that link I changed IKE keep-alive for Dead Peer Detection.

But the problem is still there. I checked the Internet connections and no user has reported any problem with the internet.

Thanks for your reply
dpk_wal Commented:
You can configure both DPD and IKE keep-alive at the same time.
What I want to understand is, when the VPN tunnel goes down, does that happen because the internet goes down?
Also, is multi-WAN configured at the sites?

Thank you.
ScreenFox (Author) Commented:
In Office A there is multi-WAN configured, and no, when it has happened the connection to the internet was fine.
Are there any more logs which might explain the issue?
It's tough to say what exactly is happening with limited information.