Solved

Troubleshooting watchguard vpn

Posted on 2014-03-20
Last Modified: 2014-03-21
I haven't worked with watchguard products. A new client has an xtm-26 at main office and xtm-10 at a remote office. Previous consultant set up a vpn between them.

Working fine for years now, so they say.

I am trying to backup machines from the remote office to a NAS at the home office.

I am noticing that the VPN stops working once in a while (can't do anything across the VPN, not even ping the watchguard at the other end of the tunnel). A reboot of the home office watchguard restores connectivity.

Any advice? I fear dealing with watchguard support - on a previous instance they took days to call me back, and when they did, they had a pitiful attitude.
8 Comments

Accepted Solution

by: stu29 (earned 500 total points)
ID: 39942175
It sounds like the tunnel is doing what it is supposed to do by reaching a TTL point and trying to re-create itself, except it is not managing this. Usually WG tunnels will hit a limit based on traffic passed (8172mb I think). Change this setting on both sides of the tunnel to reach this limit. I cannot tell you exactly where to look as I no longer have WG products.

This will at least narrow down your search. If your tunnel no longer drops then there is an issue when it tries to renegotiate. If it does still drop then I would consider rebuilding both ends of the tunnel. If this still does not work, I would be looking at backing them up, upgrading them to the most current firmware and trying again. If this still does not work I would suspect hardware (doubtful).

Are you logging from your devices?  Can you see the drop in your logs?  I know they used to have a /debug switch at the end of the logging page that would expose verbose logs.

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39942263
Thanks. I am not familiar with UTMs in general. Didn't know about that cap setting. Have to look for it.

Don't use WG anymore?  Something better?  

Logging - there's a short sysadmin log in the box, but there's a way to have the logs sent to another machine I think, right? Not sure where to download the software / how to set things up to send logs to a machine. Any help would be appreciated.

Are other boxes easier to use and still offer a level of robustness for small businesses?

Assisted Solution

by: stu29 (earned 500 total points)
ID: 39942292
The WG products are actually very strong.  I used them for 10 plus years.  Only reason I changed was I changed jobs.

So when you are on the sysadm log page, add /debug to the end and see if they still have advanced logging hidden in there.

To write out to another device it would have to be a syslogger. There are a few out there. I usually ended up using KIWI syslog. Clean, simple and you could write to a SQL db if you wanted.

With WG support, ask for the US based support, they are very good.  The first level are usually hard work :-)

If I remember correctly the setting is in Stage 2 on the IPSec VPN.

Do you see ANY errors in the logs when your tunnel is down?
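A minimal syslog receiver and parser, added here as an example and not code from the thread or from WatchGuard: it keeps a persistent copy of everything the firewall sends, so tunnel events no longer roll off the short in-box log, and picks out the IKE/tunnel lines to read when the VPN drops. The keyword list and the sample log lines are constructed assumptions; real WatchGuard message text may differ.

```python
import re
import socket
from datetime import datetime

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Assumed keywords for IKE / branch-office VPN events (not WatchGuard's own list).
VPN_KEYWORDS = ("ike", "ipsec", "bovpn", "tunnel", "phase", "dpd", "rekey")


def parse_syslog_line(line):
    """Split a syslog datagram into facility, severity, timestamp, host, message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "message": m.group("msg")}


def vpn_events(lines):
    """Return only the parsed records whose message mentions the tunnel / IKE."""
    events = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and any(k in rec["message"].lower() for k in VPN_KEYWORDS):
            events.append(rec)
    return events


def serve(bind="0.0.0.0", port=514, logfile="watchguard-syslog.log"):
    """Receive UDP syslog and append each datagram, with receive time, to a file."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(logfile, "a") as fh:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            line = data.decode("utf-8", errors="replace")
            fh.write(f"{datetime.now().isoformat()} {src} {line}\n")
            fh.flush()  # survive a crash; the point is not to lose the drop window
            for rec in vpn_events([line]):
                print("VPN event:", rec["timestamp"], rec["message"])


SAMPLE_LINES = [  # constructed sample input, not real WatchGuard output
    "<134>Mar 20 22:15:01 xtm26 iked: IKE phase 2 rekey for tunnel BOVPN-remote",
    "<132>Mar 20 22:15:09 xtm26 iked: DPD: peer 203.0.113.10 not responding",
    "<134>Mar 20 22:16:00 xtm26 admd: user admin logged in",
]
```

Run `serve()` on the log host and point the firebox's syslog setting at it (port 514/udp needs privileges); `vpn_events(open(logfile).read().splitlines())` then lists the tunnel lines around the time the VPN went down.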
Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943520
Thanks for the info. The VPN is configured under Branch office VPN; going in there, I didn't see any caps on throughput.
 
There is a traffic management page under VPN and there's no settings on that page.

I did see the attached page under branch office VPN.  do those numbers sound right?

I didn't check the log when the tunnel is down. Will have to try that again tonight. When I found out about the short log on the box a few hours later, things during the loss of the VPN had rolled off.

Attachments: 1.jpg, 2.jpg

Assisted Solution

by: stu29 (earned 500 total points)
ID: 39943550
What are the settings inside your Phase 1 on 2.jpg?

Don't change anything:  You have the timeout set to 8 hours.  I would set these to either 12 or 24 hours so they renegotiate at a consistent controlled time and not a rolling 8 hours.

Don't change it: but I have seen dead peer detection cause issues on these tunnels.

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943686
?? don't change, but you mention how I should make changes   : ) ???

Assisted Solution

by: stu29 (earned 500 total points)
ID: 39943762
I would like to see the settings on phase 1 first. Then we can try to change if they are right.  Just giving you ideas to think about.

Sorry for any confusion.

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39944375
sorry?  no! I appreciate the help.  The machine to be backed up seems to be off tonight so I can't test things right now.