Solved

Troubleshooting watchguard vpn

Posted on 2014-03-20
8
1,190 Views
Last Modified: 2014-03-21
I haven't worked with watchguard products. A new client has an xtm-26 at main office and xtm-10 at a remote office. Previous consultant set up a vpn between them.

Working fine for years now, so they say.

I am trying to backup machines from the remote office to a NAS at the home office.

I am noticing that the VPN stops working once in a while (can't do anything across VPN, like even ping the watchguard at the other end of the tunnel.  A reboot of the home office watchguard restores connectivity.

Any advice? I fear dealing with watchguard support - on a previous instance they took days to call me back, and when they did, they had a pitiful attitude.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 9

Accepted Solution

by:
stu29 earned 500 total points
ID: 39942175
It sounds like the tunnel is doing what is supposed to by reaching a TTL point and trying to re-create itself, except it is not managing this.  Usually WG tunnels will hit a limit based on traffic passed (8172mb I think).  Change this setting on both sides of the tunnel to reach this limit.  I cannot tell you exactly where to look as I no longer have WG products.

This will atleast narrow down your search.  If your tunnel no longer drops then there is an issue when it tries to renegotiate. If it does still drop then I would consider rebuilding both ends of the tunnel.  If this still does not work, I would be looking at backing them up, upgrading them to to most current firmware and trying again.  If this still does not work I would suspect hardware (doubtful).  

Are you logging from your devices?  Can you see the drop in your logs?  I know they used to have a /debug switch at the end of the logging page that would expose verbose logs.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39942263
thanks.  I am not familiar with UTMs in general.  Didn't know about that cap setting. Have to look for it.

Don't use WG anymore?  Something better?  

Logging - there's  a short sysadmin log in the box, but there's a way to have the logs sent to another machine I think, right?  Not sure where to download the software / how to set things up to send logs to a machine.  any help would be appreciated.

Are other boxes easier to use and still offer a level of robustness for small businesses?
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39942292
The WG products are actually very strong.  I used them for 10 plus years.  Only reason I changed was I changed jobs.

So when you are on the sysadm log page, add /debug to the end and see if they still have advanced logging hidden in there.

To write out to another device it would have to be a syslogger.  There are a few out there.  I ususally ended up using KIWI syslog.  Clean, simple and your could write to a SQL db if you wanted.

With WG support, ask for the US based support, they are very good.  The first level are usually hard work :-)

If I remember correctly the setting is in Stage 2 on the IPSec VPN.

Do you see ANY errors in the logs when your tunnel is down?
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943520
thanks for the info.  the VPN is configured under Branch office VPN, Going in there, I didn't see any caps on throughput.
 
There is a traffic management page under VPN and there's no settings on that page.

I did see the attached page under branch office VPN.  do those numbers sound right?

I didn't check the log when the tunnel is done.  Will have to try that again tonight.  When I found out about the short log on the box a few hours later, things during the loss of the VPN had rolled off.
1.jpg
2.jpg
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39943550
What are the settings in side your Phase 1 on 2.jpg?

Don't change anything:  You have the timeout set to 8 hours.  I would set these to either 12 or 24 hours so they renegotiate at a consistent controlled time and not a rolling 8 hours.

Don't change it:  but I have seen dead peer detection case issues on these tunnels.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943686
?? don't change, but you mention how I should make changes   : ) ???
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39943762
I would like to see the settings on phase 1 first. Then we can try to change if they are right.  Just giving you ideas to think about.

Sorry for any confussion
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39944375
sorry?  no! I appreciate the help.  The machine to be backed up seems to be off tonight so I can't test things right now.
0

Featured Post

Webinar June 1st - Attacking Ransomware  

The global cyberattack that corrupted hundreds of thousands of computer systems on May 12th had a face, name, & price tag that we’ve seen all too often in recent years: Ransomware. With the stakes – and costs – of a ransomware attack higher than ever, is your business prepared ?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505's for VPN study 15 91
logon script 9 95
Adding a 2nd Juniper SSG20 and setting up HA / NSRP 2 23
Connectivity drops 9 80
Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question