Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1229
  • Last Modified:

Troubleshooting watchguard vpn

I haven't worked with watchguard products. A new client has an xtm-26 at main office and xtm-10 at a remote office. Previous consultant set up a vpn between them.

Working fine for years now, so they say.

I am trying to backup machines from the remote office to a NAS at the home office.

I am noticing that the VPN stops working once in a while (can't do anything across VPN, like even ping the watchguard at the other end of the tunnel.  A reboot of the home office watchguard restores connectivity.

Any advice? I fear dealing with watchguard support - on a previous instance they took days to call me back, and when they did, they had a pitiful attitude.
0
BeGentleWithMe-INeedHelp
Asked:
BeGentleWithMe-INeedHelp
  • 4
  • 4
4 Solutions
 
stu29Commented:
It sounds like the tunnel is doing what is supposed to by reaching a TTL point and trying to re-create itself, except it is not managing this.  Usually WG tunnels will hit a limit based on traffic passed (8172mb I think).  Change this setting on both sides of the tunnel to reach this limit.  I cannot tell you exactly where to look as I no longer have WG products.

This will atleast narrow down your search.  If your tunnel no longer drops then there is an issue when it tries to renegotiate. If it does still drop then I would consider rebuilding both ends of the tunnel.  If this still does not work, I would be looking at backing them up, upgrading them to to most current firmware and trying again.  If this still does not work I would suspect hardware (doubtful).  

Are you logging from your devices?  Can you see the drop in your logs?  I know they used to have a /debug switch at the end of the logging page that would expose verbose logs.
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
thanks.  I am not familiar with UTMs in general.  Didn't know about that cap setting. Have to look for it.

Don't use WG anymore?  Something better?  

Logging - there's  a short sysadmin log in the box, but there's a way to have the logs sent to another machine I think, right?  Not sure where to download the software / how to set things up to send logs to a machine.  any help would be appreciated.

Are other boxes easier to use and still offer a level of robustness for small businesses?
0
 
stu29Commented:
The WG products are actually very strong.  I used them for 10 plus years.  Only reason I changed was I changed jobs.

So when you are on the sysadm log page, add /debug to the end and see if they still have advanced logging hidden in there.

To write out to another device it would have to be a syslogger.  There are a few out there.  I ususally ended up using KIWI syslog.  Clean, simple and your could write to a SQL db if you wanted.

With WG support, ask for the US based support, they are very good.  The first level are usually hard work :-)

If I remember correctly the setting is in Stage 2 on the IPSec VPN.

Do you see ANY errors in the logs when your tunnel is down?
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
BeGentleWithMe-INeedHelpAuthor Commented:
thanks for the info.  the VPN is configured under Branch office VPN, Going in there, I didn't see any caps on throughput.
 
There is a traffic management page under VPN and there's no settings on that page.

I did see the attached page under branch office VPN.  do those numbers sound right?

I didn't check the log when the tunnel is done.  Will have to try that again tonight.  When I found out about the short log on the box a few hours later, things during the loss of the VPN had rolled off.
1.jpg
2.jpg
0
 
stu29Commented:
What are the settings in side your Phase 1 on 2.jpg?

Don't change anything:  You have the timeout set to 8 hours.  I would set these to either 12 or 24 hours so they renegotiate at a consistent controlled time and not a rolling 8 hours.

Don't change it:  but I have seen dead peer detection case issues on these tunnels.
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
?? don't change, but you mention how I should make changes   : ) ???
0
 
stu29Commented:
I would like to see the settings on phase 1 first. Then we can try to change if they are right.  Just giving you ideas to think about.

Sorry for any confussion
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
sorry?  no! I appreciate the help.  The machine to be backed up seems to be off tonight so I can't test things right now.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now