Solved

Troubleshooting watchguard vpn

Posted on 2014-03-20
1,181 Views
Last Modified: 2014-03-21
I haven't worked with watchguard products. A new client has an xtm-26 at main office and xtm-10 at a remote office. Previous consultant set up a vpn between them.

Working fine for years now, so they say.

I am trying to backup machines from the remote office to a NAS at the home office.

I am noticing that the VPN stops working once in a while (can't do anything across the VPN, like even ping the watchguard at the other end of the tunnel). A reboot of the home office watchguard restores connectivity.

Any advice? I fear dealing with watchguard support - on a previous instance they took days to call me back, and when they did, they had a pitiful attitude.
0
8 Comments
 
LVL 9

Accepted Solution

by:
stu29 earned 500 total points
ID: 39942175
It sounds like the tunnel is doing what it is supposed to by reaching a TTL point and trying to re-create itself, except it is not managing this.  Usually WG tunnels will hit a limit based on traffic passed (8172mb I think).  Change this setting on both sides of the tunnel to reach this limit.  I cannot tell you exactly where to look as I no longer have WG products.

This will at least narrow down your search.  If your tunnel no longer drops then there is an issue when it tries to renegotiate. If it does still drop then I would consider rebuilding both ends of the tunnel.  If this still does not work, I would be looking at backing them up, upgrading them to the most current firmware and trying again.  If this still does not work I would suspect hardware (doubtful).

Are you logging from your devices?  Can you see the drop in your logs?  I know they used to have a /debug switch at the end of the logging page that would expose verbose logs.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39942263
Thanks.  I am not familiar with UTMs in general.  Didn't know about that cap setting. Have to look for it.

Don't use WG anymore?  Something better?  

Logging - there's a short sysadmin log in the box, but there's a way to have the logs sent to another machine I think, right?  Not sure where to download the software / how to set things up to send logs to a machine.  Any help would be appreciated.

Are other boxes easier to use and still offer a level of robustness for small businesses?
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39942292
The WG products are actually very strong.  I used them for 10 plus years.  Only reason I changed was I changed jobs.

So when you are on the sysadm log page, add /debug to the end and see if they still have advanced logging hidden in there.

To write out to another device it would have to be a syslogger.  There are a few out there.  I usually ended up using KIWI syslog.  Clean, simple and you could write to a SQL db if you wanted.

With WG support, ask for the US based support, they are very good.  The first level are usually hard work :-)

If I remember correctly the setting is in Stage 2 on the IPSec VPN.

Do you see ANY errors in the logs when your tunnel is down?
0

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943520
Thanks for the info.  The VPN is configured under Branch office VPN; going in there, I didn't see any caps on throughput.
 
There is a traffic management page under VPN and there's no settings on that page.

I did see the attached page under branch office VPN.  do those numbers sound right?

I didn't check the log when the tunnel is down.  Will have to try that again tonight.  When I found out about the short log on the box a few hours later, things during the loss of the VPN had rolled off.
1.jpg
2.jpg
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39943550
What are the settings inside your Phase 1 on 2.jpg?

Don't change anything:  You have the timeout set to 8 hours.  I would set these to either 12 or 24 hours so they renegotiate at a consistent controlled time and not a rolling 8 hours.

Don't change it:  but I have seen dead peer detection cause issues on these tunnels.
0
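The two suggestions above (ship the firewall's logs to a syslog collector so the drop is not lost when the on-box log rolls over, and check whether the drop lines up with the phase 2 lifetime expiring or dead peer detection firing) can be combined into a small triage script. The following is an added example written for this page, not code from the thread or from WatchGuard: the sample log lines are constructed in RFC 3164 shape, the keyword rules for "rekey", "rekey failed" and "dead peer detection" are assumptions about what an IKE daemon logs (real WatchGuard messages differ, so adjust the patterns to your own output), and the UDP port 5514 is an arbitrary unprivileged choice.

```python
"""Minimal syslog collector and IKE tunnel-event triage (added example).

The log lines below are constructed for illustration and the RULES are
assumptions about IKE log wording; neither comes from WatchGuard.
"""
import re
import socket
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, RFC 3164 shape: "<PRI>Mmm dd hh:mm:ss host tag: message".
# 203.0.113.10 is a documentation address, not a real peer.
SAMPLE_LINES = [
    "<134>Mar 20 02:00:01 fw-main iked: IKE phase 1 SA established with peer 203.0.113.10",
    "<134>Mar 20 02:00:02 fw-main iked: IKE phase 2 SA established tunnel=remote-office",
    "<132>Mar 20 10:00:03 fw-main iked: phase 2 lifetime expired tunnel=remote-office, rekeying",
    "<131>Mar 20 10:00:09 fw-main iked: phase 2 rekey failed tunnel=remote-office: no response from peer",
    "<131>Mar 20 10:01:40 fw-main iked: dead peer detection: peer 203.0.113.10 not responding, tunnel=remote-office down",
]

# PRI is facility*8 + severity; the timestamp has no year.
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Keyword rules, checked in order (assumed wording; tune to your own logs).
RULES = [
    ("rekey_failed", re.compile(r"rekey failed|no response from peer", re.I)),
    ("dpd", re.compile(r"dead peer detection", re.I)),
    ("rekey", re.compile(r"lifetime expired|rekeying", re.I)),
    ("established", re.compile(r"SA established", re.I)),
]


def parse_line(line):
    """Split one syslog line into facility, severity, time, host and message.
    Returns None for lines that do not carry the RFC 3164 header."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "time": datetime.strptime(m.group(2), "%b %d %H:%M:%S"),
        "host": m.group(3),
        "msg": m.group(4),
    }


def classify(msg):
    """Map a message to the first matching rule name, or 'other'."""
    for name, pat in RULES:
        if pat.search(msg):
            return name
    return "other"


def summarize(lines):
    """Count tunnel events by class; a quick view of what happened overnight."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[classify(ev["msg"])] += 1
    return counts


def rekey_outages(lines, window=timedelta(minutes=5)):
    """Pair each rekey with the first failure or DPD event inside `window`.
    A non-empty result supports the 'drops when it renegotiates' hypothesis."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    outages = []
    for i, ev in enumerate(events):
        if classify(ev["msg"]) != "rekey":
            continue
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break
            kind = classify(later["msg"])
            if kind in ("rekey_failed", "dpd"):
                outages.append((ev["time"], later["time"], kind))
                break
    return outages


def collect_udp(port=5514, count=100):
    """Receive `count` syslog datagrams on an unprivileged UDP port and return
    them as text; point the firewall's remote log target at this host/port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    lines = []
    try:
        while len(lines) < count:
            data, _ = sock.recvfrom(8192)
            lines.append(data.decode("utf-8", errors="replace"))
    finally:
        sock.close()
    return lines


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LINES)))
    for rekey_at, failed_at, kind in rekey_outages(SAMPLE_LINES):
        print(f"rekey at {rekey_at.time()} followed by {kind} at {failed_at.time()}")
```

Run it as-is to see the constructed sample classified, or replace `SAMPLE_LINES` with `collect_udp()` output once the firewall is sending to the collector. If every outage pairs a rekey with a failure a few seconds later, the lifetime and DPD settings are the place to look; if drops appear with no preceding rekey, the cause lies elsewhere.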
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39943686
?? don't change, but you mention how I should make changes   : ) ???
0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 39943762
I would like to see the settings on phase 1 first. Then we can try to change if they are right.  Just giving you ideas to think about.

Sorry for any confusion
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39944375
sorry?  no! I appreciate the help.  The machine to be backed up seems to be off tonight so I can't test things right now.
0