Troubleshooting watchguard vpn

I haven't worked with watchguard products. A new client has an xtm-26 at main office and xtm-10 at a remote office. Previous consultant set up a vpn between them.

Working fine for years now, so they say.

I am trying to backup machines from the remote office to a NAS at the home office.

I am noticing that the VPN stops working once in a while (can't do anything across VPN, like even ping the watchguard at the other end of the tunnel.  A reboot of the home office watchguard restores connectivity.

Any advice? I fear dealing with watchguard support - on a previous instance they took days to call me back, and when they did, they had a pitiful attitude.
Who is Participating?
It sounds like the tunnel is doing what is supposed to by reaching a TTL point and trying to re-create itself, except it is not managing this.  Usually WG tunnels will hit a limit based on traffic passed (8172mb I think).  Change this setting on both sides of the tunnel to reach this limit.  I cannot tell you exactly where to look as I no longer have WG products.

This will atleast narrow down your search.  If your tunnel no longer drops then there is an issue when it tries to renegotiate. If it does still drop then I would consider rebuilding both ends of the tunnel.  If this still does not work, I would be looking at backing them up, upgrading them to to most current firmware and trying again.  If this still does not work I would suspect hardware (doubtful).  

Are you logging from your devices?  Can you see the drop in your logs?  I know they used to have a /debug switch at the end of the logging page that would expose verbose logs.
BeGentleWithMe-INeedHelpAuthor Commented:
thanks.  I am not familiar with UTMs in general.  Didn't know about that cap setting. Have to look for it.

Don't use WG anymore?  Something better?  

Logging - there's  a short sysadmin log in the box, but there's a way to have the logs sent to another machine I think, right?  Not sure where to download the software / how to set things up to send logs to a machine.  any help would be appreciated.

Are other boxes easier to use and still offer a level of robustness for small businesses?
The WG products are actually very strong.  I used them for 10 plus years.  Only reason I changed was I changed jobs.

So when you are on the sysadm log page, add /debug to the end and see if they still have advanced logging hidden in there.

To write out to another device it would have to be a syslogger.  There are a few out there.  I ususally ended up using KIWI syslog.  Clean, simple and your could write to a SQL db if you wanted.

With WG support, ask for the US based support, they are very good.  The first level are usually hard work :-)

If I remember correctly the setting is in Stage 2 on the IPSec VPN.

Do you see ANY errors in the logs when your tunnel is down?
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

BeGentleWithMe-INeedHelpAuthor Commented:
thanks for the info.  the VPN is configured under Branch office VPN, Going in there, I didn't see any caps on throughput.
There is a traffic management page under VPN and there's no settings on that page.

I did see the attached page under branch office VPN.  do those numbers sound right?

I didn't check the log when the tunnel is done.  Will have to try that again tonight.  When I found out about the short log on the box a few hours later, things during the loss of the VPN had rolled off.
What are the settings in side your Phase 1 on 2.jpg?

Don't change anything:  You have the timeout set to 8 hours.  I would set these to either 12 or 24 hours so they renegotiate at a consistent controlled time and not a rolling 8 hours.

Don't change it:  but I have seen dead peer detection case issues on these tunnels.
BeGentleWithMe-INeedHelpAuthor Commented:
?? don't change, but you mention how I should make changes   : ) ???
I would like to see the settings on phase 1 first. Then we can try to change if they are right.  Just giving you ideas to think about.

Sorry for any confussion
BeGentleWithMe-INeedHelpAuthor Commented:
sorry?  no! I appreciate the help.  The machine to be backed up seems to be off tonight so I can't test things right now.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.