Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Troubleshooting a Watchguard to Watchguard VPN

Posted on 2014-11-11
Medium Priority
Last Modified: 2014-11-26
I don't know much about watchguard firewalls.  A previous person set up a branch office VPN between 2 watchguard firewalls (X10e? and XTM2)

It has been working fine for months / years.  Recently, the VPN is broken (I can't ping across it).

If i go into the X10e and reboot it, the VPN is restored.  All other functions were working fine.  The box is several years old and there's no support with Watchguard.

on the x10e, if I go into status, vpn statistics, I see the VPN connection, it has a fair amount of data in all the categories.  

If I highlight the branch office VPN connection (the only one listed), then click rekey selected BOVPN, 1 time I got the message that the VPN doesn't exist... but now it just increments the rekey counter with no error. and no ability to ping / access machines across the VPN

Clicking on the debug button on that page gets the attached file - stuff that I don't understand.  (I changed the remote public IP to a.b.c.d for confidentiality)

A reboot of the x10e gets everything working.  But I rebooted the box a few days ago (it works for a few days then stops, in contrast to previously working for months / years with no problems)

I am used to lynksys type routers.  this is more complicated that I am used to (and more than what's really needed for a small business?)?

I don't see a simple page that says VPN is up or down : (

Any advice?
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3

Author Comment

ID: 40436643
I rebooted and vpn is working.

I compared the debug pages before and after. I did a screen capture of the first few lines.  with broken vpn, the first entry is Next payload ISA_HASH and after reboot that first entry is next payload ISA-SA.

And similar differences down the pages...

any help would be appreciated!
LVL 27

Accepted Solution

Steve earned 2000 total points
ID: 40437993
is there anything we could link up with when it started being unstable? update to XTM2, internet line change etc?

the logs suggest the x10e may be using slightly different settings to the XTM2 which would possibly explain why it may fail after a while, but it would suggest its been unstable in the long term. how recently has it started dropping the vpn?

does either site have internet issues in general?

Author Comment

ID: 40439209
I compared the pages under the vpn at both ends and the settings seem to be identical (except reversed for local and public IP addresses for each end, as I'd expect).  There was a field for 'pre shared key' that had asterisks.  I cleared that and saved a new password - didn't know what was in the asterisks.  Is that the only password field? with that and the IP of the device on the other end, they handshake and then get into the AES, etc.?

no smoking gun for the cause of the failures.  Internet has been stable as far as I know. I started pinging from a desktop on each end to the watchguard on the other end and also another cmd window pinging  both are working at both ends now.  I'll check tomorrow for any dropped packets.  and if there was spotty internet, shouldn't the vpn attempt to reconnect? I can get into the machines remotely over the internet, so at that point, the internet is up. so should the VPN?

And other than pinging the other end of the VPN, I can't see in the watchguard web interface how to see that the VPN is up or down. Am I missing something?
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

LVL 27

Assisted Solution

Steve earned 2000 total points
ID: 40439549
hmm. sounds Ok in general then.

does the VPN drop after a 'similar' amount of time on each occasion or is it very random?

If it's similar it would suggest something is expiring or not re-authenticating after a while. It could also mean some kind of buffer/counter may be filling up and failing.

Author Comment

ID: 40439676
thanks.  I'm looking for someone that knows watchguard specifically that can point me to this page or that / install this software or that, etc. to access logging, etc.
LVL 27

Assisted Solution

Steve earned 2000 total points
ID: 40439878
I know Watchguards but not these ones i'm afraid. they're older than i'm used to and you've advised they aren't even upto date :-)

click 'request attention' to see if anyone else can help.

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question