Link to home
Create AccountLog in
Avatar of BeGentleWithMe-INeedHelp
BeGentleWithMe-INeedHelpFlag for United States of America

asked on

Troubleshooting a Watchguard to Watchguard VPN

I don't know much about watchguard firewalls.  A previous person set up a branch office VPN between 2 watchguard firewalls (X10e? and XTM2)

It has been working fine for months / years.  Recently, the VPN is broken (I can't ping across it).

If i go into the X10e and reboot it, the VPN is restored.  All other functions were working fine.  The box is several years old and there's no support with Watchguard.

on the x10e, if I go into status, vpn statistics, I see the VPN connection, it has a fair amount of data in all the categories.  

If I highlight the branch office VPN connection (the only one listed), then click rekey selected BOVPN, 1 time I got the message that the VPN doesn't exist... but now it just increments the rekey counter with no error. and no ability to ping / access machines across the VPN

Clicking on the debug button on that page gets the attached file - stuff that I don't understand.  (I changed the remote public IP to a.b.c.d for confidentiality)

A reboot of the x10e gets everything working.  But I rebooted the box a few days ago (it works for a few days then stops, in contrast to previously working for months / years with no problems)

I am used to lynksys type routers.  this is more complicated that I am used to (and more than what's really needed for a small business?)?

I don't see a simple page that says VPN is up or down : (

Any advice?
Avatar of BeGentleWithMe-INeedHelp
BeGentleWithMe-INeedHelp
Flag of United States of America image

ASKER

I rebooted and vpn is working.

I compared the debug pages before and after. I did a screen capture of the first few lines.  with broken vpn, the first entry is Next payload ISA_HASH and after reboot that first entry is next payload ISA-SA.

And similar differences down the pages...

any help would be appreciated!
compare-before-and-after-reboot.bmp
vpn-debug-after-reboot---VPN-working.txt
vpn-debug-before-reboot---VPN-not-workin
ASKER CERTIFIED SOLUTION
Avatar of Steve
Steve
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
I compared the pages under the vpn at both ends and the settings seem to be identical (except reversed for local and public IP addresses for each end, as I'd expect).  There was a field for 'pre shared key' that had asterisks.  I cleared that and saved a new password - didn't know what was in the asterisks.  Is that the only password field? with that and the IP of the device on the other end, they handshake and then get into the AES, etc.?

no smoking gun for the cause of the failures.  Internet has been stable as far as I know. I started pinging from a desktop on each end to the watchguard on the other end and also another cmd window pinging google.com.  both are working at both ends now.  I'll check tomorrow for any dropped packets.  and if there was spotty internet, shouldn't the vpn attempt to reconnect? I can get into the machines remotely over the internet, so at that point, the internet is up. so should the VPN?

And other than pinging the other end of the VPN, I can't see in the watchguard web interface how to see that the VPN is up or down. Am I missing something?
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
thanks.  I'm looking for someone that knows watchguard specifically that can point me to this page or that / install this software or that, etc. to access logging, etc.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account