VPN between Cisco asa5512 and Watchguard XTM 26 stops passing traffic

I have a Cisco ASA 5512 that is making a site to site vpn with a client that has a watchguard xtm 26. The tunnel appears to work fine initially. I can see the tunnel come up and traffic is flowing just fine. However, sometime later in the day, the tunnel just stops passing traffic. I can see that the tunnel is up, but data attempting to be sent from client site just doesn't seem to hit my firewall. The only solution we have found so far is be constantly pinging from the client's host to my host. The tunnel has then stayed up with no issues. Any ideas? Let me know if there is any information I can give you to help. Thank you.
Benjamin AllanAsked:
Who is Participating?
The tunnel is initiated when access is needed and disconnects when it is not needed.  The issue when it is down, there is a setup time.
Your last comment suggests that when it drops, it is not reconnecting from the watchguard side.
Double check and make sure that the phase 1 and phase 2 lifetimes are matched.

This is at times what would cause an issue similar to what you mentioned.  Since you say it happens later in the day, it would suggest that your phase 2 lifetimes are set at different values.

Usually, you would rekey every hour (3600) and the lifetime would be around 28800 seconds. You could also set this limit using data transfer amount. Whichever method you choose, make sure both ends use the same set of options.

Can either end initiate the connection or Is the VPN initiated from one end only?

If you only have the VPN a initiating from one side, they do have idle timeout after which they drop, and a new request reinitiates it. In a case where only one side can initiate the VPN, once it drops the second side lacks the connection and is not able to bring up the VPN.
Benjamin AllanAuthor Commented:
Both sides have phase 1 and phase two matching up. Phase one with a lifetime of 1800 and phase two with security-associations of 28800 seconds and 128000 kilobytes.

The tunnel can be initiated from either end. However, in practice, it only ever gets initiated from the watchguard side. Their side is an MRI scanner sending images to my server. I am able to icmp ping from my server to their scanner to initiate the tunnel if I wanted though.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.