Benjamin Allan
asked on
VPN between Cisco asa5512 and Watchguard XTM 26 stops passing traffic
I have a Cisco ASA 5512 that is making a site to site vpn with a client that has a watchguard xtm 26. The tunnel appears to work fine initially. I can see the tunnel come up and traffic is flowing just fine. However, sometime later in the day, the tunnel just stops passing traffic. I can see that the tunnel is up, but data attempting to be sent from client site just doesn't seem to hit my firewall. The only solution we have found so far is be constantly pinging from the client's host to my host. The tunnel has then stayed up with no issues. Any ideas? Let me know if there is any information I can give you to help. Thank you.
ASKER
Both sides have phase 1 and phase two matching up. Phase one with a lifetime of 1800 and phase two with security-associations of 28800 seconds and 128000 kilobytes.
The tunnel can be initiated from either end. However, in practice, it only ever gets initiated from the watchguard side. Their side is an MRI scanner sending images to my server. I am able to icmp ping from my server to their scanner to initiate the tunnel if I wanted though.
The tunnel can be initiated from either end. However, in practice, it only ever gets initiated from the watchguard side. Their side is an MRI scanner sending images to my server. I am able to icmp ping from my server to their scanner to initiate the tunnel if I wanted though.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This is at times what would cause an issue similar to what you mentioned. Since you say it happens later in the day, it would suggest that your phase 2 lifetimes are set at different values.
Usually, you would rekey every hour (3600) and the lifetime would be around 28800 seconds. You could also set this limit using data transfer amount. Whichever method you choose, make sure both ends use the same set of options.
Can either end initiate the connection or Is the VPN initiated from one end only?
If you only have the VPN a initiating from one side, they do have idle timeout after which they drop, and a new request reinitiates it. In a case where only one side can initiate the VPN, once it drops the second side lacks the connection and is not able to bring up the VPN.