VPN between Cisco ASA 5512 and WatchGuard XTM 26 stops passing traffic

I have a Cisco ASA 5512 that is making a site-to-site VPN with a client that has a WatchGuard XTM 26. The tunnel appears to work fine initially. I can see the tunnel come up, and traffic is flowing just fine. However, sometime later in the day, the tunnel just stops passing traffic. I can see that the tunnel is up, but data sent from the client site just doesn't seem to hit my firewall. The only solution we have found so far is to constantly ping from the client's host to my host. The tunnel has then stayed up with no issues. Any ideas? Let me know if there is any information I can give you to help. Thank you.
Benjamin Allan asked:
arnold commented:
Double-check that the phase 1 and phase 2 lifetimes match.

This is at times what causes an issue like the one you describe. Since you say it happens later in the day, that would suggest your phase 2 lifetimes are set to different values.

Usually you would rekey every hour (3600 seconds), and the lifetime would be around 28800 seconds. You could also set this limit by data transfer amount. Whichever method you choose, make sure both ends use the same set of options.

Can either end initiate the connection, or is the VPN initiated from one end only?

If you only have the VPN initiating from one side, there is an idle timeout after which it drops, and a new request reinitiates it. In a case where only one side can initiate the VPN, once it drops the second side lacks the connection and is not able to bring up the VPN.
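The lifetime matching arnold recommends, as an added example that is not part of the original thread: a small Python model of both peers' phase 1 / phase 2 limits that lists every value the two sides disagree on and estimates when each side would expire its phase 2 SA, given a steady data rate. The lifetimes are the values posted in this thread (1800 s phase 1, 28800 s and 128000 KB phase 2); the data rate and the counter-example peer without a kilobyte limit are constructed inputs, and nothing is read from a real ASA or XTM.

```python
# Added example, not from the original thread: model the phase 1 / phase 2
# lifetimes of both IPsec peers so a mismatch can be spotted from the
# configured values. Inputs are the values posted in the thread (phase 1 =
# 1800 s, phase 2 = 28800 s / 128000 KB) plus an assumed data rate; nothing
# is read from a real ASA or XTM.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PeerLifetimes:
    """Rekey limits configured on one VPN peer."""
    name: str
    phase1_seconds: int              # IKE (phase 1) SA lifetime
    phase2_seconds: int              # IPsec (phase 2) SA lifetime in seconds
    phase2_kilobytes: Optional[int]  # IPsec SA volume limit, None if not set


def lifetime_mismatches(a: PeerLifetimes, b: PeerLifetimes) -> List[str]:
    """Return one human-readable line per lifetime value that differs.

    Both peers must agree on every limit, including the optional kilobyte
    limit: a volume limit set on one side only still counts as a mismatch.
    """
    checks = [
        ("phase 1 lifetime (s)", a.phase1_seconds, b.phase1_seconds),
        ("phase 2 lifetime (s)", a.phase2_seconds, b.phase2_seconds),
        ("phase 2 lifetime (KB)", a.phase2_kilobytes, b.phase2_kilobytes),
    ]
    return [f"{label}: {a.name}={x} {b.name}={y}" for label, x, y in checks if x != y]


def seconds_until_phase2_expiry(peer: PeerLifetimes, kb_per_second: float) -> Tuple[float, str]:
    """Estimate when this peer expires its phase 2 SA at a steady data rate.

    The SA expires at whichever limit is reached first. Returns (seconds,
    trigger), where trigger is "seconds" or "kilobytes".
    """
    by_time = float(peer.phase2_seconds)
    if peer.phase2_kilobytes is None or kb_per_second <= 0:
        return by_time, "seconds"
    by_volume = peer.phase2_kilobytes / kb_per_second
    if by_volume < by_time:
        return by_volume, "kilobytes"
    return by_time, "seconds"


def expiry_gap(a: PeerLifetimes, b: PeerLifetimes, kb_per_second: float) -> float:
    """Seconds between the two peers' estimated phase 2 expiries; 0 when they agree.

    A non-zero gap is the window in which, absent a successful rekey, one side
    has already expired the SA while the other still counts the tunnel as up.
    """
    ta, _ = seconds_until_phase2_expiry(a, kb_per_second)
    tb, _ = seconds_until_phase2_expiry(b, kb_per_second)
    return abs(ta - tb)


if __name__ == "__main__":
    # Values from the thread on both sides: matched, so no mismatch lines.
    asa = PeerLifetimes("asa5512", 1800, 28800, 128000)
    xtm = PeerLifetimes("xtm26", 1800, 28800, 128000)
    print("matched:", lifetime_mismatches(asa, xtm) or "none")

    # Constructed counter-example: the remote side has no volume limit.
    xtm_no_kb = PeerLifetimes("xtm26", 1800, 28800, None)
    for line in lifetime_mismatches(asa, xtm_no_kb):
        print("mismatch:", line)

    # Assumed rate of 100 KB/s: 128000 KB is reached after 1280 s, long
    # before the 28800 s timer, so the volume limit drives the rekey.
    print(seconds_until_phase2_expiry(asa, 100.0))       # (1280.0, 'kilobytes')
    print("gap (s):", expiry_gap(asa, xtm_no_kb, 100.0))  # 27520.0
```

Run it as-is to see the matched case from the thread produce no mismatch lines, and the constructed peer without a kilobyte limit produce both a mismatch line and a large expiry gap at the assumed rate. Plugging in the actual values from `show` output on each device is left to the reader; the point is that the kilobyte limit, not only the timer, decides when a busy tunnel rekeys, so both limits need to agree.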
Benjamin Allan (author) commented:
Both sides have phase 1 and phase 2 matching up: phase 1 with a lifetime of 1800 and phase 2 with security associations of 28800 seconds and 128000 kilobytes.

The tunnel can be initiated from either end. However, in practice, it only ever gets initiated from the WatchGuard side. Their side is an MRI scanner sending images to my server. I am able to ICMP ping from my server to their scanner to initiate the tunnel if I wanted to, though.
arnold commented:
The tunnel is initiated when access is needed and disconnects when it is not needed. The issue when it is down is that there is a setup time.
Your last comment suggests that when it drops, it is not reconnecting from the WatchGuard side.