WG BOVPN to Cisco problem
Here is the WG Diagnostic Report for Gateway and the 2 devices are WG to Cisco
Can anyone tell what the issue is?
*** WG Diagnostic Report for Gateway "Sanitized" ***
Created On: Thu Dec 3 18:39:51 2020
[Conclusion]
Error Messages for Gateway Endpoint #1(name "Sanitized")
Dec 03 18:39:42 2020 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
[Gateway Summary]
Gateway "Sanitized" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "Sanitized") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(192.103.x.x) <-> IP_ADDR(192.180.x.x)}
Local GW_IP<->Remote GW_IP: {199.x.x.x <-> 192.180.x.x}
Outgoing Interface: eth2 (ifIndex=4)
ifMark=0x10002
linkStatus=0 (0:unknown, 1:down, 2:up)
Stored user messages:
Dec 03 18:39:42 2020 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway
Name: "Sanitized Tunnel" Enabled
PFS: "Enabled" DH-Group: "5"
Number of Proposals: "1"
Proposal "ESP-AES256-SHA256" ESP: EncryptAlgo: "AES" KeyLen: "32(bytes)" AuthAlgo: "SHA2-256" LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1 Direction: "BOTH" "192.103.x.x24<->192.180.x.x"
[Run-time Info (gateway IKE_SA)]
[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "Sanitized Tunnel"
[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "Sanitized Tunnel"
#1
Tunnel Endpoint: "199.x.x.x->192.180.x.x"
Tunnel Selector: 192.103.x.x24 -> 192.180.x.x Proto: ANY
Created On: Thu Dec 3 17:55:27 2020
Gateway Name: "Sanitized"
Tunnel Name: "Sanitized Tunnel"
[Address Pairs in Firewalld]
Address Pairs for tunnel "Sanitized Tunnel"
[Policy checker result]
Tunnel name: Sanitized Tunnel
#1 tunnel route 192.103.x.x24<->192.180.x.x
No policy checker results for this tunnel(no P2SA found or some other error)
[Related Logs]
<158>Dec 3 18:39:33 iked[3740]: alwaysUpTimerCb trigger autoStart for ikePcy(Sanitized) ipsecPcy(Sanitized Tunnel)
<158>Dec 3 18:39:33 iked[3740]: AUTOSTART: RECV ipecPcy(Sanitized Tunnel), ikePcy(Sanitized), ifIndex(4), tunnel_src=199.x.x.x, tunnel_dst=192.180.x.x
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)do the ACQUIRE action for the tunnel route [src:192.103.x.x24 <-> dst:192.180.x.x], ike_ver=2, peer_udp_port=0
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)ikePcy(Sanitized) has the existing ikeSA(0x9d1f08, state:SA_INIT_I)
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)update ConnInfo as [my=199.x.x.x:500 peer=192.180.x.x:500 sockfd=15 ifindex=4]
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)Queue new CHILD SA negotiation request
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)childState(0x9e0e88) state change: UNKNOWN ==> CREATED, reason: "Create a Child State"
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)childState(0x9e0e88) state change: CREATED ==> PENDING, reason: "Pending a Child State"
<158>Dec 3 18:39:34 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<158>Dec 3 18:39:38 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<155>Dec 3 18:39:42 iked[3740]: msg_id="021A-001B" (199.x.x.x<->192.180.x.x)IKEv2 exchange from 199.x.x.x:500 to 192.180.x.x:500 failed. Gateway-Endpoint='Sanitized'. Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)stop the given request retry object(0x9cc638, name="IKE_SA_INIT request", msgId=0)
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)ike2_P1StatusChange: notify ikePcy(Sanitized ver#2)'s status becomes "DOWN" (ikeSA=0x9d1f08)
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)MWAN-Failover notify ikePcy=0x9d0af8(Sanitized ver#2), mwanFlags:0x00000000 p1said=0x0 DOWN continuous-fails:83
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)WAN-Failover: start "AlwaysUp" timer(expires in 20s) for ikePcy(Sanitized)
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)Deleting ikeSA(obj=0x9d1f08) state=SA_INIT_I actions:0x00000003 gateway-endpoint=Sanitized, caller=ike2_MsgRetryFail, reason="No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints."
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)no need to delete the child SAs for ikeSA(0x9d1f08 state:SA_INIT_I)
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)childState(0x9e0e88) state change: PENDING ==> DEL, reason: "Free the Child State"
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)Free ikeSA(obj=0x9d1f08 state=IKESA_DELETED)
Comments
Your log here:
Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
Is telling us that the Watchguard is trying to initiate a tunnel, and is not getting a reply (or the reply is coming back in such a way that the WatchGuard isn't associating it with this tunnel.)
I'd suggest checking that the other side is
1. Getting the requests from the WatchGuard
2. If 1 is true, is it sending replies.
That'll help narrow down what part you need to troubleshoot.
-James Carson
WatchGuard Customer Support
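The two-step check above can be driven from the iked log itself. The following is an added example, not code from the original thread or from WatchGuard: it folds the IKE_SA_INIT facts out of log lines shaped like the ones in the report (resend count, peer address and port, the 021A-001B error, the `continuous-fails` counter, and whether the IKE SA was torn down while still in `SA_INIT_I`), gives a verdict, and builds the tcpdump filter to run on the peer to confirm step 1 (requests arrive) and step 2 (replies leave). The sample log lines are constructed to match the report, with sanitized addresses, and the interface name passed to `capture_filter` is a placeholder.

```python
"""Triage a WatchGuard iked log excerpt for the "no IKE_SA_INIT response" pattern.

Added example (not code from the original post or from WatchGuard). It keys on
the iked line shapes visible in the diagnostic report above; the sample lines
below are constructed to match them, with sanitized addresses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Line shapes taken from the report above. Anything else is ignored.
RESEND_RE = re.compile(
    r"Resending IKE_SA_INIT request message \(id=(?P<id>\d+)\) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+) to (?P<dst>[\w.]+):(?P<dport>\d+)"
)
NO_RESPONSE_RE = re.compile(r'msg_id="021A-001B"')
FAILS_RE = re.compile(r"continuous-fails:(?P<n>\d+)")
DELETE_RE = re.compile(r"Deleting ikeSA\(obj=\w+\) state=(?P<state>\w+)")


@dataclass
class IkeInitTriage:
    resends: int = 0
    local: Optional[str] = None
    peer: Optional[str] = None
    port: Optional[int] = None
    no_response_error: bool = False
    continuous_fails: Optional[int] = None
    deleted_in_state: Optional[str] = None

    @property
    def verdict(self) -> str:
        # SA_INIT_I is "I sent IKE_SA_INIT and am waiting for the response".
        # Deleting an SA in that state, or the 021A-001B error, means no reply
        # was ever matched to the request.
        if self.no_response_error or self.deleted_in_state == "SA_INIT_I":
            return "initiator_timeout"
        if self.resends:
            return "retrying"
        return "no_init_timeout"


def triage(lines: Iterable[str]) -> IkeInitTriage:
    """Fold the IKE_SA_INIT-related facts out of iked log lines."""
    t = IkeInitTriage()
    for line in lines:
        m = RESEND_RE.search(line)
        if m:
            t.resends += 1
            t.local, t.peer, t.port = m["src"], m["dst"], int(m["dport"])
        if NO_RESPONSE_RE.search(line):
            t.no_response_error = True
        m = FAILS_RE.search(line)
        if m:
            t.continuous_fails = int(m["n"])
        m = DELETE_RE.search(line)
        if m:
            t.deleted_in_state = m["state"]
    return t


def capture_filter(local: str, peer: str, iface: str) -> str:
    """tcpdump command for the two-step check: run it on the peer (or any box
    in the path) and look for IKE_SA_INIT requests arriving from `local` and
    responses leaving for it. Covers UDP/500 and UDP/4500 (NAT-T)."""
    return (f"tcpdump -ni {iface} host {local} and host {peer} "
            f"and '(udp port 500 or udp port 4500)'")


# Constructed samples in the shape of the report above (addresses sanitized).
SAMPLE_FAILING = """\
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)ikePcy(Sanitized) has the existing ikeSA(0x9d1f08, state:SA_INIT_I)
<158>Dec 3 18:39:34 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<158>Dec 3 18:39:38 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)Resending IKE_SA_INIT request message (id=0) from 199.x.x.x:500 to 192.180.x.x:500. Gateway-Endpoint:'Sanitized'
<155>Dec 3 18:39:42 iked[3740]: msg_id="021A-001B" (199.x.x.x<->192.180.x.x)IKEv2 exchange from 199.x.x.x:500 to 192.180.x.x:500 failed. Gateway-Endpoint='Sanitized'. Reason=No response for IKE_SA_INIT request message.
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)MWAN-Failover notify ikePcy=0x9d0af8(Sanitized ver#2), mwanFlags:0x00000000 p1said=0x0 DOWN continuous-fails:83
<158>Dec 3 18:39:42 iked[3740]: (199.x.x.x<->192.180.x.x)Deleting ikeSA(obj=0x9d1f08) state=SA_INIT_I actions:0x00000003 gateway-endpoint=Sanitized, caller=ike2_MsgRetryFail, reason="No response for IKE_SA_INIT request message."
""".splitlines()

SAMPLE_QUIET = """\
<158>Dec 3 18:39:33 iked[3740]: AUTOSTART: RECV ipecPcy(Sanitized Tunnel), ikePcy(Sanitized), ifIndex(4), tunnel_src=199.x.x.x, tunnel_dst=192.180.x.x
<158>Dec 3 18:39:33 iked[3740]: (199.x.x.x<->192.180.x.x)update ConnInfo as [my=199.x.x.x:500 peer=192.180.x.x:500 sockfd=15 ifindex=4]
""".splitlines()


if __name__ == "__main__":
    t = triage(SAMPLE_FAILING)
    print(f"verdict={t.verdict} resends={t.resends} "
          f"continuous_fails={t.continuous_fails} peer={t.peer}:{t.port}")
    if t.verdict == "initiator_timeout":
        # "PEER_IFACE" is a placeholder for the peer's outside interface.
        print("On the peer, confirm requests arrive and replies leave:")
        print("  " + capture_filter(t.local, t.peer, "PEER_IFACE"))
```

An `initiator_timeout` verdict with a climbing `continuous-fails` counter says nothing about which direction is broken; the capture on the peer splits it: no inbound IKE_SA_INIT means the request is dropped or routed elsewhere before it arrives (step 1), inbound requests with no outbound reply means the peer has no matching IKEv2 policy or is silently discarding (step 2), and a reply that leaves the peer but never shows up on the Firebox points at the return path.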
Okay, I will check what you suggested.