BOVPN make use of new External Interface?

I recently added a third external interface and moved it to highest priority in my multi-WAN failover configuration. I also unchecked an external interface that I won't be using.

How do I get my managed branch office VPN tunnels to use the new external connection? Currently they all still use the old primary connection, which is now second in priority. I tried rekey, expire lease, reboot, etc., but nothing helps. Do I need to delete and recreate the tunnels, or is there another way?

I've checked Policy Manager under VPN > Branch Office Gateways and they all still use the two old external gateways. Same in System Manager under device status.

Comments

  • I believe that the lowest external interface number is used automatically for managed BOVPNs.

    Assuming that this is still true, your options are to switch your interface connections or go to manual BOVPNs.
    For me, manual BOVPNs are not that difficult to set up, and one has more options in the setup.

  • edited January 2021

    I may have to look into manual BOVPNs. I'm not sure what finally did it, but the new interface is now listed under the BOVPN gateways, still all in the wrong order. It doesn't seem to pay any attention to the multi-WAN failover settings.

  • It doesn't seem to be in the interface order or the multi-WAN order.

    Multi-WAN order
    ISP1
    ISP2
    ISP3 (unchecked)

    Interface order
    Port 0 ISP3
    Port 4 ISP1
    Port 7 ISP2

    BOVPN gateway order
    ISP 2
    ISP 3
    ISP 1

  • edited January 2021

    What does one have to do to fix this besides stop using managed VPNs?

    I've tried deleting my BOVPN, waited for the gateway to be removed, and then recreated the VPN, but the same three multi-WAN interfaces are still in the same order.

    I can't disable the third external interface because it says it's in use by the BOVPN gateway.

  • No idea.
    Open a Support Incident to get help from a WG rep on this.
    Should you find a resolution, please post it.

  • james.carson, Moderator, WatchGuard Representative

    The firewall will prioritize interfaces (for drag/drop VPNs) based on the order you have them in the properties for that firewall.

    If you want completely granular control, making a manual BOVPN or BOVPN Virtual Interface will be how you need to do that.

    -James Carson
    WatchGuard Customer Support

  • That's what I was looking for. I was able to remove my old ISP IP, and that removed it from the BOVPNs. Now I need to change the order, but it says the name there must match the device name.

    Does it matter that the device name is only one of the IP addresses listed in the management properties box?

  • james.carson, Moderator, WatchGuard Representative

    You may need to move the old addresses up one -- I believe there are some instances where it will leave a blank line on top.

    Just type the new IP in on top and blank out the lines below it if that's the case.

    -James Carson
    WatchGuard Customer Support

  • I think I didn't explain it completely. In the docs (Policy Manager Managed Device Settings), it says:
    "This name is case-sensitive and must match the name you use when you add the device to the Management Server configuration. This can also be the IP address of the Firebox."

    So I've input the primary external static IP for the device name.

    Now on the management server side, I've put in both of my static IPs with the primary on the top.

    So what I was trying to say is that it's not going to match, because the name accepts only one IP but the management server has both.
