BOVPN Failing to AWS since upgrade to 12.8

Hello,

Since upgrading two firewalls to 12.8, BOVPN virtual interface connections to AWS are failing, going down at an indeterminate time. Once disabled/enabled it connects again, but only for anything from 45 to 90 minutes. Any suggestions other than downgrade, which is feasible but inconvenient? These connections have been fine for the last 5 years. Not sure if something has been introduced, or a setting which we need to change. The connections have all been rebuilt; last resort is the downgrade, or even shifting everything off AWS.

Comments

  • You should open a support incident on this

  • I've reverted to 12.7.2 as this was intolerable, and all works fine again, so there's definitely an issue with this version in my opinion. Will wait to see if this issue comes up for others or there's a new version released.

  • @Bruce_Briggs said:
    You should open a support incident on this

    Done with our support provider and they've been through to Watchguard about it. Nothing known or heard of on this issue as 12.8 is new.

  • We had the same issue. Two tunnels to AWS would stay up and pass traffic for about an hour, then die. Our tunnels to Rackspace are fine. I have an open ticket now but will soon reach a point where I'll have to revert back.

  • We also had the same issue, have reverted back which was rather painful and didn't like the backup image for some reason - very stressful! Anyway it's back and working fine on 12.7.2 and no issues anymore. Have also created a support case - surely they know there is an issue now?

  • We only use BOVPN tunnels between WatchGuard devices but we experience stability problems. Support asked to change IKEv2 to IKEv1. I know that's a problem if you can't manage all the settings. It seems to do the trick for now.

  • Whilst not an AWS VPN issue, we had been experiencing IKEv2 BOVPN drops (to a third party) with the 12.8 update; this has been resolved for us since applying 12.8 Update 1.

  • Has anyone tried 12.8 Update 1 with an AWS VPN? The release notes don't exactly say this issue was identified and resolved. Thanks

  • james.carson Moderator, WatchGuard Representative

    Hi @svitadmin
    The fix(es) were related to the two mobile VPN w/IKEv2 issues, which are handled by the same process. The main issue with AWS VPNs was related to FBX-23104.

    They're both listed in the Update 1 release notes:
    https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_8/index.html

    -This release resolves an issue with the assignment of DNS Servers to Mobile VPN with IKEv2 clients. [FBX-23036]
    -This release resolves a Mobile VPN with IKEv2 Dead Peer Detection (DPD) stability issue. [FBX-23104]

    -James Carson
    WatchGuard Customer Support

  • FBX-23104

    After upgrade to v12.8, IKEv2 BOVPNs that use VPN failover are unstable
    Applies To
    Products: Firebox & XTM
    Operating System: 12.8
    Issue Status: Resolved
    Status and Tracking
    Tracking ID: FBX-23104
    Status: Resolved
    Resolved In: v12.8 Update 1
    Description
    After you upgrade to Fireware v12.8, BOVPNs configured with VPN failover might become unstable and traffic could drop or stop completely. You might see log messages that include the text "SA_INVALID_SPI". BOVPNs without VPN failover do not appear to be affected.
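A small log check for the "SA_INVALID_SPI" symptom named in that KB entry, added here as an example and not WatchGuard's own tooling: it parses constructed syslog-style lines (the message layout around the SA_INVALID_SPI text is an assumption), flags peers that receive a burst of those notifications, and reports how long each IKE SA stayed up, the pattern the posters above were watching for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout. Only the "SA_INVALID_SPI" text
# comes from the KB entry; the rest of the message format is an assumption.
SAMPLE_LOG = """\
2022-06-01T10:00:05 fw1 iked: IKEv2 SA established, peer=203.0.113.10
2022-06-01T10:00:09 fw1 iked: IKEv2 SA established, peer=198.51.100.7
2022-06-01T11:02:11 fw1 iked: SA_INVALID_SPI notify received, peer=203.0.113.10
2022-06-01T11:02:41 fw1 iked: SA_INVALID_SPI notify received, peer=203.0.113.10
2022-06-01T11:03:15 fw1 iked: SA_INVALID_SPI notify received, peer=203.0.113.10
2022-06-01T11:04:05 fw1 iked: IKEv2 SA deleted, peer=203.0.113.10
2022-06-01T11:30:00 fw1 iked: SA_INVALID_SPI notify received, peer=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) \S+ iked: (.*?), peer=(\S+)$")

def parse_events(text):
    """Return (timestamp, peer, message) tuples for lines matching LINE_RE, in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)))
    return sorted(events)

def flag_unstable_peers(events, threshold=3, window=timedelta(minutes=5)):
    """Peers that received `threshold` SA_INVALID_SPI notifications within `window`.
    One stray notification after a rekey is normal; a burst is the KB symptom."""
    seen = defaultdict(list)
    flagged = {}
    for ts, peer, msg in events:
        if "SA_INVALID_SPI" not in msg:
            continue
        hits = [t for t in seen[peer] if ts - t <= window] + [ts]
        seen[peer] = hits
        if len(hits) >= threshold and peer not in flagged:
            flagged[peer] = ts  # time the burst crossed the threshold
    return flagged

def sa_lifetimes(events):
    """Minutes each IKE SA stayed up between 'established' and 'deleted', per peer."""
    up, lifetimes = {}, defaultdict(list)
    for ts, peer, msg in events:
        if "SA established" in msg:
            up[peer] = ts
        elif "SA deleted" in msg and peer in up:
            lifetimes[peer].append((ts - up.pop(peer)).total_seconds() / 60)
    return dict(lifetimes)

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(flag_unstable_peers(ev), sa_lifetimes(ev))
```

Point it at a Firebox syslog export and lower `threshold` if your tunnels log less chattily; a lifetime that repeatedly lands near the 45 to 90 minute mark alongside a burst is the signature described in this thread.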
