BOVPN randomly quits passing data
I need some advice. Our BOVPN connection randomly stops working and quits passing data. If I restart the Watchguard, it starts working again. The rest of the firewall functionality works fine all the time. Just the BOVPN has this intermittent issue.
I'm running an XTM330 and it is running OLD software (v11.9.4). This unit is also not in support of any kind currently. I have downloaded the newest OS version available for it (v12.1.3u2) but can I install this without a current support contract? Does the unit "phone home" during the upgrade process to see if it is still under support? I don't want to "brick it" by trying to do the upgrade as it's in use as our online firewall. Any suggestions would be appreciated. I do have a budget to replace it next year, but I'd really like to solve this BOVPN problem now.
Thanks in advance for any help you can provide.
Bill Sanford
Comments
XTM won't let you upgrade to a newer version once the LiveSecurity license has expired.
What is at the other end of the BOVPN?
Anything to help in the firewall logs related to the BOVPN when it fails?
You can turn on diagnostic logging for IKE which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.
1) Web UI -> System Status -> VPN Statistics, click the Debug button
2) FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab
You can rekey a BOVPN which may help:
1) FSM:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/rekey_BOVPN_tunnels_wsm.html
2) Web UI:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_force_tunnel_rekey_wsm.html
Hi Bruce,
Thanks so much for the reply. I'm a rookie with this device and firewalls in general and have only used the web GUI. I had enabled logging via the web GUI as you suggested prior to my post, but I can't figure out how to view them.
I have looked through the GUI and can't seem to find a way to view the logs. Do I need to log in some other way to access them, or can they be downloaded somehow via the GUI?
Again, many thanks Bruce!
OK, figured out how to download a support log file. What should I be looking at?
These are the times when the BOVPN went down:
Jul 29 13:14:25 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Jul 29 13:16:01 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Aug 26 11:53:54 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Aug 27 13:30:44 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Sep 30 15:01:55 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
Oct 1 15:01:47 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
Oct 2 15:01:35 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
So when the support expires, do the BOVPNs expire too? I thought the box would continue to operate? The times above look like something planned was happening...
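As an added example (not from this thread or from WatchGuard), the script below parses iked BOVPN event lines in the format quoted above and summarizes them the way a reviewer would when deciding whether the drops are random or scheduled: it buckets the "is down" events by gateway and time of day, lists the distinct local/remote subnet pairs seen per tunnel (a change there means the tunnel routes were reconfigured between events), and reports the gaps in days between drops. The regex, bucket size and function names are my own assumptions; the sample input is the seven log lines from the post.

```python
"""Summarize BOVPN 'tunnel is down' events from a WatchGuard iked log."""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the seven iked lines quoted in the post above, as written to
# the XTM330 support log file.
SAMPLE_LOG = """\
Jul 29 13:14:25 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Jul 29 13:16:01 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Aug 26 11:53:54 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Aug 27 13:30:44 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.0.0/255.255.240.0 remote 192.168.16.0/255.255.255.0 under gateway 'Brainerd Office' is down (bovpn event)
Sep 30 15:01:55 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
Oct 1 15:01:47 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
Oct 2 15:01:35 2019 XTM330 local0.info iked: msg_id="020B-0001" BOVPN tunnel 'Brainerd Tunnel' local 192.168.16.0/255.255.255.0 remote 192.168.0.0/255.255.240.0 under gateway 'Brainerd Office' is down (bovpn event)
"""

# Assumed field layout of the iked BOVPN event line (state is 'up' or 'down').
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) \S+ iked: msg_id=\"(?P<msg_id>[^\"]+)\" "
    r"BOVPN tunnel '(?P<tunnel>[^']+)' local (?P<local>\S+) remote (?P<remote>\S+) "
    r"under gateway '(?P<gateway>[^']+)' is (?P<state>up|down)"
)


def parse_events(text):
    """Return one dict per matching iked line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Collapse the double space syslog uses before single-digit days.
        ts = " ".join(ev.pop("ts").split())
        ev["when"] = datetime.strptime(ts, "%b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def recurring_windows(events, bucket_minutes=15, min_hits=3):
    """Group 'down' events by gateway and time-of-day bucket.

    The same bucket hit on several distinct days points at something on a
    timer (a rekey, a backup job, an ISP maintenance window) rather than at
    a random link failure. Returns (gateway, bucket_label, [dates]) tuples,
    most frequent first.
    """
    buckets = defaultdict(set)
    for ev in events:
        if ev["state"] != "down":
            continue
        minute = (ev["when"].hour * 60 + ev["when"].minute) // bucket_minutes * bucket_minutes
        label = f"{minute // 60:02d}:{minute % 60:02d}"
        buckets[(ev["gateway"], label)].add(ev["when"].date())
    hits = [(gw, label, sorted(days)) for (gw, label), days in buckets.items()
            if len(days) >= min_hits]
    return sorted(hits, key=lambda h: -len(h[2]))


def subnet_pairs(events):
    """Distinct (local, remote) pairs per tunnel; more than one pair means
    the tunnel route configuration changed between events."""
    pairs = defaultdict(set)
    for ev in events:
        pairs[ev["tunnel"]].add((ev["local"], ev["remote"]))
    return {t: sorted(p) for t, p in pairs.items()}


def days_between(events):
    """Calendar-day gaps between consecutive 'down' events, oldest first."""
    downs = sorted(ev["when"].date() for ev in events if ev["state"] == "down")
    return [(b - a).days for a, b in zip(downs, downs[1:])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} BOVPN events parsed")
    for gw, label, days in recurring_windows(evs):
        print(f"gateway {gw!r} went down in the {label} window on {len(days)} days: {days}")
    for tunnel, pairs in subnet_pairs(evs).items():
        print(f"tunnel {tunnel!r} local/remote pairs seen: {pairs}")
    print("days between down events:", days_between(evs))
```

Run it against a support log's iked lines (or pipe the Traffic Monitor export through it); on the seven lines above it reports a single 15:00 window hit on three consecutive days, which is the kind of pattern worth matching against rekey timers, scheduled jobs and the remote side's own logs before blaming the hardware.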
Hi @Sanford
BOVPNs continue to work, however, you'll be unable to upgrade (which is useful in the case of there being a bug, or if you want to get a new feature in a newer version.)
The logs, in your case, seem to indicate that the gateway (under VPN -> Branch Office VPN, gateways) is down -- specifically the one named Brainerd Office.
- This may mean that the local link monitor is downing that interface. Do you have multiple external interfaces set up? Make sure multi-wan is set to ping addresses that will reply, and that you're not having any ISP trouble. There should be a log when it happens, if the local external interface was marked down.
- The remote side may be down or unreachable. If you look on the remote side, do you see logs saying that this device is reaching out to it?
Thank you,
-James Carson
WatchGuard Customer Support
When a LiveSecurity license expires, standard firewall processes, including BOVPNs, should still work.
Unfortunately "gateway 'Brainerd Office' is down" doesn't tell us much.
What is at the other end of the BOVPN?
Does a rekey help?
A support file is not really helpful to most of us.
It is something that WG support uses to help identify issues - and without a current LiveSecurity license, you don't have the ability to open WG support incidents.
I've been tied up today, but I'll dig into this more tomorrow. There is only one other BOVPN and it's a Watchguard T10 at a small remote office with a few people.
Thanks everyone for your help. I find it very annoying that I can't even do a software upgrade to a version that was available when the support was current. Can I even reinstall the current version of software that it's running now? This problem just started a few months back and nothing was changed in the unit. It's been running the same OS version for several years.
This device is end of life very soon. It may be time to replace it sooner rather than later...
Again, thank you.
Reinstall should not really do anything.
And I don't believe that you can - but I have never tried this.
Again, thanks Bruce. I may go pfSense next time around...
I received some help from the Watchguard staff and got this resolved.
Thank you!
Care to indicate what got changed?
This info may help others in the future