BOVPN tunnel up but no traffic passing

Hi all,
I have a problem with BOVPN between my watchguard and a Palo alto firewall in other side, the tunnel is up but when I ping to the host in other side it show : timeout and also for other type of traffic does not passing. and when I ping to some hosts we get 2 recieved packets and lost the other packets.

For information : I have 2 externals interfaces : one for internet navigation and mails and second external for BOVPN. And when i run the diagnostic report of BOVPN no error detected.

Please help me to resolve this problem

Thanks.

Kind regards

Answers

  • Consider opening a support incident to get WG help in resolving this.

    It is better to use tracrert instead of ping as tracert shows the path that packets take, whereas ping does not.

    A timeout from a ping could be caused by denies at the other end.
    Make sure that the Palo Alto end is allowing your pings/tracerts and other packet types.

    Also, check with the other end to find out what they see from your ping and other sent packets. Hopefully they can turn on logging of packets from your end in order to help understand the issue.

    If you are not doing so already, turn on Logging on the policies which allow BOVPN packets to & from the other end. This may help show an issue.

    You can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • Good morning,

    Thanks for your reply.

    I have already used the tracert and the traffic stops in the ip address of internal interface of the firewall.

    We have a free access to other end (palo alto).
    I already turned on the logging on the policies which allow BOVPN packets ( out and in traffic ) and the traffic goes through the BOVPN policies.

    For more information i have in my side 2 firewalls M400 with firecluster active-passive.

    Thanks.
    Regards.
  • Time for a support incident

Sign In to comment.