VPN Tunnel using wrong external interface

Hi - we have an M370 running v12.1. The BOVPN-Allow.out and BOVPN-Allow.in and Ping (only allowed for BOVPN) all have "Use policy-based routing" checked and the interface I need them to go out on is selected. When I look in the logs, I see traffic going out over the VPN using the wrong external interface. I don't understand how this can be. I'm clearly missing something but I don't know what. Anybody have an idea on what else I can check? Thanks in advance for any help.


  • Options

    What interface is specified in your BOVPN Gateway setup ?

  • Options

    The one I need it to go out from. My Gateway IP is also an IP from that interface.

  • Options

    Is this for a standard BOVPN or a virtual BOVPN?

    In V12.1, you supposedly need to specify the BOVPN gateway IP addr as the primary IP addr on the external interface, not a secondary one.

    From the docs:
    "In Fireware v12.2 or higher, you can specify a secondary interface IP address as a gateway endpoint. By default, the primary IP address configured on the external interface you specify is used."
    Not sure if the 2nd sentence is correct or not. Seems like this was an issue in some previous releases from some comments on the old Forum.

    If you are not using the primary, try changing it.

    Also what do you see for the following? Do they help to explain this issue?
    . VPN connection in Firebox System Manager -> Front Panel -> Branch Office VPN Tunnels
    . Web UI -> System Status -> VPN Statistics -> Branch Office VPNs -> Gateways ?
    Logging should show which interface is being used for the BOVPN.

    These should also show what interface is being used for the BOVPN.
    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

    Also, consider rebooting your firewall and see if that changes anything.

Sign In to comment.