bovpn tunnel suddenly broken; cannot repair
I have a model t50 and t35w that have had a functioning vpn tunnel for over 3 years...never missed moment. Earlier this week, the tunnel went down. I have worked and worked, double and triple-checked my settings; deleted and re-made the gateways and tunnels, and i simply canNOT get the connection established.
most recent error: authentication failure due to mismatched ID
other errors(depending on if i configure 'main' or aggressive): Received invalid main mode id payload
I actually made a bovpn connection from MY site to both of those sites with no difficulty!?
Any thoughts appreciated and thanks in advance,
Sign In to comment.
If you have a current LiveSecurity License on one of these endpoints, consider opening a support incident.
For the record, what XTM version is on each endpoint?
Does either/both firewalls have a static IP addr? If both, Main mode is preferred.
Not sure if you have done this -
You can turn on diagnostic logging for IKE which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you may see something to help understand this.
1) Web UI -> System Status -> VPN Statistics, click the Debug button
2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab
Perhaps we can help if you post some of the logs related to the connection attempts.
As a last resort, you could change to have the connections between the 2 site go via your site - hub & spoke concept - since you can create a BOVPN to both sites successfully.
Thank you Bruce,
I captured the vpn diagnostic logs...I'll try and post them tomorrow.
Unfortunately, I inherited this client...both devices in the mid-11's on xtm version and prior support did not renew livesecurity.
I thought about hub and spoke, but unfortunately my internal ip scheme matches one of the sites...what luck, eh?
You can use 1-to-1 NAT on a BOVPN Tunnel setting to address the internal subnet scheme issue.
Use 1-to-1 NAT Through a Branch Office VPN Tunnel