WatchGuard BOVPN to Azure Gateway
Hi All
Has anyone had any issues with WatchGuard 12.8 and Azure VPN tunnels just not working correctly. These all worked fine on 12.7.2. We have some sites using the "Old way" of doing this, so NOT using the BOVPN Virtual Interface and these have been dropping like mad on 12.8. Roll it back to 12.7.2 and it's all fine.
However we have also noticed that if we then use the BOVPN Virtual interface VPN to Azure Gateway, it does not seem to correctly pass traffic. It breaks domain logins as servers are in Azure. Breaks SSL VPN as can't authenticate. It's like traffic does not route down the BOVPN, even though there is a route etc. Then swap back to the Legacy BOVPN way and it all works fine.
0
Sign In to comment.
Comments
Others have commented about issues with BOVPN to AWS and BOVPN packet loss in V12.8. I have not seen any for Azure
BOVPN Failing to AWS since upgrade to 12.8
https://community.watchguard.com/watchguard-community/discussion/2500/bovpn-failing-to-aws-since-upgrade-to-12-8
Upgrade to 12.8 creates packet loss
https://community.watchguard.com/watchguard-community/discussion/2509/upgrade-to-12-8-creates-packet-loss
Hi @ThePixelPanic
If you haven't already done so, I'd suggest opening a support case -- there's a lot of moving parts here and it'd be helpful to see the logs.
Azure generally works better with a Virtual Interface (especially if you're running multiple subnets, as it'll generally prefers one tunnel vice the multiple it'll build for each route.)
In order to help with the routes, we'd need to see logs from the firewall to see where (if anywhere) it's trying to send that traffic.
-James Carson
WatchGuard Customer Support
We are experiencing a very similar issue with one site to site tunnel to a cisco appliance on the remote side from our data center. Ever since upgrading to the 12.8 firmware on 4-2-2022 (the only change made) this particular tunnel will work normally for a random amount of time and just stop passing traffic after 30 minutes to several hours later. All of our other tunnels on this same hardware are working normally and passing traffic without any issues (mainly watchguard appliances on the end of the other tunnels). We do have a ticket open currently and are working to try and get this resolved with Watchguard support now, but suspect we may need to roll back to 12.7.2 until it is resolved. This tunnel worked fine without any issues for a very long time on the previous firmware version(s). Not azure in this case but I recall with some azure tunnels setup in the past some reference to Cisco so it made me wonder if perhaps those azure tunnels might be impacted due to the hardware on the azure side of the tunnel maybe.
@LeeJohnson
If you turn debug logning way up for ike, does the logs say anything usefull?
/Robert
We only use BOVPN tunnels between WatchGuard devices but we experience stability problems. Support asked to change IKEv2 to IKEv1. I know that's a problem if you can't manage all the settings. It seems to do the trick for know.
We are having the same issue with BOVPN's unto Azure. We have 5 x M270's, a couple of M370's 1 load of T15/T20's in our estate and a good number of T40's. The T40's are the only one's exhibiting the issue so far. All these units were fine before the upgrade to 12.8. They are using IKEV2 as this is what's recommended for Azure.
@SMSystems
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000O6woSAC&lang=en_US
RV, thanks for linking this. I'd rather not tear down a load of Azure VPN's which are using the recommended IKEV2 but am grateful for you input.
For now to get a stable vpn connection you have to change to ikeV1 until WG releases a fix for the ikeV2 issue.
Unfortunately IKEV1 isn't possible with most of our Azure setups, has anyone had any comms from WG with a lead time for the fix?
If you're running into VPN stability issues with 12.8, I'd suggest looking at 12.8 U1 over at https://software.watchguard.com/ --
Two issues were fixed with regards to IKEv2 in that release.
-This release resolves an issue with the assignment of DNS Servers to Mobile VPN with IKEv2 clients. [FBX-23036]
-This release resolves a Mobile VPN with IKEv2 Dead Peer Detection (DPD) stability issue. [FBX-23104]
https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_8/index.html#Fireware/en-US/resolved_issues.html
-James Carson
WatchGuard Customer Support
I'll join the convo here, I'm running 12.8 (Build 659436) in a active passive firecluster. I have BOVPN setup connected to a cisco firepower and i'm seeing pings drop every so often.
I was on 12.8 (Build 657104) and that's when i noticed the issue, i upgraded to 12.8 (Build 659436) and i still see pings dropping.
@Kamikaze
If you're still seeing traffic drop, I'd suggest a support case -- if you ran the patch you're likely running into a different issue.
-James Carson
WatchGuard Customer Support
fyi 12.8.1 has been stable since we installed on 1 X T40 and 1 X M270 this morning. Will be rolling out to a handful of 370s, and a bunch more T40/20/15's throughout the next few days.
@james.carson
What patch? Is there some special patch beyond the 12.8 (Build 659436)?
Update: I see it now Fireware 12.8 Update 1
@Kamikaze 12.8 Update 1 (B659436) is the updated patch.
-James Carson
WatchGuard Customer Support
@james.carsonokay i yes i have been running that and i still have the packet loss
Then you should open a support case on this
@Bruce_Briggs I have one open already
Whilst not an Azure VPN issue, we had been experiencing IKEv2 BOVPN drops (to a third party) with the 12.8 update, this has been resolved for us since applying 12.8 update 1.