BOVPN Randomly Dropping
I have a client that has two locations. The main location has an M290 and Spectrum Business, and the secondary location has a T35 and Spectrum Business. The BOVPN will randomly drop, and I have to reboot the M290 for the tunnel to connect again. Rebooting the T35 does not restore the tunnel. I contacted WG support, and they said to reboot the Spectrum modem and not the firewall when the BOVPN goes down again. When the tunnel went down last week, I rebooted the Spectrum modem at the main location, and the BOVPN came back up. I called Spectrum support, and they said nothing was wrong with their modem and router. However, Spectrum is going to replace the modem and router today. The Internet works fine at both locations when the BOVPN goes down. Spectrum has a router between the modem and the M290 that serves as the gateway. Both locations have a static IP address on the WAN side of the firewalls. Has anybody run into this issue before?
Comments
Hi @kwhood67
Based on what you're saying, the tunnel fails to rekey. There are quite a few reasons this can happen:
-If one (or both) of the sides has a dynamic IP, and the rekeying side can't reach the other.
-If there is a config mismatch between the two sides.
-If there is anything in between that is touching or modifying the connection, this may cause problems. For example, some ISP devices have an "ESP-ALG" that will attempt to rewrite the SPI headers in the IPsec tunnel. The firewall uses the SPI to identify the tunnel, so this unexpectedly changing or being incorrect can cause issues.
The logs from your firewalls will provide more information, so if you have a case open with support already, this is probably the best way to move forward.
-James Carson
WatchGuard Customer Support
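To make the ESP-ALG point above concrete, here is an added example (not code from the thread, WatchGuard, or any ISP device) that parses the ESP header defined in RFC 4303 (a 32-bit SPI followed by a 32-bit sequence number), checks each inbound packet's SPI against a table of SPIs the receiver negotiated, and models an in-path device rewriting the SPI. The packet bytes, the SA table and the `nat_alg_rewrite` helper are constructed for illustration; a real ALG's rewriting rules are not documented on this page.

```python
"""ESP header parsing and SPI consistency check (added example, not from the thread).

The receiver of an IPsec tunnel looks up each inbound ESP packet by SPI. If a
device in the path rewrites that SPI, the packet no longer matches any
negotiated SA and is dropped, which is the failure mode described above.
All packets and SPIs below are constructed sample data.
"""
import struct
from typing import Dict, Iterable, List, Set, Tuple

ESP_HEADER_LEN = 8  # RFC 4303: 4-byte SPI + 4-byte sequence number


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER_LEN:
        raise ValueError("packet shorter than ESP header")
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    return spi, seq


def build_esp_packet(spi: int, seq: int, payload: bytes) -> bytes:
    """Construct a minimal ESP packet: header followed by an opaque (already
    encrypted) payload. The payload content is irrelevant to SPI lookup."""
    if not 0 <= spi <= 0xFFFFFFFF or not 0 <= seq <= 0xFFFFFFFF:
        raise ValueError("SPI and sequence number are 32-bit fields")
    return struct.pack("!II", spi, seq) + payload


def nat_alg_rewrite(packet: bytes, spi_map: Dict[int, int]) -> bytes:
    """Model (constructed, hypothetical) of an in-path 'ESP-ALG' that rewrites
    the SPI of packets it forwards. SPIs absent from spi_map pass unchanged."""
    spi, seq = parse_esp_header(packet)
    new_spi = spi_map.get(spi, spi)
    return struct.pack("!II", new_spi, seq) + packet[ESP_HEADER_LEN:]


def check_inbound_esp(packets: Iterable[bytes],
                      known_spis: Set[int]) -> List[Tuple[int, int, str]]:
    """Classify each inbound packet: 'ok' if its SPI matches a negotiated
    inbound SA, 'unknown-spi' otherwise. Returns (spi, seq, verdict) tuples."""
    results = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        verdict = "ok" if spi in known_spis else "unknown-spi"
        results.append((spi, seq, verdict))
    return results


def unknown_spi_count(results: List[Tuple[int, int, str]]) -> int:
    """Number of packets that no local SA would accept."""
    return sum(1 for _, _, v in results if v == "unknown-spi")


def demo() -> Tuple[int, int]:
    """Same traffic with and without the SPI-rewriting device in the path.
    Returns (unknown_spis_without_alg, unknown_spis_with_alg)."""
    negotiated_inbound_spi = 0xC0FFEE01          # constructed
    known = {negotiated_inbound_spi}
    traffic = [build_esp_packet(negotiated_inbound_spi, seq, b"\x00" * 16)
               for seq in range(1, 4)]

    clean = check_inbound_esp(traffic, known)
    # The hypothetical ALG maps the peer's SPI to a value the receiver never negotiated.
    mangled = [nat_alg_rewrite(p, {negotiated_inbound_spi: 0x11111111}) for p in traffic]
    broken = check_inbound_esp(mangled, known)
    return unknown_spi_count(clean), unknown_spi_count(broken)


if __name__ == "__main__":
    print("unknown SPIs without / with SPI rewrite:", demo())
```

If you can capture on the WAN interface of the firewall, feeding real ESP payloads to `check_inbound_esp` with the SPIs from the firewall's SA list is a quick way to tell whether what arrives still carries the SPI the peer sent.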
James, the tunnel fails to rekey, and both firewalls have static IP addresses from Spectrum Business. WatchGuard Support has viewed the configs on both firewalls, and we enhanced IKE logging. They found nothing. Spectrum just replaced their modem and gateway today. Why would rebooting just the modem bring the tunnel back? There is a gateway between the firewall and the modem.
Hi @kwhood67
If rebooting just the ISP modem brings the tunnel back, that would suggest that something on the ISP device might be causing the problem. I would definitely suggest seeing if the ISP's modem has any kind of interface you can access, and if so, are there any settings like ESP-ALG that might be modifying traffic.
-James Carson
WatchGuard Customer Support
Hi. I have been facing the same issue on my side for the past 2 months. WatchGuard already remoted in and checked the configuration, and they didn't find anything wrong on the configuration side. Also, the technician from the ISP side checked the configuration and all looked good. Plus, he changed the modem too. But the issue was never solved at all.
@QRA
I'd suggest replying to the case you already have open and telling the technician you're working with that you're still having the issue -- they can review and/or escalate the case as needed.
-James Carson
WatchGuard Customer Support
Has anyone been able to resolve this issue? I have the same problem between the UK (Hyperoptic static IP) and Barbados (Flow Business static IP). Normal internet works, but an ISP router (Flow, Barbados end) reboot is required for the VPN tunnels to be able to re-establish. I have asked them about ESP-ALG and am waiting for their comments.
I know this thread is old, but I have no other way to keep pressuring WatchGuard to fix this issue. I have been battling this same issue for about two years now. I have worked with WatchGuard about 5 times for hours when it happens to try and solve this issue. Needless to say, the BOVPNs need to be up, so spending time troubleshooting the issue is almost impossible. The configuration I have is two BOVPNs between an M270 and two T35s. Only the main location has a static IP. The ISP is Spectrum and a little local company with long-range wireless at one location. Both BOVPNs will randomly go down at the same time. A reboot of the M270 always fixes the issue. A reboot of Spectrum's cable modem where the M270 is located will sometimes fix the problem. I have dug through the logs numerous times, and it looks like something is reaching a count limit within the WatchGuard at 65,535 and then apparently cannot continue on. This would coincide with a 16-bit register size, so some sort of memory or log limitation getting filled up. I do believe this is a bug within WatchGuard's firmware.
Hi @MustangC
Do you have an existing case number I can look into?
The WatchGuard can have traffic counters enabled to force a rekey, but on most modern Fireboxes that rekey timer will be set to 8 hours.
In the case of a BOVPN pair where one side is dynamic and one side is static, the side with the dynamic IP would be the one that rekeys and VPN initiation requests should generally come from (as the dynamic side's IP will often be unknown). Depending on how this is set up, your static side might not be able to reach the dynamic side until an initial tunnel is established.
Generally, setting the rekey timer a bit lower on the dynamic side will prevent the static side from trying to do this, if that is what is happening.
-James Carson
WatchGuard Customer Support
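The support replies above say the tunnel is failing at rekey and that the default rekey timer is 8 hours. The first thing a practitioner would check is whether the outages actually line up with rekey boundaries. Here is an added example (not from the thread or from WatchGuard) that takes a list of tunnel up/down timestamps and reports, for each drop, how long the tunnel had been up and whether that uptime falls within a tolerance of a multiple of the rekey lifetime. The event list is constructed sample data, not real Firebox log output, and the 8-hour lifetime and 10-minute tolerance are assumptions you would replace with your own Phase 2 settings.

```python
"""Correlate BOVPN drops with the IPsec rekey interval (added example).

Given tunnel 'up'/'down' events, report for each drop the uptime since the
tunnel last came up and whether that uptime sits on a rekey boundary
(k * lifetime, k >= 1, within a tolerance). Drops that cluster on those
boundaries point at rekey failure; drops that do not point elsewhere.
EVENTS below is constructed sample data, not real firewall logs.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

REKEY_LIFETIME = timedelta(hours=8)   # assumption: the 8-hour default mentioned above
TOLERANCE = timedelta(minutes=10)     # assumption: slack for log timestamp/jitter

# Constructed sample: (timestamp, state). Not real Firebox log lines.
EVENTS = [
    ("2024-03-04 06:00:00", "up"),
    ("2024-03-04 14:01:30", "down"),   # ~8h after up
    ("2024-03-04 14:20:00", "up"),     # tunnel back after modem reboot
    ("2024-03-05 06:22:10", "down"),   # ~16h after up
    ("2024-03-05 06:40:00", "up"),
    ("2024-03-05 09:15:00", "down"),   # ~2.5h after up: not a rekey boundary
]

Event = Tuple[datetime, str]
Finding = Tuple[datetime, timedelta, int]   # (drop time, uptime, rekey multiple or 0)


def parse_events(rows: List[Tuple[str, str]]) -> List[Event]:
    """Convert the string rows into (datetime, state) tuples, in order."""
    out = []
    for ts, state in rows:
        if state not in ("up", "down"):
            raise ValueError(f"unexpected state {state!r}")
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), state))
    return out


def correlate_with_rekey(events: List[Event],
                         lifetime: timedelta = REKEY_LIFETIME,
                         tolerance: timedelta = TOLERANCE) -> List[Finding]:
    """For each 'down', compute uptime since the preceding 'up' and the rekey
    multiple k it is nearest to. The third field is k if the drop is within
    tolerance of k * lifetime (k >= 1), otherwise 0."""
    findings: List[Finding] = []
    last_up = None
    for ts, state in events:
        if state == "up":
            last_up = ts
            continue
        if last_up is None:
            continue  # a 'down' with no preceding 'up' cannot be scored
        uptime = ts - last_up
        k = round(uptime / lifetime)          # nearest rekey multiple
        on_boundary = k >= 1 and abs(uptime - k * lifetime) <= tolerance
        findings.append((ts, uptime, k if on_boundary else 0))
        last_up = None
    return findings


def rekey_aligned_fraction(findings: List[Finding]) -> float:
    """Share of drops that landed on a rekey boundary (0.0 if no drops)."""
    if not findings:
        return 0.0
    return sum(1 for _, _, k in findings if k) / len(findings)


if __name__ == "__main__":
    results = correlate_with_rekey(parse_events(EVENTS))
    for when, uptime, k in results:
        tag = f"rekey boundary #{k}" if k else "not on a rekey boundary"
        print(f"{when}  uptime {uptime}  {tag}")
    print(f"{rekey_aligned_fraction(results):.0%} of drops aligned with rekey")
```

If most drops score a non-zero multiple, the rekey explanation holds and the next question is which side initiated that rekey; if they do not, the timer is not the trigger and the in-path device remains the more likely cause. Two drops at different multiples (1 and 2 here) are expected, since a successful rekey does not appear as a 'down' event.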