BOVPN problem

Good evening,

we have enabled a site to site tunnel (branch office gateway), everything seems to work except for https proxy, as soon as I activate the policy even without DPI my firebox no longer reaches any site.



  • What is in your From: and To: fields on the HTTPS proxy policy?

    What is the order number of this policy?

    Is this a standard BOVPN or one that uses BOVPN Virtual interfaces?

    Enable Logging on this policy so that you see Allow log entries in traffic monitor for traffic allowed by this policy.
    This may help understand the issue.

  • Hi Bruce,

    the HTTPS-proxy policy is in automatic order, from an alias (network ip) to any-external, the BOVPN is standard without virtual interface, logging and debugging on the policy are already activated

  • From what you have said, I see no reason for the results that you see.

    Can you access a site by IP addr? If so, then perhaps it is a DNS issue that is not obvious.

    You must have some other policy which allows HTTP & HTTPS. Is logging enabled on that one too? If so, do you see allowed HTTPS (TCP 443) from that policy when the new HTTPS proxy is enabled?

    If there is nothing in your logs to help understand this, you should open a support case on this.

  • Hi Bruce,

    even with IP you can't open the site, I also thought about the DNS problem, but instead I manage to ping and resolve the site.

    I think it's more a tunnel encapsulation problem, on the other hand we don't have a watchguard but a mikrotik routerboard.

    I've already opened a ticket about it, thanks for now

  • Is this a zero route BOVPN - where all traffic from the remote site goes via the main site firewall?

    If so, which end is the remote site?

  • yes, what do you mean know by remote site end?

  • From which end (Mikrotik or WG) does all traffic go to the other end, and then to the Internet?

    I'm trying to understand exactly what you have set up.
    Seems that I am missing some details...

  • Mikrotik ---> Watchguard

  • edited November 2023

    So, once the HTTPS proxy is added to Fireware, no traffic from the Mikrotik goes to the Internet, other than Ping/tracert?

  • that's right, ping and tracert are ok

  • More details about the alias (network IP) on the HTTPS proxy policy.
    Exactly what is the network IP, including subnet mask.
    Where is this network IP located? On the Microtek or the WG?

  •, located in watchguard

  • is not normally a routable IP addr.
    Please explain this.


  • What subnet(s) are on the Microtek end in your BOVPN setup?

  • edited November 2023
    The same subnet can’t be on both ends without using 1-to-1 NAT settings in the BOVPN Tunnel setting
  • edited November 2023

    Do note that much of the info that you have eventually supplied would have been helpful to know in your initial post.

    Make sure that support know this info as well.

  • Hi Bruce,

    to update, technical support solved the problem, basically they made us enable:

    1) on the extenal port, in the Advanced section, D'ont Fragment (DF) bit Setting for IPSCE from Copy to Clear

    2) inside Globa setting, Networking section, TCP MTU Probing from Disabled to Alway enabled

    Everything seems to have started now, now I'll do 6 more tests but it seems ok.


  • Thanks for the update

Sign In to comment.