BOVPN Randomly Dropping

I have a client that has two locations. The main location has a M290 and Spectrum Business and the secondary location has a T35 and Spectrum Business. The BOVPN will randomly drop, and I have to reboot the M290 for the tunnel to connect again. Rebooting the T35 does not restore the tunnel. I contacted WG support, and they said to reboot the Spectrum modem and not the firewall when the BOVPN goes down again. When the tunnel went down last week, I rebooted the Spectrum modem at the main location, and the BOVPN came back up. I called Spectrum support, and they said nothing was wrong with their modem and router. However, Spectrum is going to replace the modem and router today. The Internet works fine at both locations when the BOVPN goes down. Spectrum has a router between the modem and M290 that serves as the gateway. Both locations have a static IP address on the WAN side of the firewalls. Has anybody run into this issue before?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @kwhood67

    Based on what you're saying, the tunnel fails to rekey. There are quite a few reasons this can happen:

    -If one (or both) of the sides has a dynamic IP, and the rekeying side can't reach the other.

    -If there is a config mismatch between the two sides.

    -If there is anything in-between that is touching or modifying the connection, this may cause problems. For example, some ISP devices have an "ESP-ALG" that will attempt to re-write the SPI headers in the IPsec tunnel. The firewall uses the SPI to identify the tunnel, so this unexpectedly changing or being incorrect can cause issues.

    The logs from your firewalls will provide more information, so if you have a case open with support already, this is probably the best way to move forward.

    -James Carson
    WatchGuard Customer Support
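    The SPI point above is easiest to see on the wire. The following is an added example, not code from this thread or from WatchGuard: it parses the RFC 4303 ESP header (32-bit SPI, 32-bit sequence number), models a middlebox that rewrites the SPI in transit, and shows how a receiver that only knows its installed inbound SAs ends up dropping every rewritten packet as "unknown SPI". The SA table, peer address (203.0.113.10, from the documentation range), SPI values and the ten-packet stream are all constructed for the demonstration; the replay check is a simplified "strictly increasing" rule rather than a real anti-replay window.

```python
import struct
from collections import Counter

# RFC 4303 ESP header: 32-bit SPI followed by 32-bit sequence number, network byte order.
ESP_HEADER = struct.Struct("!II")


def parse_esp_header(packet: bytes) -> dict:
    """Split an ESP packet into SPI, sequence number and the opaque (encrypted) remainder."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short to carry an ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    return {"spi": spi, "seq": seq, "payload": packet[ESP_HEADER.size:]}


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed test packet: ESP header plus an arbitrary payload standing in for ciphertext."""
    return ESP_HEADER.pack(spi, seq) + payload


def rewrite_spi(packet: bytes, new_spi: int) -> bytes:
    """Model of a middlebox 'ESP-ALG' that rewrites the SPI field while forwarding."""
    hdr = parse_esp_header(packet)
    return build_esp(new_spi, hdr["seq"], hdr["payload"])


def classify_inbound(packet: bytes, sa_table: dict) -> str:
    """Mimic the receiver: the SPI must match an installed inbound SA, else the packet is dropped.

    sa_table maps SPI -> {"peer": str, "last_seq": int}. The sequence check here is a
    simplified strictly-increasing rule, not a full anti-replay window.
    """
    hdr = parse_esp_header(packet)
    sa = sa_table.get(hdr["spi"])
    if sa is None:
        return "unknown_spi"          # what a rewritten SPI looks like to the firewall
    if hdr["seq"] <= sa["last_seq"]:
        return "replayed_or_reordered"
    sa["last_seq"] = hdr["seq"]
    return "accepted"


def run_scenario(alg_active: bool) -> Counter:
    """Send ten packets over one constructed inbound SA, with or without a rewriting middlebox.

    When alg_active is True the middlebox starts rewriting the SPI from packet 6 onward,
    so the second half of the stream no longer matches any installed SA.
    """
    sa_table = {0xC0FFEE01: {"peer": "203.0.113.10", "last_seq": 0}}  # constructed SA
    results = Counter()
    for seq in range(1, 11):
        pkt = build_esp(0xC0FFEE01, seq, b"\x00" * 32)
        if alg_active and seq > 5:
            pkt = rewrite_spi(pkt, 0xDEADBEEF)  # constructed "wrong" SPI
        results[classify_inbound(pkt, sa_table)] += 1
    return results


if __name__ == "__main__":
    print("clean path:     ", dict(run_scenario(alg_active=False)))
    print("with ESP-ALG:   ", dict(run_scenario(alg_active=True)))
```

    Run stand-alone it prints the accepted/dropped counts for both paths. In practice the same comparison is what you want from a packet capture on the firewall's external interface: if the SPI seen on the wire differs from the SPI the peer's IKE logs say it is sending, something between the two firewalls is rewriting it.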

  • James, the tunnel fails to rekey, and both firewalls have static IP addresses from Spectrum Business. WatchGuard Support has viewed the configs on both firewalls, and we enhanced IKE logging. They found nothing. Spectrum just replaced their modem and gateway today. Why would rebooting just the modem bring the tunnel back? There is a gateway between the firewall and modem.

  • james.carson Moderator, WatchGuard Representative

    Hi @kwhood67
    If rebooting just the ISP modem brings the tunnel back, that would suggest that something on the ISP device might be causing the problem. I would definitely suggest seeing if the ISP's modem has any kind of interface you can access, and if so, are there any settings like ESP-ALG that might be modifying traffic.

    -James Carson
    WatchGuard Customer Support

  • Hi. I have been facing the same issue on my side for the past 2 months. WatchGuard already remoted in and checked the configuration, and they didn't find anything wrong on the configuration side. Also, the technician from the ISP side checked the configuration and all looks good. Plus, he changed the modem too. But the issue was never solved at all.

  • james.carson Moderator, WatchGuard Representative

    @QRA
    I'd suggest replying to the case you already have open and telling the technician you're working with that you're still having the issue -- they can review and/or escalate the case as needed.

    -James Carson
    WatchGuard Customer Support

  • edited December 2023

    Has anyone been able to resolve this issue? I have the same problem between the UK (Hyperoptic static IP) and Barbados (Flow Business static IP). Normal internet works, but an ISP router (Flow, Barbados end) reboot is required for the VPN tunnels to be able to re-establish. I have asked them about ESP-ALG and am waiting for their comments.
