IKEv2 VPN Keeps Disconnecting

Model: T70
Version: 12.5.9.B6555924

Colleagues report that their VPN connection to the office experiences frequent disconnections (e.g. after 3 minutes of connection), regardless of timeout settings (which have already been set to 5+ hours).

IKEv2 is used for the VPN.

They use Windows 10-11 and installed the VPN profile in the built-in Windows VPN connection settings.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Peter_T
    I'd suggest starting by upgrading your firewall to the latest version of Fireware. There are multiple fixes between 12.5.9 and 12.10.4 that fix various performance issues related to both the SSLVPN and IKEv2 VPN.

    You can find the latest software for the T70 here:
    (Software for Firebox T70)
    https://software.watchguard.com/SoftwareDownloads?current=true&familyId=a2R2A000002EW9zUAG

    You should at minimum check your firewall for the presence of Cyclops Blink and upgrade your device to 12.7.2 update 2. You can do this even if you do not have an active support contract for this firewall.

    See: https://detection.watchguard.com/

    -James Carson
    WatchGuard Customer Support

  • Good morning @james.carson

    I would like to know how Cyclops Blink affects the VPN connection.
    Thank you.

  • It probably doesn't.

    Any WG firewall which is running a version prior to 12.7.2 update 2 should be checked to see if it has the Cyclops Blink infection.
    If so, then do the remediation and upgrade at a minimum to the free 12.7.2 update 2 version which prevents a future Cyclops Blink infection.
    If not, then upgrade at a minimum to the free 12.7.2 update 2 version.

  • Fixes related to the IKEv2 client connection since V12.5.9:
    . V12.10.4 - This release resolves an issue that caused Mobile VPN with IKEv2 Phase 1 rekeys to reset user authentication session timeouts for connections authenticated with RADIUS. [FBX-27193]
    . V12.9.2 - This release resolves a Host Sensor enforcement issue for groups with Mobile VPN with SSL and Mobile VPN with IKEv2. [FBX-21799]
    . V12.8 Update 1 - This release resolves a Mobile VPN with IKEv2 Dead Peer Detection (DPD) stability issue. [FBX-23104]
    . V12.6.2 - Mobile VPN with IKEv2 user sessions are now cleared correctly if there are no matching phase 1 SAs for the user. [FBX-19890]

  • james.carson Moderator, WatchGuard Representative

    @Peter_T
    Cyclops Blink isn't related to your issue. I'm required to mention it if I see a customer running a vulnerable version.

    -James Carson
    WatchGuard Customer Support
