BOVPN tunnel issue

Hi everyone!!

We're having an issue regarding a client's BOVPN setup. The client has a BOVPN gateway successfully established, and one tunnel is up and functioning. However, when attempting to add a specific host-to-host tunnel, the tunnel remains inactive, displaying the following error message:

"Message retry timeout. Check the connection between local and remote gateway endpoints."

We have already tried re-keying the tunnel, but the issue persists.

Comments

  • The 172.168.46.80 tunnel is up and working.
    But unfortunately, the 172.168.46.41 and 172.168.46.138 tunnels won't come up. Here is the configuration on the remote side.

  • What is the device on the remote end?

    Any logs on the remote end to help understand this?

    You can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    Set the slider to Information or higher

    In the Web UI: System -> Diagnostic Log -> VPN -> SSL.
    Click the down arrow and select Information

    Also, here are options which may show something to help:
    - Web UI -> System Status -> VPN Statistics, click the Debug button
    - FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

  • james.carson Moderator, WatchGuard Representative

    Message retry timeout means that the firebox is attempting to start the tunnel, and the distant end is not responding.

    This can be due to a misconfiguration (perhaps an IP address is wrong) or may be due to the traffic being mis-routed or dropped.

    I would suggest checking the distant end to see if you're receiving these messages on that firewall, and if it is responding.

    -James Carson
    WatchGuard Customer Support
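The two replies above both come down to one question: are the IKE messages the Firebox sends actually arriving at the remote gateway, and is that gateway answering? The script below is an added example (not from this thread, not WatchGuard or Fortinet code) that reads tcpdump-style summary lines for UDP 500/4500 and reports whether the exchange between the two gateway addresses is two-way, one-way, or absent. The gateway addresses (203.0.113.10, 198.51.100.20) are hypothetical documentation addresses, and the sample capture text is constructed; only the `IP src.port > dst.port:` header is parsed, the ISAKMP text after it is an approximation of tcpdump's rendering.

```python
"""Classify an IKE exchange captured at one point (e.g. the remote gateway's WAN side).

Added example, not code from the thread or from either vendor. Input is constructed
tcpdump-style text such as `tcpdump -n udp port 500 or udp port 4500` would print.
"""
import re
from collections import Counter

# UDP ports used by IKE (500) and IKE/ESP with NAT traversal (4500).
IKE_PORTS = {500, 4500}

# Matches the "IP a.b.c.d.port > e.f.g.h.port:" header of a tcpdump -n summary line.
HEADER_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)


def parse_ike_packets(capture_text):
    """Return a list of (src_ip, dst_ip) for each UDP 500/4500 packet in the text."""
    packets = []
    for line in capture_text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        # Drop anything that is not IKE (the sample below includes one such line).
        if sport in IKE_PORTS and dport in IKE_PORTS:
            packets.append((src, dst))
    return packets


def classify_exchange(capture_text, local_gw, remote_gw):
    """Summarise IKE traffic between two gateways as seen at the capture point.

    Returns (verdict, outbound_count, inbound_count) where verdict is one of:
      'two-way'      both directions seen; IKE reaches both peers
      'one-way'      only local_gw -> remote_gw; the peer never answers, which is the
                     pattern behind the Firebox "Message retry timeout" message
      'inbound-only' only remote_gw -> local_gw; the peer initiates and we stay silent
      'none'         no IKE packets between the two addresses at all
    """
    counts = Counter(parse_ike_packets(capture_text))
    outbound = counts[(local_gw, remote_gw)]
    inbound = counts[(remote_gw, local_gw)]
    if outbound and inbound:
        verdict = "two-way"
    elif outbound:
        verdict = "one-way"
    elif inbound:
        verdict = "inbound-only"
    else:
        verdict = "none"
    return verdict, outbound, inbound


# Constructed sample captures using RFC 5737 documentation addresses (hypothetical).
LOCAL_GW = "203.0.113.10"    # hypothetical Firebox external address
REMOTE_GW = "198.51.100.20"  # hypothetical FortiGate external address

# Quick-mode request answered by the peer: a healthy Phase 2 negotiation.
HEALTHY_CAPTURE = """\
10:00:00.000100 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
10:00:00.030200 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick
10:00:00.031000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
"""

# Three retries with no reply, plus one non-IKE line the filter must ignore.
SILENT_PEER_CAPTURE = """\
10:05:00.000100 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
10:05:05.000100 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
10:05:10.000100 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
10:05:11.000100 IP 203.0.113.10.443 > 198.51.100.20.443: Flags [S], seq 1, length 0
"""

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("silent peer", SILENT_PEER_CAPTURE)):
        verdict, out, back = classify_exchange(cap, LOCAL_GW, REMOTE_GW)
        print(f"{name}: {verdict} (outbound={out}, inbound={back})")
```

Run the same classification on captures taken at both ends. If the local side shows `one-way` but the remote side shows `none`, the IKE packets are being dropped or mis-routed in between; if the remote side also shows `one-way` (it receives but never answers), the problem is on the remote gateway's configuration, which is the distinction the reply above asks you to make.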

  • Hi @Bruce_Briggs, FortiGate is the device on the remote end. As per their admin, all configuration is the same as the tunnel (192.168.46.80) which is currently up and working.

    The only error I can see is the error message "Check the connection between local and remote gateway endpoints."

  • @james.carson said:
    Message retry timeout means that the firebox is attempting to start the tunnel, and the distant end is not responding.

    This can be due to a misconfiguration (perhaps an IP address is wrong) or may be due to the traffic being mis-routed or dropped.

    I would suggest checking the distant end to see if you're receiving these messages on that firewall, and if it is responding.

    Noted on this. Thank you, and we will update you on the progress.

  • As of now, WatchGuard Support has recommended that we upgrade the firmware of the WatchGuard device, which is running 12.5. We will update you if the issue persists after upgrading. The firmware upgrade is scheduled for November 5, 2024.

    Thank you

  • edited October 30

    V12.5 ?
    The latest version for a M470 is v12.10.4 Update 2
