BOVPN Rekey - Should you see packetloss?

Hi,
Maybe a quick one: when a BOVPN rekeys, after the 24-hour key expiry, is it normal to see packet loss?
Have seen this occur between multiple different WatchGuards (T40s, M270s, M470s) using IKEv2; our Nagios XI monitoring fires off a heap of notifications.

It's been going on for quite a while, but usually we manually rekey once, after hours (i.e. 10pm) when notifications are not occurring, so it's not a big issue.

However, if we do experience a network issue on a Saturday/Sunday or at any other time and the BOVPN has to rekey, whatever time it rekeys will be the recurring period 24 hours later. If it's during business hours we see an impact.

Has anyone else experienced this?

Regards,
Ben

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Ben_G

    When the firewall rekeys there may be a blip in your network traffic while that happens. The firewall will attempt to rekey before the tunnel goes down in order to minimize this -- but if you happen to be sending more traffic than the firewall can buffer you may see dropped traffic.

    The only real workaround for this is to adjust your SA life and rekey times so that the tunnel only rekeys during low usage times (as you've done.) I wouldn't suggest setting a rekey time or SA life over 24 hours.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    Hi @Ben_G

    When the firewall rekeys there may be a blip in your network traffic while that happens. The firewall will attempt to rekey before the tunnel goes down in order to minimize this -- but if you happen to be sending more traffic than the firewall can buffer you may see dropped traffic.

    The only real workaround for this is to adjust your SA life and rekey times so that the tunnel only rekeys during low usage times (as you've done.) I wouldn't suggest setting a rekey time or SA life over 24 hours.

    Hi James, Thanks for the response.

    How much traffic can be buffered by the firewall? The main issue we have is on a BOVPN between an M470 and an M270 which isn't high bandwidth; it's mainly SIP, RDP, LDAP, not really bandwidth-intensive traffic.

    Unfortunately, the network drop is much longer than a blip (1-2 seconds), as our monitoring (Nagios XI) is notifying of an outage every time, and the way it's set up it only does this if there's packet loss > 80% over a 3-minute period (it checks every minute, 3 times, if a problem is detected, before sending out a notification).

    I'll try and run a ping plotter over the period it's dropping to find out exactly how long the packet loss is occurring for, but it's definitely much longer than a blip.
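The quickest way to settle "blip or outage" is to measure it from a continuous ping across the tunnel and compare the result with what the monitoring rule can actually detect. The script below is an added example written for this thread; it is not code from the forum, from Nagios, or from WatchGuard. It parses raw `ping` output (the sample is constructed, not a real capture), groups lost probes into outages with their duration, and computes the shortest continuous outage that a rule of the kind described in the post (a check every 60 s, three consecutive CRITICAL results, loss above 80%, with an assumed 5 pings per check) could report at all. All of those rule parameters are assumptions for illustration.

```python
"""Measure tunnel outages from raw `ping` output and check them against a
Nagios-style "N consecutive checks over X% loss" rule.

Added example for the thread above; not code from the forum or from WatchGuard.
SAMPLE_PING_OUTPUT is constructed, and the rule parameters are assumptions
taken from the post (checks every 60 s, 3 attempts, loss > 80%, 5 pings/check).
"""
import math
import re
from dataclasses import dataclass

# Reply lines (Linux and macOS/BSD ping both print "icmp_seq=N ttl=T time=").
REPLY_RE = re.compile(r"icmp_seq[= ](\d+) ttl=\d+ time=")
# Explicit timeout lines (macOS/BSD); Linux prints nothing for a lost probe,
# so gaps in the sequence numbers are also treated as losses below.
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq[= ](\d+)")

# Constructed sample: a 1-second ping across the tunnel with two loss runs,
# one reported with timeout lines (seq 3-9) and one as a silent gap (seq 13-15).
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.0.2.10: icmp_seq=1 ttl=63 time=12.1 ms
64 bytes from 10.0.2.10: icmp_seq=2 ttl=63 time=11.9 ms
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
64 bytes from 10.0.2.10: icmp_seq=10 ttl=63 time=13.4 ms
64 bytes from 10.0.2.10: icmp_seq=11 ttl=63 time=12.0 ms
64 bytes from 10.0.2.10: icmp_seq=12 ttl=63 time=12.2 ms
64 bytes from 10.0.2.10: icmp_seq=16 ttl=63 time=12.3 ms
64 bytes from 10.0.2.10: icmp_seq=17 ttl=63 time=11.8 ms
"""


@dataclass(frozen=True)
class Outage:
    first_lost_seq: int
    last_lost_seq: int

    @property
    def lost(self) -> int:
        return self.last_lost_seq - self.first_lost_seq + 1

    def seconds(self, interval_s: float = 1.0) -> float:
        """Approximate duration: consecutive lost probes times the send interval."""
        return self.lost * interval_s


def parse_ping(text: str) -> dict:
    """Map every icmp_seq between the first and last seen to True (reply) or
    False (timeout line, or missing from the output entirely)."""
    seen = {}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen[int(m.group(1))] = True
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            seen[int(m.group(1))] = False
    if not seen:
        return {}
    return {seq: seen.get(seq, False) for seq in range(min(seen), max(seen) + 1)}


def outages(results: dict) -> list:
    """Group runs of consecutive lost probes into Outage records."""
    found, start, last = [], None, None
    for seq in sorted(results):
        if not results[seq]:
            start = seq if start is None else start
            last = seq
        elif start is not None:
            found.append(Outage(start, last))
            start = None
    if start is not None:
        found.append(Outage(start, last))
    return found


def min_outage_to_alert(check_interval_s=60.0, max_check_attempts=3,
                        pings_per_check=5, ping_spacing_s=1.0,
                        loss_threshold_pct=80, strictly_greater=True) -> float:
    """Shortest continuous outage (seconds) that can turn max_check_attempts
    consecutive checks CRITICAL. A check is CRITICAL when its lost share
    exceeds (or, with strictly_greater=False, reaches) loss_threshold_pct.
    The tightest case loses the *last* probes of the first check and the
    *first* probes of the final check, with every check in between fully lost."""
    need = pings_per_check * loss_threshold_pct / 100
    lost_needed = math.floor(need) + 1 if strictly_greater else math.ceil(need)
    lost_needed = min(lost_needed, pings_per_check)  # cannot lose more than sent
    span = (max_check_attempts - 1) * check_interval_s
    span += (2 * lost_needed - pings_per_check - 1) * ping_spacing_s
    return max(span, 0.0)


def could_have_alerted(outage_s: float, **rule) -> bool:
    """True if an outage of outage_s seconds is long enough for the rule to fire."""
    return outage_s >= min_outage_to_alert(**rule)


def summarize(text: str, interval_s: float = 1.0) -> list:
    """Return (first_seq, last_seq, seconds) for each outage in the ping output."""
    return [(o.first_lost_seq, o.last_lost_seq, o.seconds(interval_s))
            for o in outages(parse_ping(text))]


if __name__ == "__main__":
    for first, last, secs in summarize(SAMPLE_PING_OUTPUT):
        print(f"loss from icmp_seq {first} to {last}: {secs:.0f} s, "
              f"rule could alert: {could_have_alerted(secs)}")
    print(f"shortest outage the assumed rule can report: {min_outage_to_alert():.0f} s")
```

Run it against the output of `ping -i 1 <far-side host>` captured across the rekey window. With the assumed rule the shortest outage that can produce three consecutive CRITICAL checks is about two minutes, so a genuine 1-2 second blip cannot trigger it; if the notifications are real, the loss run in the ping capture should be at least that long. The duration is estimated from the probe interval; on Linux `ping -D` adds a timestamp to each line if you want the exact start and end times.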

  • james.carson Moderator, WatchGuard Representative

    @Ben_G it depends on available memory on the firewall (as far as I'm aware.) I'd suggest opening a support case if it's causing problems -- our support reps can help to see if there is any way to reduce it or see if the firewall is acting abnormally.

    You can create a support case via the support center button at the top right of this page.

    -James Carson
    WatchGuard Customer Support
