VPN Problems with new WG T-Models and Fireware 2025.1.2
Hello,
we got a lot of trouble with the new T145 and Fireware 2025.1.2.
So far we did a lot of tests and every time we have the same problem with the VPN Upload (BOVPN and MUVPN) speed.
What we did and tried so far:
1. Took the configuration file from a functional T55 with Fireware 12.11.4. Changed the Firewall model and the Feature Key and imported the configuration to the T145.
-> Problem: Upload speed over VPN very slow. And when I say slow I mean kb/s or no speed!
2. We took the configuration file then from the T145 and did an Import to a M270 with Fireware 12.11.4.
-> No Problem on the M270. Full VPN Speed in upload and download.
3. We reset the T145 to Factory default and configured a new configuration.
-> Problem: Upload speed over VPN again very slow.
4. We bought a new T145. Configured the box this time with Cloud Management. Configured the BOVPN to a Firebox T45 with Fireware 12.11.4.
-> Problem: Upload speed over VPN again very slow.
And we also followed the Best Practice Guide from WatchGuard for BOVPN!
Has somebody else BOVPN Upload Problems with the new devices and Fireware 2025.11.2?
Comments
You should open a support case on this to get WG help in understanding & resolving it
Already did over two weeks ago.
Still investigating.
But I also want to know if others have this problem with the new Fireboxes (or only T145) with Firmware 2025.1.2
WatchGuard Support helped us in identifying the root cause, which seems to be traffic from a MUVPN Client passing through an HTTP Proxy Policy.
Workaround in this case was to re-enable the default MUVPN Policy and put it on top of the list (manual order).
We have not yet had troubles with BOVPN.
How has your Internet connection been established? PPPoE?
WatchGuard gave us the commands
diagnose vpn "/ike/param/set xdo_max_bovpn 0 action now"
and
diagnose vpn "/ike/restart"
and after that I have full BOVPN Speed in Upload.
Those appear to be CLI commands
So finally I can say
the CLI commands solved the Problem.
However, the reason is unknown. I hope they found the source problem and fix this in the next Fireware.
This is changing a specific mode for BOVPNs. I would not recommend using this command unless you are specifically instructed to do so by WatchGuard Support.
-James Carson
WatchGuard Customer Support
All right, we have the same problems. Existing tunnel between two WG units, one was replaced by T145 and configuration file imported. Tunnel works for a while but then goes to abysmal speeds. IPv6 over IPv4 (BOVPN interface mode) totally broken, no ping replies anymore after replacing the unit. IPv4, slow.
Made a backup tunnel with two VM appliances and static routes, disabled the WG VPN, enabled the drop routes option in VPN general, all okay, great speeds.
So the report by PTec isn't specific - it's happening on more than one environment.
@james.carson - can you please confirm that this is a known issue with the unit/firmware? Will there be a fix soon? Is the posted workaround OK to use?
I can't make a case at the moment and test as this is a 24/7 production environment and I can't break the current backup tunnel setup.
We have two ordered T145s here at HQ that need to go to customers with BOVPN tunnels; after reading this topic we'll postpone rollout until there is clarity in this issue.
To clarify: we had the issue on the new Customer T145 and on our T145 NFR. I tested with different BOVPN Endpoints and different settings.
diagnose vpn "/ike/param/set xdo_max_bovpn 0 action now" just sets the number of allowed VPN tunnels to unlimited, how does that fix the problem? Is there something wrong with the default value?
WG told me that the command switches from Hardware to Software acceleration.
@SMSTECH I don't have enough information on whatever issue you're running into to determine if you're running into a hardware issue, a bug, or a misconfiguration.
If you're looking for that info, I'd suggest opening a support case. One of our support reps can look into your issue and provide a more complete answer.
-James Carson
WatchGuard Customer Support
@Vuurdoos The command diagnose vpn "/ike/param/set xdo_max_bovpn 0 action now" tells the Firebox to disable inline crypto mode. The command does not decrease or disable any BOVPN tunnels on the Firebox. Just how they're processed.
-James Carson
WatchGuard Customer Support