Monitor and Troubleshoot BOVPN Tunnels
Branch office VPN (BOVPN) tunnels require a reliable connection and the same VPN configuration settings on both VPN endpoints. A configuration error or network connectivity issue can cause problems for branch office VPN tunnels.
Monitor VPN Tunnel Status
To monitor the current status of branch office VPN tunnels from Fireware Web UI, select System Status > VPN Statistics. Click a gateway or tunnel to see its status and, if the tunnel connection failed, any VPN diagnostic messages. From this page, you can also force a re-key of a VPN tunnel or run the VPN Diagnostic Report for a VPN gateway.
For more information about how to monitor the VPN status from Fireware Web UI, see VPN Statistics.
When you are connected to a Firebox, you can monitor the status of branch office VPN tunnels from the Front Panel tab in Firebox System Manager, or the Device Status tab in WatchGuard System Manager. Expand a gateway to see the gateway and tunnel status and, if a tunnel connection failed, any VPN diagnostic messages. In Firebox System Manager, right-click a gateway to run the VPN Diagnostic Report or force a re-key of all associated tunnels.
For more information about how to monitor VPN status in Firebox System Manager, see VPN Tunnel Status and Subscription Services.
Use VPN Diagnostic Messages and Reports
To troubleshoot the cause of a branch office VPN tunnel problem, you can:
- Use VPN Diagnostic Messages
- Use the VPN Diagnostic Report
- Use the BOVPN Configuration Reports
- Filter Branch Office VPN Log Messages
If you have confirmed that both branch office VPN endpoints are enabled and that the VPN settings match, but the VPN still does not operate correctly, consider the other conditions that can cause problems with a branch office VPN, and the actions you can take to improve the availability of the VPN.
For more information, see Improve Branch Office VPN Tunnel Availability.
Monitor the Responder
When you configure a VPN, the tunnel is not established until the Firebox needs to route traffic through the tunnel. The gateway endpoint that first attempts to route traffic through the tunnel initiates tunnel negotiation. For any branch office VPN negotiation, each gateway endpoint has one of two roles:
- The initiator is the endpoint that starts the tunnel negotiation. It sends phase 1 and phase 2 proposals to the remote endpoint to start the negotiation.
- The responder receives VPN phase 1 and phase 2 proposals and accepts or rejects the proposals, based on whether they match the locally configured settings.
When you troubleshoot a branch office VPN, it is most useful to look at VPN diagnostic messages and run the VPN Diagnostic Report on the responder. Because the responder has information about both the settings proposed by the initiator and the locally configured settings, the VPN diagnostic messages and the VPN Diagnostic Report on the responder provide more complete information.
If the BOVPN uses IKEv2, diagnostic log messages from the responder contain more complete information about settings that do not match. For more information about IKEv2 settings, see Configure IPSec VPN Phase 1 Settings.
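The following added example, which is not Fireware code and not part of this page, models why the responder can produce more complete diagnostics than the initiator. The field names and the sample values are constructed for the illustration, and the model treats every Phase 1 field as must-match, which is a simplification of real IKE negotiation:

```python
"""Added illustration (not WatchGuard/Fireware code) of initiator and responder roles.

The responder holds both the proposal it received and its own local settings,
so it can name every field that does not match. The initiator only learns
whether its proposal was accepted. Field names and values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Settings:
    """A constructed, simplified Phase 1 proposal (not the Firebox's own format)."""
    version: str          # "IKEv1" or "IKEv2"
    encryption: str       # e.g. "AES256"
    authentication: str   # e.g. "SHA2-256"
    dh_group: int         # Diffie-Hellman group number


FIELDS = ("version", "encryption", "authentication", "dh_group")


def responder_evaluate(local, proposed):
    """Responder role: compare the initiator's proposal with the local settings.

    Returns (accepted, diagnostics). Each diagnostic line names the field and
    shows both sides' values, which only the responder can do.
    """
    mismatches = []
    for name in FIELDS:
        mine = getattr(local, name)
        theirs = getattr(proposed, name)
        if mine != theirs:
            mismatches.append(f"{name}: proposed={theirs!r} local={mine!r}")
    return (not mismatches, mismatches)


def initiator_view(accepted):
    """Initiator role: it sees only the outcome, not the remote configuration."""
    if accepted:
        return "proposal accepted"
    return "proposal rejected by remote endpoint (remote settings not visible here)"


if __name__ == "__main__":
    # Constructed sample: the two endpoints disagree on cipher and DH group.
    local = Phase1Settings("IKEv2", "AES256", "SHA2-256", 14)
    proposed = Phase1Settings("IKEv2", "AES128", "SHA2-256", 20)
    ok, diag = responder_evaluate(local, proposed)
    print("responder:", "accepted" if ok else "rejected")
    for line in diag:
        print("  ", line)
    print("initiator:", initiator_view(ok))
```

Run on the constructed sample, the responder lists the encryption and DH group mismatches with both values, while the initiator only sees that its proposal was rejected. This is the practical reason to collect diagnostic messages and the VPN Diagnostic Report from the responder.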
To make your Firebox the responder when you monitor tunnel negotiations, you can:
- Get a device on the remote network to attempt to send traffic through the tunnel.
- Ask the administrator of the remote gateway endpoint to force a rekey of the tunnel.
For more information about IPSec VPN negotiations, see About IPSec VPN Negotiations.
About Tunnel Route Limits
It is possible to configure more branch office VPN tunnel routes than the number of active tunnel routes your Firebox can support. A Firebox cannot establish branch office VPN tunnel routes that exceed the maximum number allowed by the license in the feature key. If the device attempts to establish a BOVPN tunnel that would exceed the limit, this message appears in the log file:
License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels.
A warning also appears in Firebox System Manager on the Front Panel tab, and in Fireware Web UI on the System Status > VPN Statistics page.
For more information about tunnel license limits and warnings, see VPN Tunnel Capacity and Licensing.
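As an added example that is not part of this page or of any WatchGuard tool, the script below scans exported Firebox log text for the tunnel-limit enforcement message quoted above and summarizes how often, and when, each device hit the limit. Only the message text itself comes from the page; the timestamp/hostname prefix of the sample lines and the lines themselves are constructed for the example:

```python
"""Added example (not WatchGuard code): detect BOVPN tunnel-limit enforcement
messages in exported Firebox log text and summarize them per device.

The message string is the one quoted in the documentation. The line layout
(timestamp, hostname, message) and every sample line are constructed
assumptions, not real Firebox output.
"""
import re
from collections import defaultdict

# Exact text of the enforcement message from the documentation.
LIMIT_MSG = "License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels."

# Constructed sample log; only the LIMIT_MSG lines matter to the scan.
SAMPLE_LOG = """\
2024-05-01T08:00:01 fw1 iked: BOVPN tunnel negotiation started (constructed line)
2024-05-01T08:00:05 fw1 License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels.
2024-05-01T08:00:06 fw1 iked: unrelated message (constructed line)
2024-05-01T09:15:22 fw1 License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels.
2024-05-01T09:16:00 fw2 License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels.
"""

# Assumed line layout: <timestamp> <hostname> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def find_tunnel_limit_events(log_text):
    """Return a list of (timestamp, host) for every line carrying LIMIT_MSG."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and LIMIT_MSG in m.group("msg"):
            events.append((m.group("ts"), m.group("host")))
    return events


def summarize(events):
    """Per host: count, first and last timestamp the limit was reached.

    Timestamps are compared as strings, which is valid for the ISO 8601
    layout assumed above.
    """
    per_host = defaultdict(list)
    for ts, host in events:
        per_host[host].append(ts)
    return {
        host: {"count": len(stamps), "first": min(stamps), "last": max(stamps)}
        for host, stamps in per_host.items()
    }


if __name__ == "__main__":
    events = find_tunnel_limit_events(SAMPLE_LOG)
    for host, info in sorted(summarize(events).items()):
        print(f"{host}: hit BOVPN tunnel limit {info['count']}x "
              f"(first {info['first']}, last {info['last']})")
```

A device that appears in this summary repeatedly is configuring more tunnel routes than its feature key allows; the fix is to reduce the configured routes or obtain a license with a higher limit, not to retry the negotiation.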
Other Troubleshooting Tools
If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.