Monitor and Troubleshoot BOVPN Tunnels

Branch office VPN (BOVPN) tunnels require a reliable connection and the same VPN configuration settings on both VPN endpoints. A network connectivity issue or configuration error can cause issues.

After you configure a new BOVPN tunnel, verify that it works:

• Send traffic through the tunnel
• Monitor the tunnel status

Send Traffic Through the Tunnel

Your Firebox negotiates a VPN tunnel only when traffic must use the tunnel. To test a new VPN tunnel, you must try to send data to an IP address on the remote network. The VPN tunnel is usually not created until you attempt to send data. The source and destination for the data you send must be allowed by the tunnel route configured for that VPN.

For example, when you ping a device on the remote network, the ping fails if:

• The tunnel is down.
• The source or destination IP address is not allowed by the tunnel route in the VPN configuration.
• The remote device is offline or does not respond to a ping. However, if the remote device is offline or does not respond to a ping, the ping traffic still brings the tunnel up.

Troubleshoot Problems

To troubleshoot a BOVPN, we recommend that you focus on VPN settings, messages, and logs:

1. Verify that the VPN settings are the same on both devices.
   
   For example, verify that the pre-shared keys, Phase 1, and Phase 2 settings are the same on both devices.
2. In the tunnel route settings for both devices, verify that the IP addresses and subnet masks are correct:

• For manual BOVPNs, the local IP address must be the same as the IP address of a local host or network.
• The remote IP address must be the IP address of a host or private network on the remote VPN gateway.
• For BOVPN virtual interfaces, specify a route that exists at the remote site. If you specify a route that does not exist at the remote site, traffic does not pass as expected even if the VPN tunnel establishes.
• The tunnel routes on the two devices should look reversed when viewed side-by-side.

3. View VPN diagnostic messages.
4. Run the VPN diagnostic report.
5. Review the IKE log messages on each device during tunnel negotiation.
6. For a connection that completely times out, try to ping the external interface of the remote device to verify connectivity.
   Make sure the remote device is configured to respond to pings. To enable a Firebox to respond to a ping to the external interface, you must edit the ping policy to allow pings from the Any-External alias.
7. Save a packet capture (.PCAP) file to help you diagnose problems with BOVPN traffic.

For information about how to run diagnostic tasks in Fireware, such as ping and TCP dump, go to:

• Run Diagnostic Tasks on Your Firebox (Fireware Web UI)
• Run Diagnostic Tasks to Learn More About Log Messages (WatchGuard System Manager)

Monitor VPN Tunnel Status

To monitor the current status of branch office VPN tunnels from Fireware Web UI, select System Status > VPN Statistics. To see the status and any VPN diagnostic messages if a VPN tunnel connection failed, click a gateway or tunnel. From this page, you can also force a re-key of a VPN tunnel or run the VPN Diagnostic report for a VPN gateway.

For more information about how to monitor the VPN status from Fireware Web UI, go to VPN Statistics.

When you are connected to a Firebox, you can monitor the status of branch office VPN tunnels from the Front Panel tab in Firebox System Manager, or the Device Status tab in WatchGuard System Manager. To see the gateway and tunnel status, and any VPN diagnostic messages if a VPN tunnel connection failed, expand the gateway. In Firebox System Manager, to run the VPN Diagnostic Report or force a re-key of all associated tunnels, you can right-click a gateway.

For more information about how to monitor VPN status in Firebox System Manager, go to VPN Tunnel Status and Subscription Services.

Use VPN Diagnostic Messages and Reports

To troubleshoot the cause of a branch office VPN tunnel problem, you can:

• Use VPN Diagnostic Messages
• Use the VPN Diagnostic Report
• Use the BOVPN Configuration Reports
• Filter Branch Office VPN Log Messages

If you have confirmed that your branch office VPN endpoints are enabled and that the VPN settings match, and your VPN still does not operate correctly, consider other conditions that can cause problems with a branch office VPN, and actions you can take that could improve the availability of the VPN.

For more information, go to Improve Branch Office VPN (BOVPN) Tunnel Availability.

Monitor the Responder

When you configure a VPN, the tunnel is not established until the Firebox must route traffic through the tunnel. The gateway endpoint that first attempts to route traffic through the tunnel initiates tunnel negotiation. For any branch office VPN negotiation, each gateway endpoint has one of two roles:

• The initiator is the endpoint that starts the tunnel negotiation. It sends phase 1 and phase 2 proposals to the remote endpoint to start the negotiation.
• The responder receives VPN phase 1 and phase 2 proposals and accepts or rejects the proposals, based on whether they are the same as the locally configured settings.

When you troubleshoot a branch office VPN, it is most useful to look at VPN diagnostic messages and run the VPN Diagnostic Report on the responder. Because the responder has information about both the settings proposed by the initiator and the locally configured settings, the VPN diagnostic messages and the VPN Diagnostic Report on the responder provide more complete information.

If the BOVPN uses IKEv2, diagnostic log messages from the responder contain more complete information about settings that do not match. For more information about IKEv2 settings, go to Configure IPSec VPN Phase 1 Settings.

To make your Firebox the responder when you monitor tunnel negotiations, you can:

• Get a device on the remote network to attempt to send traffic through the tunnel.
• Ask the administrator of the remote gateway endpoint to force a rekey of the tunnel.

For more information about IPSec VPN negotiations, go to About IPSec VPN Negotiations.

About Tunnel Route Limits

It is possible to configure more branch office VPN tunnel routes than the number of active tunnel routes your Firebox can support. A Firebox cannot establish branch office VPN tunnel routes that exceed the maximum number allowed by the license in the feature key. If the device attempts to establish a BOVPN tunnel that would exceed the limit, this message appears in the log file:

 License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels. 

A warning also appears in Firebox System Manager on the Front Panel tab, and in Fireware Web UI on the System Status > VPN Statistics page.

For more information about tunnel license limits and warnings, go to VPN Tunnel Capacity and Licensing.

Other Troubleshooting Tools

To learn more about BOVPN troubleshooting, go to the BOVPN Troubleshooting video tutorial (12 minutes).

To learn how to optimize BOVPN performance, go to the Optimize BOVPN Performance video tutorial (10 minutes)

If you cannot connect to network resources through an established VPN tunnel, go to Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.