Run a BOVPN Diagnostic Report for a Firebox or FireCluster

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

The BOVPN Diagnostic Report contains information that can help you troubleshoot BOVPN connectivity and routing issues. You can run this report while you send traffic through the tunnel to identify BOVPN issues. For some types of issues, the report contains information about how to resolve the issue.

Run a BOVPN Diagnostic Report

You can run the BOVPN diagnostic report from WatchGuard Cloud or from Fireware Web UI. For information about how to run this report from Fireware Web UI, see Run a VPN Diagnostic Report on a Cloud-Managed Firebox.

To run the BOVPN Diagnostic Report, from WatchGuard Cloud:

  1. Select Monitor > Devices.
  2. Select a Firebox.
    The Device Summary page for the selected Firebox opens.
  3. Select Live Status > VPN.
    The VPN page opens.

Screen shot of the VPN page with an inactive VPN

  1. Select Branch Office VPN.
  2. Click the name of the BOVPN you want to troubleshoot.
    The Branch Office VPN details page opens. An error message might appear that indicates an issue.

Screen shot of details for an inactive BOVPN, with an error message

  1. To run the BOVPN diagnostic report, click Debug.

Screen shot of the VPN diagnostic report

  1. Review the content of the report as described in the next section.

To open live status in a new window, click in the upper, right corner of the WatchGuard Cloud window.

BOVPN Diagnostic Report Details

The BOVPN Diagnostic Report includes information about the BOVPN configuration and the status of any active tunnels for the selected gateway.

The BOVPN Diagnostic Report includes these sections:


This is the complete report summary and can include information about actions you can take to resolve any issues identified by the report. For each tunnel route, the report shows whether the tunnel route was established, whether traffic was detected after the report started, and error messages related to the tunnel. Some error messages include information about what you can do to correct a problem with the BOVPN tunnel.

Gateway Summary

This is a summary of the gateway configuration and each configured gateway endpoint.

Tunnel Summary

This is a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.

Run-time Info (bvpn routes)

This section appears only when you run the diagnostic report for a branch office VPN virtual interface. It includes the static and dynamic routes that use the BOVPN virtual interface and the distance for each route. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.

Run-time Info (gateway IKE_SA)

The status of the IKE (Phase 1) security association for the gateway.

Run-time Info (tunnel IPSEC_SA)

The status of the IPSec tunnel (Phase 2) security association for active tunnels that use the gateway.

Run-time Info (tunnel IPSec_SP)

The status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the gateway.

Address Pairs in Firewalld

The status of the address pairs for each tunnel. This section does not appear when you run the report for a branch office VPN virtual interface or for a BOVPN on a cloud-managed Firebox.

Policy checker result

The policies that manage inbound and outbound traffic for each tunnel route.

Related Logs

If tunnel negotiation occurs while the Diagnostic Report runs, the tunnel negotiation log messages appear in this section. If the remote device attempts to negotiate or rekey the tunnel while the report runs, the log messages that appear in this section include more informative details.

Related Topics

About WatchGuard Cloud

Recover the Firebox Connection to WatchGuard Cloud

About Mobile VPN for a Cloud-Managed Firebox