Improve Branch Office VPN (BOVPN) Tunnel Availability

In most cases, BOVPN tunnels are available to pass traffic at all times. If you notice an availability issue, even though all configuration settings are correct, one of these factors might be the cause:

  • Unreliable external connection — One or both BOVPN endpoints might have external connections with high latency, high packet fragmentation, and high packet loss, which can make a connection unreliable. These factors have a greater impact on BOVPN traffic than on other common traffic, like HTTP and SMTP. With BOVPN traffic, the encrypted packets must arrive at the destination endpoint, be decrypted, and then reassembled before the unencrypted traffic can be routed to the destination IP address.
  • Older WatchGuard endpoint and software — We conduct compatibility tests between new WatchGuard products and older devices by using the latest software available for older devices. With older software, issues might exist that we fixed in more recent software releases.
  • Third-party endpoint — Because Fireboxes are based on the IPSec standard, they are compatible with most third-party endpoints. However, some third-party endpoint devices are not IPSec-compliant because of software problems or proprietary settings.
  • Low or no traffic — If there is a low volume of traffic through an IPSec tunnel, or if there are long periods of time when no traffic goes through the tunnel, the Firebox and most third-party endpoints intentionally tear down the VPN connection. This is done to avoid brute force attacks between automatic rekeys. When traffic tries to flow through the tunnel again, the tunnel is rebuilt and rekeyed.

If BOVPN availability issues continue after you Upgrade Fireware OS, try these options:

Related Topics

Monitor and Troubleshoot BOVPN Tunnels

Manual Branch Office VPN Tunnels