Incorrect Gateway Endpoint IP Addresses or Endpoint Order Causes Tunnel Failure

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

A branch office VPN (BOVPN) tunnel can fail if the configured gateway endpoint IP addresses or DNS hostnames are incorrect, unreachable, inconsistent between peers, or defined in a different order on each side of the tunnel. Fireboxes use these gateway definitions during Phase 1 (IKE) negotiation. If the definitions do not match, the devices cannot select a compatible Phase 1 policy, and the tunnel does not establish.

Failover behavior depends on gateway endpoint order. When the configuration includes multiple endpoints, the Firebox treats the first entry as the primary peer and uses the remaining entries for failover. If the endpoint order differs between BOVPN peers, failover can cause the Firebox to negotiate with an unintended gateway, which can lead to intermittent tunnel drops or prevent VPN re-establishment.

Symptoms

When the configured gateway endpoint IP addresses or DNS hostnames are incorrect, a BOVPN tunnel failure typically presents these symptoms:

  • The BOVPN tunnel negotiates intermittently.
  • Failover does not work as expected.
  • Phase 1 (IKE) negotiation fails.
  • Log messages indicate that the Firebox could not verify a valid Phase 1 configuration. Example:
    Failed to find phase 1 policy

Diagnostic Steps

From each BOVPN endpoint, perform these steps:

  1. Verify that the configured local and remote gateway endpoint IP addresses or hostnames are correct.
  2. Verify that the endpoint order is identical on both sides of the tunnel.
  3. Verify that all configured IP addresses or hostnames resolve correctly and point to the intended VPN gateways.
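The three checks above can be scripted when you have the endpoint lists from both Fireboxes in front of you. The following Python example is added here and is not WatchGuard code; it models each peer's gateway as an ordered list of local/remote endpoint pairs (a simplification of the Firebox gateway definition), uses a constructed resolver table and documentation-range addresses so that it runs offline, and reports unresolvable names, names that resolve to the wrong address, and entries whose order does not mirror the other peer.

```python
"""Consistency check for BOVPN gateway endpoint definitions on two peers.

Added example, not WatchGuard's code. Each peer is an ordered list of
EndpointPair(local, remote). For the definitions to agree, entry n on peer B
must be entry n on peer A with local and remote swapped, and every hostname
must resolve to the gateway it is meant to reach.
"""
from dataclasses import dataclass
import ipaddress
import socket


@dataclass(frozen=True)
class EndpointPair:
    local: str   # IP or DNS hostname of this Firebox's external interface
    remote: str  # IP or DNS hostname of the peer Firebox


# Constructed stand-in for DNS so the example runs without network access.
SAMPLE_DNS = {
    "hq-vpn.example.com": "198.51.100.10",
    "branch-vpn.example.com": "203.0.113.20",
}


def resolve(name, table=None):
    """Return the address for an IP literal or hostname, or None if it does not resolve."""
    try:
        return str(ipaddress.ip_address(name))  # already an IP literal
    except ValueError:
        pass
    if table is not None:
        return table.get(name)                  # offline lookup
    try:
        return socket.gethostbyname(name)       # live DNS when no table is given
    except socket.gaierror:
        return None


def check_endpoints(peer_a, peer_b, intended, table=None):
    """Return a list of findings; an empty list means both definitions agree.

    peer_a, peer_b: ordered EndpointPair lists as configured on each Firebox.
    intended: names/IPs mapped to the address each one should resolve to.
    """
    findings = []
    # Step 1 and 3: every configured name must resolve, and to the intended gateway.
    for side, pairs in (("peer A", peer_a), ("peer B", peer_b)):
        for idx, pair in enumerate(pairs, start=1):
            for role, name in (("local", pair.local), ("remote", pair.remote)):
                addr = resolve(name, table)
                if addr is None:
                    findings.append(f"{side} endpoint {idx} {role} '{name}' does not resolve")
                elif intended.get(name) not in (None, addr):
                    findings.append(f"{side} endpoint {idx} {role} '{name}' resolves to "
                                    f"{addr}, expected {intended[name]}")
    # Step 2: same count, and entry n on peer B mirrors entry n on peer A.
    if len(peer_a) != len(peer_b):
        findings.append(f"endpoint count differs: peer A has {len(peer_a)}, peer B has {len(peer_b)}")
    for idx, (a, b) in enumerate(zip(peer_a, peer_b), start=1):
        a_local, a_remote = resolve(a.local, table), resolve(a.remote, table)
        b_local, b_remote = resolve(b.local, table), resolve(b.remote, table)
        if None in (a_local, a_remote, b_local, b_remote):
            continue  # already reported as unresolvable above
        if (a_local, a_remote) != (b_remote, b_local):
            findings.append(f"endpoint {idx} order/definition mismatch: "
                            f"peer A {a.local}->{a.remote}, peer B {b.local}->{b.remote}")
    return findings


# Constructed sample: HQ has a primary and a failover external address,
# the branch has one. The first entry on each side is the primary peer.
HQ = [
    EndpointPair(local="198.51.100.10", remote="branch-vpn.example.com"),
    EndpointPair(local="198.51.100.11", remote="branch-vpn.example.com"),
]
BRANCH_OK = [
    EndpointPair(local="203.0.113.20", remote="hq-vpn.example.com"),
    EndpointPair(local="203.0.113.20", remote="198.51.100.11"),
]
BRANCH_REVERSED = list(reversed(BRANCH_OK))          # failover entry listed first
BRANCH_TYPO = [
    EndpointPair(local="203.0.113.20", remote="hq-vpn.exmaple.com"),  # misspelled host
    BRANCH_OK[1],
]
INTENDED = {
    "hq-vpn.example.com": "198.51.100.10",
    "branch-vpn.example.com": "203.0.113.20",
}

if __name__ == "__main__":
    for label, branch in (("ok", BRANCH_OK), ("reversed", BRANCH_REVERSED), ("typo", BRANCH_TYPO)):
        print(label, check_endpoints(HQ, branch, INTENDED, SAMPLE_DNS) or "consistent")
```

Run it with the peers' real lists and without the `table` argument to use live DNS from the host you run it on; resolve from each site if DNS differs between them, because a name that resolves correctly at one site and not at the other produces exactly the intermittent behavior described above.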

Possible Causes and Solutions

Possible Cause: One or more gateway endpoint IP addresses or DNS entries are incorrect.
Solution: Update the IP address or hostname so that it points to the intended VPN gateway device. For more information, go to:
  Locally-Managed: Manual Branch Office VPN Tunnels
  Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes

Possible Cause: The gateway endpoint order is not the same on both sides of the BOVPN tunnel.
Solution: Configure the gateway endpoints in the same order on both tunnel endpoints to maintain consistent negotiation and failover behavior. For more information, go to:
  Locally-Managed: Manual Branch Office VPN Tunnels
  Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)