BOVPN Traffic Dropped as Unhandled with a VIF Alias

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When a branch office VPN (BOVPN) virtual interface (VIF) configuration uses a VIF alias, the traffic sent through the tunnel can be dropped as Unhandled. The cause is a known hardware acceleration defect that affects the default BOVPN allow policies.

This issue affects the Firebox T115‑W, T125, and T145 platforms, as well as older T-series and M-series devices that run Fireware v12.x. The defect is most likely to occur with traffic destined for large address spaces (for example, 10.0.0.0/8).

Symptoms

When BOVPN traffic fails because the configuration uses a VIF alias, one or more of these symptoms can occur:

  • Log messages indicate packets denied as Unhandled. Example:
    msg_id="3000-0148" Deny Trusted Internal ... (Unhandled Internal Packet-00)
  • The BOVPN tunnel establishes, but no traffic passes through the tunnel.
  • Traffic destined for remote networks is denied without matching a policy.

Diagnostic Steps

On the Firebox, complete these steps:

  1. Verify that the Fireware version installed on the device is Fireware v2026.1 or higher.
  2. Review the BOVPN configuration and policy usage to verify that traffic relies on the default BOVPN allow policies.
  3. Verify that a VIF alias is configured and used for traffic selection.
  4. Review traffic and identify any Unhandled packets.
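
For step 4, an added example (not WatchGuard code) that filters exported traffic log lines for Unhandled denies whose destination lies behind the tunnel. The remote network list, the sample lines, and the assumption that the first two IPv4 addresses on a line are source and destination are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks routed through the BOVPN virtual interface at this site.
REMOTE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

MSG_ID = re.compile(r'msg_id="3000-0148"')
UNHANDLED = re.compile(r"\(Unhandled \w+ Packet-\d+\)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unhandled_bovpn_denies(lines, remote_nets=REMOTE_NETS):
    """Count Unhandled denies per (src, dst) where dst is behind the tunnel."""
    hits = Counter()
    for line in lines:
        if not (MSG_ID.search(line) and UNHANDLED.search(line) and " Deny " in line):
            continue
        addrs = []
        for tok in IPV4.findall(line):
            try:
                addrs.append(ipaddress.ip_address(tok))
            except ValueError:
                pass  # dotted token that is not a valid IPv4 address
        if len(addrs) < 2:
            continue
        # Assumption: first address is the source, second is the destination.
        src, dst = addrs[0], addrs[1]
        if any(dst in net for net in remote_nets):
            hits[(str(src), str(dst))] += 1
    return hits

# Constructed sample lines; field layout between action and reason is assumed.
SAMPLE = [
    'msg_id="3000-0148" Deny Trusted Internal 60 tcp 20 64 192.168.10.5 10.20.0.15 51515 443 (Unhandled Internal Packet-00)',
    'msg_id="3000-0148" Deny Trusted Internal 60 tcp 20 64 192.168.10.5 10.20.0.15 51516 443 (Unhandled Internal Packet-00)',
    'msg_id="3000-0148" Deny Trusted External 60 tcp 20 64 192.168.10.7 203.0.113.9 40000 23 (Unhandled External Packet-00)',
    'msg_id="3000-0148" Allow Trusted Internal 60 tcp 20 64 192.168.10.5 10.20.0.15 51517 443 (Example-Allow-00)',
]

if __name__ == "__main__":
    for (src, dst), n in unhandled_bovpn_denies(SAMPLE).most_common():
        print(f"{n:4d}  {src} -> {dst}")
```

Repeated Unhandled denies toward tunnel networks while the tunnel itself is established match the symptoms listed above.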

Possible Causes and Solutions

Possible Cause: A hardware acceleration defect affects default BOVPN allow policies when the configuration uses a VIF alias.

Solution:

Option 1

Upgrade the Firebox to Fireware v2026.1 or higher. For more information, go to:

Locally-Managed: Fireware OS Versions and the Download WatchGuard Software knowledge base article.

Cloud-Managed: Manage Fireware Versions for Devices in WatchGuard Cloud

Option 2

(Locally-managed Fireboxes only) Disable hardware acceleration.

For more information, go to the VIF traffic denied as unhandled when you use default BOVPN allow policies knowledge base article.

Review the BOVPN tunnel configuration. For more information, go to Define a Tunnel.

Option 3

Older T-series and M-series devices that run Fireware v12.x.

For more information, go to the VIF traffic denied as unhandled when you use default BOVPN allow policies knowledge base article.

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)