BOVPN Virtual Interface IP Address Mismatch or Overlap

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Traffic might not pass through branch office VPN (BOVPN) tunnels when virtual interface (VIF) IP addresses differ between tunnel endpoints or overlap with existing internal networks. Incorrect or overlapping VIF IP addresses can trigger IP spoofing protection so traffic cannot pass correctly through the tunnel.

Symptoms

When a BOVPN virtual interface IP address mismatch or overlap occurs, you might notice one or more of these symptoms:

  • IP spoofing errors.
  • One-way traffic across the BOVPN tunnel.
  • Intermittent or dropped traffic through the tunnel.
  • Log messages indicate that the Firebox dropped traffic because the source IP address differs from the expected virtual interface network. Example:
    ip spoofing attack

Diagnostic Steps

On each BOVPN endpoint, complete these steps:

  1. Compare the configured BOVPN virtual interface IP addresses on both sides of the tunnel.
  2. Verify that the VIF IP addresses use the same transit network.
  3. Verify that the VIF network does not overlap with internal or routed networks.

In general, each VIF must use a unique pair of virtual IP addresses. In some supported designs, however, you can reuse the same local virtual IP address on multiple VIFs. This is most commonly done on a hub device in a hub-and-spoke BOVPN deployment that uses dynamic routing.
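As an added example (not part of this WatchGuard page or of any Firebox tooling), the following Python checker applies the three diagnostic steps to two constructed endpoint configurations and also flags a local VIF address that is reused across several VIFs on one device; the dictionary layout and the sample addresses are assumptions.

```python
from collections import Counter
from ipaddress import ip_interface, ip_network

# Constructed sample configuration for two tunnel endpoints (not taken from a real Firebox).
# "local" is the VIF address the device assigns itself, "peer" the address it expects on the
# remote VIF, both with the transit prefix; "internal" lists the networks it routes locally.
SITE_A = {"local": "10.255.0.1/30", "peer": "10.255.0.2/30",
          "internal": ["10.0.1.0/24", "10.0.2.0/24"]}
SITE_B = {"local": "10.255.0.2/30", "peer": "10.255.0.1/30",
          "internal": ["10.10.0.0/16"]}


def check_vif_pair(a, b):
    """Return a list of findings; an empty list means the VIF addressing is consistent."""
    findings = []
    a_local, a_peer = ip_interface(a["local"]), ip_interface(a["peer"])
    b_local, b_peer = ip_interface(b["local"]), ip_interface(b["peer"])

    # Step 1: each side's expected peer address must be the other side's local address.
    if a_peer.ip != b_local.ip or b_peer.ip != a_local.ip:
        findings.append("mismatch: local/peer VIF addresses are not mirrored between endpoints")

    # Step 2: all four address/prefix pairs must describe one and the same transit network.
    transit = {a_local.network, a_peer.network, b_local.network, b_peer.network}
    if len(transit) != 1:
        nets = ", ".join(sorted(str(n) for n in transit))
        findings.append(f"mismatch: endpoints disagree on the transit network ({nets})")

    # Step 3: the transit network must not overlap any internal or routed network on either
    # side; if it does, traffic arriving over the tunnel appears to come from the wrong
    # network and can be dropped as spoofed.
    for side, cfg in (("A", a), ("B", b)):
        for net in (ip_network(n, strict=False) for n in cfg["internal"]):
            if any(t.overlaps(net) for t in transit):
                findings.append(f"overlap: transit network overlaps {net} on site {side}")
    return findings


def reused_local_addresses(vifs):
    """Local VIF addresses configured on more than one VIF of the same device.

    Normally every VIF needs its own address pair; only a hub in a hub-and-spoke
    design that uses dynamic routing may deliberately reuse one."""
    counts = Counter(ip_interface(v["local"]).ip for v in vifs)
    return sorted(str(ip) for ip, n in counts.items() if n > 1)
```

Run `check_vif_pair` once per tunnel with the two endpoints' values, and `reused_local_addresses` over all VIFs of one device; any finding returned for a non-hub device points at the cause to fix.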

Possible Causes and Solutions

Possible Cause: The virtual interface IP addresses do not match on both sides of the BOVPN tunnel.

Solution: Configure the same virtual interface IP addresses on both tunnel endpoints.

Locally-Managed: Configure BOVPN Virtual Interface IP Addresses

Cloud-Managed: Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint

Possible Cause: The virtual interface transit network overlaps with an internal or routed network.

Solution: Select a dedicated, non-overlapping transit network for the BOVPN virtual interface.

Locally-Managed: Routes and Routing

Cloud-Managed: About Static Routes and Dynamic Routing

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)