BOVPN Virtual Interface Tunnel Does Not Establish Between Fireboxes

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

A branch office VPN (BOVPN) that uses a virtual interface (VIF) can fail to establish when the BOVPN settings on the two Fireboxes differ. Both tunnel endpoints must negotiate identical parameters, so even a minor discrepancy in settings such as the gateway endpoint IP addresses, IKE version, encryption or authentication algorithms, SA lifetimes, or VPN route definitions can cause IKE negotiation to fail. When the Fireboxes cannot agree on these settings, the security associations (SAs) do not establish and the tunnel does not form.

Symptoms

A BOVPN virtual interface tunnel failure between Fireboxes might present these symptoms:

  • The tunnel status shows Down or Error.
  • Phase 1 or Phase 2 security associations (SAs) do not establish.
  • Traffic does not enter the tunnel.
  • Firebox log messages indicate IKE negotiation or gateway communication failures. Examples:
    • IKE Phase 1 retry timeout
    • No response from remote gateway

Diagnostic Steps

On each BOVPN endpoint, complete these steps:

  1. Verify that the gateway endpoint definitions mirror each other (the remote gateway on each Firebox is the local gateway of its peer) and that the Phase 1 and Phase 2 proposals and routing settings are the same on both sides of the tunnel.
  2. Review BOVPN status and IKE-related log messages.
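The two diagnostic steps above as one worked check, added here as an example and not WatchGuard's own code or tooling. The configuration of each Firebox is modelled as a plain dict whose field names (local_ip, phase1, vif_peer_ip, vpn_routes, and so on) are assumptions for illustration, the sample addresses and log lines are constructed, and the branch Firebox deliberately carries two of the mismatches the table below describes (a wrong remote gateway address and a different Phase 2 PFS group).

```python
# Added example, not WatchGuard's own code: a consistency check for the two
# ends of a BOVPN virtual interface. Field names and sample values are
# assumptions; populate the dicts from your own Firebox configurations.

# Phase 1 and Phase 2 proposal fields that must be identical on both Fireboxes.
PHASE1_KEYS = ("ike_version", "encryption", "authentication", "dh_group", "sa_lifetime_s")
PHASE2_KEYS = ("encryption", "authentication", "pfs_group", "sa_lifetime_s")

# Log messages named on this page and the table row each one points to first.
LOG_HINTS = {
    "No response from remote gateway": "gateway endpoint definitions (or reachability of the remote gateway)",
    "IKE Phase 1 retry timeout": "gateway endpoint definitions or Phase 1 settings",
}


def check_pair(a, b):
    """Return a list of reasons the tunnel between Firebox a and Firebox b
    would not establish. An empty list means the two sides are consistent."""
    problems = []

    # 1. Gateway endpoints mirror each other: a's remote gateway is b's local one.
    for mine, peer in ((a, b), (b, a)):
        if mine["remote_ip"] != peer["local_ip"]:
            problems.append(
                f"{mine['name']}: remote gateway {mine['remote_ip']} is not "
                f"{peer['name']}'s local gateway {peer['local_ip']}"
            )

    # 2. and 3. Phase 1 and Phase 2 proposals are identical on both sides.
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        for key in keys:
            if a[phase][key] != b[phase][key]:
                problems.append(
                    f"{phase} {key}: {a['name']}={a[phase][key]} "
                    f"{b['name']}={b[phase][key]}"
                )

    # 4. Virtual interface addressing: each side's peer address is the other's local address.
    for mine, peer in ((a, b), (b, a)):
        if mine["vif_peer_ip"] != peer["vif_local_ip"]:
            problems.append(
                f"{mine['name']}: VIF peer address {mine['vif_peer_ip']} is not "
                f"{peer['name']}'s VIF address {peer['vif_local_ip']}"
            )

    # 5. VPN routes: a network routed into the tunnel must sit behind the peer.
    for mine, peer in ((a, b), (b, a)):
        for net in mine["vpn_routes"]:
            if net not in peer["local_networks"]:
                problems.append(
                    f"{mine['name']}: routes {net} into the tunnel but "
                    f"{peer['name']} does not serve that network"
                )
    return problems


def classify_logs(lines):
    """Map Firebox log lines to the table row to check first. Returns a
    (message, hint) pair for every line that contains a known message."""
    return [(msg, hint) for line in lines for msg, hint in LOG_HINTS.items() if msg in line]


# Constructed sample configurations for a head office and a branch Firebox.
SITE_A = {
    "name": "hq-fw",
    "local_ip": "203.0.113.10", "remote_ip": "198.51.100.20",
    "phase1": {"ike_version": 2, "encryption": "AES-256", "authentication": "SHA2-256",
               "dh_group": 14, "sa_lifetime_s": 28800},
    "phase2": {"encryption": "AES-256", "authentication": "SHA2-256",
               "pfs_group": 14, "sa_lifetime_s": 3600},
    "vif_local_ip": "10.255.0.1", "vif_peer_ip": "10.255.0.2",
    "local_networks": ["10.10.0.0/16"], "vpn_routes": ["10.20.0.0/16"],
}
SITE_B = {
    "name": "branch-fw",
    "local_ip": "198.51.100.20", "remote_ip": "203.0.113.1",  # typo: should be .10
    "phase1": dict(SITE_A["phase1"]),
    "phase2": {**SITE_A["phase2"], "pfs_group": 19},          # PFS group differs
    "vif_local_ip": "10.255.0.2", "vif_peer_ip": "10.255.0.1",
    "local_networks": ["10.20.0.0/16"], "vpn_routes": ["10.10.0.0/16"],
}
# The branch Firebox after both corrections are applied.
SITE_B_FIXED = {**SITE_B, "remote_ip": "203.0.113.10",
                "phase2": {**SITE_B["phase2"], "pfs_group": 14}}

# Constructed log lines carrying the messages quoted on this page.
SAMPLE_LOGS = [
    "iked: IKE Phase 1 retry timeout, gateway hq-to-branch",
    "iked: No response from remote gateway 203.0.113.1",
    "iked: Phase 2 SA established for hq-to-branch",
]

if __name__ == "__main__":
    for p in check_pair(SITE_A, SITE_B):
        print("MISMATCH:", p)
    for msg, hint in classify_logs(SAMPLE_LOGS):
        print(f"log '{msg}' -> check {hint}")
```

Run against the sample data, check_pair reports the wrong remote gateway on the branch side and the Phase 2 PFS mismatch, and reports nothing once SITE_B_FIXED is used; the check is symmetric, so run it in both directions when one side's export is incomplete. The route check treats the VPN routes as a plain list of prefixes; for dynamic routing over the virtual interface, compare the advertised prefixes the same way.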

Possible Causes and Solutions

Possible Cause: Gateway endpoint definitions do not align.

Solution: Configure the local and remote gateway endpoint definitions on both Fireboxes so that the remote gateway on each Firebox is the local gateway of its peer. For more information, go to:

Locally-Managed: Manual Branch Office VPN Tunnels

Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes

Possible Cause: Phase 1 settings differ between tunnel endpoints.

Solution: Align the IKE version, encryption and authentication algorithms, Diffie-Hellman group, and SA lifetime on both Fireboxes. For more information, go to:

Locally-Managed: Configure Phase 1 and Phase 2 Settings

Cloud-Managed: Configure BOVPN Security Settings

Possible Cause: Phase 2 settings differ between tunnel endpoints.

Solution: Align the Phase 2 proposal on both Fireboxes: the encryption and authentication algorithms, the perfect forward secrecy (PFS) setting, and the SA lifetime. For more information, go to:

Locally-Managed: Configure Phase 1 and Phase 2 Settings

Cloud-Managed: Configure BOVPN Security Settings

Possible Cause: Routing settings differ between endpoints.

Solution: Configure and align the gateway routes so that each network one Firebox routes into the tunnel is a network behind the other Firebox. For more information, go to:

Locally-Managed: Routes and Routing

Cloud-Managed: About Static Routes and Dynamic Routing

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)