SkreeM (IS/IT--Management)
21 Oct 11 10:18
Hi All,

We have an x750 at the center of our network and assorted little firewalls at our branch offices. All had been working well until this week, when we got issues reported with one site; they have a ZyWALL 35 at the end of an ADSL line.

We have done some testing and...

From our LAN to the external IP of the site - no packet loss
From external site to external IP of our site - no packet loss
From our site to internal IP of their firewall - approx 25% loss
From their site to internal IP of our firewall - approx 25% loss

All these tests have been done with just the ping utility. Pathping on the internal IPs shows the same amount of loss at the final hop each way only.

So far we have tried rebooting the firewalls at both ends, and have removed and re-created the VPN tunnel at both ends. We have also tried using different proposals for phases 1 and 2 of the VPN. There has been no difference.

Any further advice that can be given would be most helpful.

Thanks In advance

SkreeM
tpit (MIS)
21 Oct 11 10:47
Hello SkreeM,

In your BoVPN tunnel gateways you will need to use the primary IPs of both sites. So, when you have 2 or more routable public addresses on both your WatchGuard and your ZyWALL, you will still need to tunnel between their respective primary addresses.

If you are already tunneling through their respective public IPs, I suggest you trace the connection with an ICMP policy set to log traffic even on successful pings.

If you want me to assist, just reply.

Regards,
Tommie

_________________________________
It works! But how?
VoiceByte System Engineer

SkreeM (IS/IT--Management)
21 Oct 11 11:16
Hi Tommie,

Each of our tunnels is set to use the primary IP on each end. How would I go about setting up the trace with the ICMP logging?

What I really don't get is why it has suddenly stopped working. It's been fine for at least a year, and suddenly this. No changes were made to firewall policy this week, but it stopped working at lunchtime on Wednesday.

Skr
tpit (MIS)
21 Oct 11 12:00
Hey SkreeM,

You can set the policy for ICMP (usually exists in standard config) to log successful packets, through its second tab in WSM.

I've had similar problems and issues with BoVPN tunnels to a Fortigate. What does your IKED logging say? Are all hops intact? You can trace the route with MTR (unix) or tracert (windows) to see what hops are at work... Though this will not work in a tunnel, so trace from pub IP to pub IP.

Regards,
Tommie

_________________________________
It works! But how?
VoiceByte System Engineer
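The comparison the original poster ran by hand (loss to the peer's public IP versus loss to its tunnel-internal IP) can be scripted so the fault domain is called out consistently on repeated runs. This is an added example, not code from the thread or from either vendor; it assumes a Linux/BSD-style ping(8) summary line, and the two target addresses are supplied on the command line.

```shell
#!/bin/sh
# Added example: localize VPN packet loss by probing the public path and the
# tunnel path separately. Loss that appears only on the tunnel path points at
# the IPsec/encapsulation layer (MTU, SA state, policy) rather than the ADSL line.
# Assumption: ping prints "... N% packet loss ..." (Linux and BSD formats both do).

COUNT=50   # probes per target

# Extract the integer loss percentage from a ping summary line, e.g.
#   "50 packets transmitted, 38 received, 24% packet loss, time 49080ms"
#   "50 packets transmitted, 38 packets received, 24.0% packet loss"
loss_pct() {
    printf '%s\n' "$1" |
        sed -n 's/.*[ ,]\([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p'
}

# Decide where the loss lives. Arguments: public-path loss, tunnel-path loss.
# A tunnel figure more than 10 points above the public figure is treated as
# tunnel-specific; any loss on the public path itself means the underlay is bad.
classify() {
    pub=$1; tun=$2
    if [ "$tun" -gt $(( pub + 10 )) ]; then
        echo "tunnel"      # loss only once traffic is encapsulated
    elif [ "$pub" -gt 0 ]; then
        echo "underlay"    # the transport path itself is lossy
    else
        echo "clean"
    fi
}

# Ping one target and print its loss percentage; an unparseable or absent
# summary (ping could not run at all) is reported as 100% loss.
probe() {
    out=$(ping -c "$COUNT" -q "$1" 2>/dev/null | grep 'packet loss')
    v=$(loss_pct "$out")
    [ -n "$v" ] && echo "$v" || echo 100
}

# Usage: ./vpnloss.sh <peer public IP> <peer tunnel-internal IP>
if [ $# -eq 2 ]; then
    pub_loss=$(probe "$1")
    tun_loss=$(probe "$2")
    echo "public path loss: ${pub_loss}%  tunnel path loss: ${tun_loss}%"
    echo "verdict: $(classify "$pub_loss" "$tun_loss")"
fi
```

Run it from each end of the tunnel, as in the thread, since a verdict of "tunnel" in one direction only narrows the problem to that peer's outbound encapsulation.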
