We have 2 branch offices using SOHO

Status
Not open for further replies.

Moffet

Technical User
Nov 5, 2002
50
GB
We have 2 branch offices using SOHO boxes (and will be adding more shortly) to connect to our FBII at head office. All are on ADSL connections. The BOVPN connection works fine on one of the SOHOs, but the other one does not. The problem is that these SOHOs are configured exactly the same apart from internal and external IP addresses which makes it hard to pin down what is causing the problem.

At head office, we are using a BT 5861 ADSL router, which I have heard has problems passing through multiple IPSec tunnels. Is this true? Could this be our problem?

The errors in the logs at the SOHO end say:

2003-10-16-12:46:56 MONITOR rekey caused by packet from 187.155.12.6 port 1065 to 187.150.10.5 port 23 (TCP)
2003-10-16-12:46:56 MONITOR remote gateway (62.49.73.82) dead - force rekey

I tried changing the networking.ipsec.deadtunnel.check value as suggested on the Watchguard forum but that made no difference. This error does vanish with a constant ping through the tunnel so the Keep Alive on the SOHO is obviously not working!


And also:

2003-10-16-12:23:02 MONITOR Quick Mode processing failed
2003-10-16-12:23:02 MONITOR get_ipsec_pref: Unable to find channel info for remote(62.49.73.82)
2003-10-16-12:23:02 MONITOR ACTION - Verify VPN IPSec Policies for 62.49.73.82
2003-10-16-12:23:02 MONITOR WARNING - No Matching IPSec Policy found for 62.49.73.82

The FBII logs say the peer won't accept the routing policy. The tunnel seems to work but not reliably and consistently.

Can anyone tell me how to solve this problem? I've seen similar problems posted elsewhere but not really any solutions.

Thanks for any advice.
 

Oops, sorry. Forgot to put in a subject for this one...
 
What versions of the firmware are the SOHOs running? Are these SOHO 5s or 6s? Do you have support from WatchGuard? Are the public IPs for the SOHOs static or dynamic? What version of software is the FB running? I doubt your router is the problem here.

AM
 

Thanks for your response.

We are using the latest version of the firmware for both the SOHOs and the FBII (v6.2.20 for the SOHOs, v7.0 with the patch applied for the FBII). They are both a SOHO 6tc and use dynamic IP addresses (although as yet they haven't changed!). There are no differences between them whatsoever (although the connections are with different ISPs - one is in the USA and one in the UK) but one works and one doesn't. The connection works a little but is dropping out with the previously mentioned errors in the logs more and more frequently.

I do have Watchguard support but I wasted two of my support incidents before (because I solved my own problem not long after raising the incidents) so want to know I need help from them before raising an incident.

Any ideas?
 

Our head office (with the Firebox II) is in the UK. One of the branch offices is in the US, this one works ok. The other branch office in question is in the UK only a couple of hundred miles from head office, which we are having the problem with.

I'm pretty sure it is not an ADSL problem because internet access from the problem office works fine. I also don't think it is an ISP problem because both the UK sites use the same ISP and VPN is not a problem from head office.

Need any more info?
 
Try giving Wick Hill a call; they are in the UK at Guildford, I think. They do not ask if you have an account with them and are really helpful. Contact them on 01483 227600.
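For the SOHO log excerpts quoted in the first post, an added example (not part of the thread and not WatchGuard code) that separates the two failure signatures, the dead-gateway forced rekey and the Quick Mode policy mismatch, per remote gateway and reports the time between repeats. The category names and the chronological reordering of the sample lines are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the first post in this thread, put in time order.
SAMPLE_LOG = """\
2003-10-16-12:23:02 MONITOR Quick Mode processing failed
2003-10-16-12:23:02 MONITOR get_ipsec_pref: Unable to find channel info for remote(62.49.73.82)
2003-10-16-12:23:02 MONITOR ACTION - Verify VPN IPSec Policies for 62.49.73.82
2003-10-16-12:23:02 MONITOR WARNING - No Matching IPSec Policy found for 62.49.73.82
2003-10-16-12:46:56 MONITOR rekey caused by packet from 187.155.12.6 port 1065 to 187.150.10.5 port 23 (TCP)
2003-10-16-12:46:56 MONITOR remote gateway (62.49.73.82) dead - force rekey
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}) MONITOR (.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Category labels are this example's own names, not WatchGuard terminology.
PATTERNS = {
    "dead_gateway_rekey": re.compile(r"remote gateway \(" + IP + r"\) dead - force rekey"),
    "no_matching_policy": re.compile(r"No Matching IPSec Policy found for " + IP),
}

def parse(text):
    """Yield (timestamp, category, peer) for each recognised tunnel-failure line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a timestamped MONITOR line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d-%H:%M:%S")
        for category, pattern in PATTERNS.items():
            hit = pattern.search(m.group(2))
            if hit:
                yield ts, category, hit.group(1)

def summarise(text):
    """Per (peer, category): event count and seconds between successive events."""
    times = defaultdict(list)
    for ts, category, peer in parse(text):
        times[(peer, category)].append(ts)
    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps), "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for (peer, category), stats in sorted(summarise(SAMPLE_LOG).items()):
        print(peer, category, stats)
```

Run over a longer export of the SOHO log, shrinking values in `gaps_s` for one peer would match the "more and more frequently" pattern described in the thread.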
 