Improve Branch Office VPN Tunnel Availability
There are Branch Office VPN (BOVPN) installations in which all the settings are correct, but BOVPN connections do not always operate correctly. You can use the information below to help you troubleshoot your BOVPN tunnel availability problems. These procedures do not improve general BOVPN tunnel performance.
Most BOVPN tunnels remain available to pass traffic at all times. Problems are often associated with one or more of these three conditions:
- One or both endpoints have unreliable external connections. High latency, high packet fragmentation, and high packet loss can make a connection unreliable. These factors have a greater impact on BOVPN traffic than on other common traffic, like HTTP and SMTP. With BOVPN traffic, the encrypted packets must arrive at the destination endpoint, be decrypted, and then reassembled before the unencrypted traffic can be routed to the destination IP address.
- One endpoint is not a Firebox, or is an older Firebox or XTM device with older system software. Compatibility tests between new WatchGuard products and older devices are done with the latest software available for older devices. With older software, you could have problems that have been fixed in the latest software release.
Because they are based on the IPSec standard, Firebox and XTM devices are compatible with most third-party endpoints. However, some third-party endpoint devices are not IPSec-compliant because of software problems or proprietary settings.
- If there is a low volume of traffic through the tunnel, or if there are long periods of time when no traffic goes through the tunnel, some endpoints terminate the VPN connection. Fireboxes that run Fireware, and Firebox X Edge devices do not do this. Some third-party devices use this condition as a way to terminate tunnels that seem to be dead.
You can install the latest operating system software on all Fireboxes, but all of the other conditions in this list are out of your control. You can, however, take certain actions to improve the availability of the branch office VPN.
Both IKE Keep-alive and Dead Peer Detection settings can show when a tunnel is disconnected. When they find the tunnel has disconnected, they start a new Phase 1 negotiation. If you select both IKE Keep-alive and Dead Peer Detection, the Phase 1 renegotiation that one starts can cause the other to identify the tunnel as disconnected and start a second Phase 1 negotiation. Each Phase 1 negotiation stops all tunnel traffic until the tunnel has been negotiated. To improve tunnel stability, select either IKE Keep-alive or Dead Peer Detection. Do not select both.
The IKE Keep-alive setting is used only by Fireboxes. Do not use it if the remote endpoint is a third-party IPSec device.
When you enable IKE Keep-alive, the Firebox sends a message to the remote gateway device at a regular interval and waits for a response. Message interval determines how often a message is sent. Max Failures is how many times the remote gateway device can fail to respond before the Firebox tries to renegotiate the Phase 1 connection.
Dead Peer Detection is an industry standard that is used by most IPSec devices. Select Dead Peer Detection if both endpoint devices support it.
When you enable Dead Peer Detection, the Firebox monitors tunnel traffic to identify whether a tunnel is active. If no traffic has been received from the remote peer for the amount of time entered for Traffic idle timeout, and a packet is waiting to be sent to the peer, the Firebox sends a query. If there is no response after the number of Max retries, the Firebox renegotiates the Phase 1 connection. For more information about Dead Peer Detection, see http://www.ietf.org/rfc/rfc3706.txt.
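The two liveness mechanisms described above behave differently on an idle tunnel, and the simulation below makes that visible. It is an added example, not WatchGuard code: two toy monitors modelled on the page's description of Dead Peer Detection (probe only when the peer has been idle for Traffic idle timeout and a packet is waiting; renegotiate Phase 1 after Max retries) and of IKE Keep-alive (message every interval regardless of traffic; renegotiate after Max Failures). The DPD defaults (20 seconds, 5 retries) are the page's own; the keep-alive interval (30 seconds), its failure limit (3), the scripted traffic and the one-second reply delay are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DpdMonitor:
    """Dead Peer Detection as the page describes it (RFC 3706 style).
    Defaults are the page's Fireware defaults: 20 s idle timeout, 5 retries."""
    idle_timeout: float = 20.0
    max_retries: int = 5
    last_rx: float = 0.0   # time the peer was last heard from
    retries: int = 0       # unanswered queries so far

    def on_receive(self, now):
        # Any packet from the peer proves it is alive; clear the retry counter.
        self.last_rx = now
        self.retries = 0

    def on_send(self, now):
        # Called when a packet is queued for the peer; returns the action taken.
        if now - self.last_rx < self.idle_timeout:
            return "forward"                 # peer recently seen, no probe needed
        if self.retries >= self.max_retries:
            self.retries = 0
            self.last_rx = now               # new SA: restart the idle clock
            return "renegotiate_phase1"
        self.retries += 1
        return "query"                       # R-U-THERE sent alongside the packet

    def tick(self, now):
        return None                          # DPD has no timer of its own


@dataclass
class IkeKeepalive:
    """IKE Keep-alive as the page describes it (Firebox-to-Firebox only).
    The page gives no defaults for these values; 30 s and 3 are assumed."""
    interval: float = 30.0
    max_failures: int = 3
    next_send: float = field(init=False, default=0.0)
    failures: int = 0
    awaiting_reply: bool = False

    def __post_init__(self):
        self.next_send = self.interval

    def on_receive(self, now):
        self.failures = 0
        self.awaiting_reply = False

    def on_send(self, now):
        return "forward"                     # outbound traffic plays no role here

    def tick(self, now):
        if now < self.next_send:
            return None
        self.next_send = now + self.interval
        if self.awaiting_reply:              # the previous message went unanswered
            self.failures += 1
            if self.failures >= self.max_failures:
                self.failures = 0
                self.awaiting_reply = False
                return "renegotiate_phase1"
        self.awaiting_reply = True
        return "keepalive"


def simulate(monitor, events, duration, peer_alive):
    """Drive a monitor second by second. `events` maps a second to "rx" (packet
    arrived from the peer) or "tx" (packet queued for the peer). If peer_alive,
    every probe is answered one second later. Returns (second, action) pairs
    other than plain forwarding."""
    actions, reply_at = [], None
    for now in range(duration + 1):
        if reply_at == now:
            monitor.on_receive(now)          # the peer answered our probe
        kind = events.get(now)
        if kind == "rx":
            monitor.on_receive(now)
        taken = [monitor.on_send(now)] if kind == "tx" else []
        taken.append(monitor.tick(now))
        for act in taken:
            if act in (None, "forward"):
                continue
            actions.append((now, act))
            if act in ("query", "keepalive") and peer_alive:
                reply_at = now + 1
    return actions


# Constructed scenario: the peer is last heard from at t=0, then a handful of
# outbound packets are queued. The peer is either alive-but-idle or dead.
TRAFFIC = {0: "rx", 25: "tx", 30: "tx", 35: "tx", 40: "tx", 45: "tx", 50: "tx"}


def run_scenarios():
    return {
        "dpd_alive": simulate(DpdMonitor(), TRAFFIC, 120, peer_alive=True),
        "dpd_dead": simulate(DpdMonitor(), TRAFFIC, 120, peer_alive=False),
        "keepalive_alive": simulate(IkeKeepalive(), TRAFFIC, 120, peer_alive=True),
        "keepalive_dead": simulate(IkeKeepalive(), TRAFFIC, 120, peer_alive=False),
    }


if __name__ == "__main__":
    for name, actions in run_scenarios().items():
        print(f"{name}: {actions}")
```

With a live but idle peer, DPD sends a query only at the two moments a packet is queued after 20 silent seconds, while the keep-alive fires every 30 seconds whether or not anything is waiting to be sent, which is the extra tunnel traffic the page attributes to it. With a dead peer each monitor reaches its own limit on its own schedule, so if both were enabled each would start its own Phase 1 renegotiation, the overlap the page warns against.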
The IKE Keep-alive and Dead Peer Detection settings are part of the Phase 1 settings.
To edit the Phase 1 settings, from Fireware Web UI:
- Select VPN > BOVPN.
- Select the gateway and click Edit.
- Select the Phase 1 Settings tab.
To edit the Phase 1 settings, from Policy Manager:
- Select VPN > Branch Office Gateways.
- Select the gateway and click Edit.
- Select the Phase 1 Settings tab.
The default branch office VPN settings provide the best combination of security and speed. Use the default settings when possible. If the remote endpoint device does not support one of the WatchGuard default settings, configure the Firebox to use the default setting from the remote endpoint. These are the default settings for WSM 11.x:
If a setting does not appear in the VPN settings, you cannot change it.
General Settings | |
---|---|
Mode | Main (Select Aggressive if one of the devices has a dynamic external IP address.) |
NAT Traversal | Yes |
NAT Traversal Keep-alive Interval | 20 seconds |
IKE Keep-alive | Disabled |
IKE Keep-alive Message Interval | None |
IKE Keep-alive Max Failures | None |
Dead Peer Detection (RFC3706) | Enabled |
Dead Peer Detection Traffic Idle Timeout | 20 seconds |
Dead Peer Detection Max Retries | 5 |
PHASE 1 Transform Settings | |
---|---|
Authentication Algorithm | SHA-1 |
Encryption Algorithm | 3DES |
SA Life or Negotiation Expiration (hours) | 8 |
SA Life or Negotiation Expiration (kilobytes) | 0 |
Diffie-Hellman Group | 2 |
PHASE 2 Proposal Settings | |
---|---|
Type | ESP |
Authentication Algorithm | SHA-1 |
Encryption Algorithm | AES (256 bit) |
Force Key Expiration | Enable |
Phase 2 Key Expiration (hours) | 8 |
Phase 2 Key Expiration (kilobytes) | 128000 |
Enable Perfect Forward Secrecy | No |
Diffie-Hellman Group | None |
If no traffic goes through a tunnel for a period of time, a gateway endpoint can decide that the other endpoint is unavailable and so will not renegotiate the VPN tunnel immediately. One way to make sure traffic goes through the tunnel at all times is to configure the Firebox to send log message traffic through the tunnel. You do not need a Log Server to receive and keep records of the traffic. In this case, you can intentionally configure the Firebox to send log message traffic to a log server that does not exist. This creates a consistent but small amount of traffic sent through the tunnel, which can help to keep the tunnel more stable.
There are two types of log data: WatchGuard logging and syslog logging. If the device is configured to send log data to both a WatchGuard Log Server and a syslog server, you cannot use this method to pass traffic through the tunnel.
You must choose a Log Server IP address to send the log data to. To choose the IP address, follow these guidelines:
- The Log Server IP address you specify must be an IP address that is included in the remote tunnel route settings. For more information, see Add Routes for a Tunnel.
- The Log Server IP address should not be an IP address that is assigned to a real device.
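The two guidelines above are easy to get wrong when a tunnel has several routes, so here is a small check to run before typing the address into the Firebox. It is an added example, not WatchGuard code: the tunnel routes and the list of addresses already in use are constructed sample data, the exclusion of a route's network and broadcast addresses goes slightly beyond the page's wording, and the "highest unused host" convention in the suggestion helper is an assumption.

```python
import ipaddress

# Constructed sample data: the remote-side routes of one BOVPN tunnel and the
# addresses on that side that belong to real devices.
REMOTE_TUNNEL_ROUTES = ["10.20.0.0/24", "10.21.0.0/24"]
KNOWN_HOSTS = {"10.20.0.1", "10.20.0.10", "10.21.0.1"}


def check_log_server_address(candidate, remote_routes, known_hosts):
    """Return (ok, reason) for a candidate dummy Log Server / syslog address.

    Rule 1 (page): the address must fall inside a remote tunnel route, or the
            log traffic leaves by the external interface instead of the tunnel.
    Rule 2 (page): the address must not belong to a real device, or that device
            receives a steady stream of unsolicited log traffic.
    The network/broadcast exclusion is an added precaution, not from the page.
    """
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False, "not a valid IP address"
    networks = [ipaddress.ip_network(r, strict=False) for r in remote_routes]
    if not any(ip in net for net in networks):
        return False, "not inside any remote tunnel route"
    if str(ip) in known_hosts:
        return False, "address is assigned to a real device"
    if any(ip in (net.network_address, net.broadcast_address) for net in networks):
        return False, "network or broadcast address of a route"
    return True, "ok"


def suggest_log_server_address(remote_routes, known_hosts):
    """Assumed convention: pick the highest unused host address in the first
    remote route that has one, so it is unlikely to collide with DHCP leases."""
    for route in remote_routes:
        net = ipaddress.ip_network(route, strict=False)
        for host in reversed(list(net.hosts())):
            if str(host) not in known_hosts:
                return str(host)
    return None


if __name__ == "__main__":
    for addr in ["10.20.0.250", "10.30.0.5", "10.20.0.1", "10.20.0.255"]:
        print(addr, check_log_server_address(addr, REMOTE_TUNNEL_ROUTES, KNOWN_HOSTS))
    print("suggested:", suggest_log_server_address(REMOTE_TUNNEL_ROUTES, KNOWN_HOSTS))
```

Run it with the actual tunnel routes from the gateway's tunnel configuration and whatever inventory of in-use addresses is available for the remote site; an address that passes both rules can then be entered as the Log Server or syslog address in the procedures that follow.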
The two types of logging generate different amounts of traffic.
WatchGuard Logging
No log data is sent until the Firebox has connected to a Log Server. The only types of traffic sent through the tunnel are attempts to connect to a Log Server that are sent every three minutes. This can be enough traffic to help tunnel stability with the least impact on other BOVPN traffic.
Syslog Logging
Log data is immediately sent to the syslog server IP address. The volume of log data depends on the traffic that the device handles. Syslog logging usually generates enough traffic that packets always pass through the tunnel. The volume of traffic can occasionally make regular BOVPN traffic slower, but this is not common.
To improve stability and have the least impact on BOVPN traffic, try the WatchGuard Logging option first. If this does not improve the stability of the BOVPN tunnel, try syslog logging. The procedures in this topic assume that both endpoint devices are WatchGuard devices, and that neither endpoint is configured to send log data to either a WatchGuard Log Server or a syslog server. If an endpoint is already configured to send log data that a server collects, do not change those logging settings.
Different options you can try include:
- Configure one endpoint to send WatchGuard log traffic through the tunnel.
- Configure the other endpoint to send WatchGuard log traffic through the tunnel.
- Configure both endpoints to send WatchGuard log traffic through the tunnel.
- Configure one endpoint to send syslog log traffic through the tunnel.
- Configure only the other endpoint to send syslog log traffic through the tunnel.
- Configure both endpoints to send syslog log traffic through the tunnel.
To configure your Firebox to send log data to a WatchGuard Log Server through the tunnel, from Fireware Web UI:
- Select System > Logging.
The Logging page appears.
- Select the Send log messages to these Dimension or WSM Log Servers check box.
- On the Log Servers 1 tab, click Add.
The Add WatchGuard Log Server dialog box appears.
- In the Log Server Address text box, type the IP address or fully qualified domain name (FQDN) of the Log Server.
DNS must be enabled to use an FQDN for the address.
- In the Authentication Key and Confirm text boxes, type the authentication key for your instance of Dimension or WSM Log Server.
Tip! The allowed range for the logging Authentication Key is 8–32 characters. You can use all characters except spaces and slashes (/ or \).
- Click OK.
The server IP address appears in the Log Servers 1 list.
- Click Save.
To configure your Firebox to send syslog data through the tunnel, from Fireware Web UI:
- Select Setup > Logging.
The Logging Setup dialog box appears with the WatchGuard Log Server tab selected.
- Select the Syslog Server tab.
- Select the Send log messages to the syslog server at this IP address check box.
- In the IP Address text box, type the IP address of the syslog server.
- In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
- From the Log Format drop-down list, select Syslog or IBM LEEF.
The details available to include in the log messages depend on the log format you select.
- To include the date and time that the event occurs on your Firebox in the log message details, select the The time stamp check box.
- To include the serial number of the Firebox in the log message details, select the The serial number of the device check box.
- In the Syslog Settings section, for each type of log message, select a syslog facility from the drop-down list.
If you select the IBM LEEF log format, you must select the The syslog header check box before you can select the syslog facility for the log message types.
  - For high-priority syslog messages, such as alarms, select Local0.
  - To assign priorities for other types of log messages (lower numbers have greater priority), select Local1–Local7.
  - To not send details for a message type, select NONE.
- Click Save.
To configure your Firebox to send log data to a WatchGuard Log Server through the tunnel, from Policy Manager:
- Select Setup > Logging.
The Logging Setup dialog box appears.
- Select the Send log messages to these Dimension or WSM Log Servers check box.
- Click Configure.
The Configure Log Servers dialog box appears with the Log Servers 1 tab selected.
- On the Log Servers 1 tab, click Add.
The Add Event Processor dialog box appears.
- In the Log Server Address text box, type the IP address or fully qualified domain name (FQDN) of the Log Server.
DNS must be enabled to use an FQDN for the address.
- In the Authentication Key and Confirm Key text boxes, type the authentication key for your instance of Dimension or WSM Log Server.
Tip! The allowed range for the logging Authentication Key is 8–32 characters. You can use all characters except spaces and slashes (/ or \).
- Click OK.
The Add Event Processor dialog box closes and the server IP address appears in the Log Servers 1 list.
To configure your Firebox to send syslog data through the tunnel, from Policy Manager:
- Select Setup > Logging.
The Logging Setup dialog box appears.
- Select the Send log messages to this syslog server check box.
- In the IP address text box, type the IP address of the syslog server.
- To change the port for the server, in the Port text box, type or select the new port number.
The default port is 514.
- From the Log format drop-down list, select Syslog.
- Click Configure.
The Configure Syslog dialog box appears. The options included in the dialog box depend on the log format you selected.
- To include the time stamp information from your Firebox in the log message details, select the The time stamp check box.
- To include the serial number of the Firebox in the log message details, select the The serial number of the device check box.
- For each type of log message, select a syslog facility:
  - For high-priority syslog messages, such as alarms, select Local0.
  - To assign priorities for other types of log messages (lower numbers have greater priority), select Local1–Local7.
  - To not send details for a log message type, select NONE.
- Click OK to close the Configure Syslog dialog box.
- Click OK to close the Logging Setup dialog box.
- Save the Configuration File.