Hopefully, this question is not super-basic, and I apologise in advance if it is. I’ve worked with Fortinet and other devices in the past, so I think there is something particular about WatchGuard that I’ve simply not grasped here.
We have a site-to-site VPN between an on-site WatchGuard M270 and Microsoft Azure. Sometimes traffic works, sometimes not. At first, I thought the VPN was flapping, but running diagnostics in the WatchGuard WebUI shows a firewall/policy issue.
[Conclusion]
Tunnel Name: Azure.tunnel
tunnel route#1(192.168.100.0/24<->10.48.0.0/21) - Established
The outgoing traffic for tunnel route (192.168.100.0/24<->10.48.0.0/21) is denied by firewall policy (No route).
Recommendation: Check your firewall policy configuration.
The incoming traffic for tunnel route (10.48.0.0/21<->192.168.100.0/24) is denied by firewall policy (No route).
Recommendation: Check your firewall policy configuration.
However, while I understand what the message says, I’m not clear on what to actually do about it. I thought the branch office VPN gateway and tunnel would be sufficient for the unit to manage routing.
We do have firewall policies (which I assume were auto-generated) for BOVPN in and out, which includes this tunnel.
I don’t find any firewall policies that are blocking this traffic.
I’m not sure what “no route” is telling me here, or whether I need to add something under Network/Routes in the WebUI beyond what the WatchGuard already knows from the tunnel, which has a bidirectional range for both ends (which you can see in the ‘conclusion’ above anyway).
Is anyone able to help point me in the right direction? I’m obviously missing something but not sure what.
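As an added illustration of what the diagnostic above is complaining about (this is not WatchGuard code and not part of the original thread), the script below parses the quoted [Conclusion] output, pulls out each tunnel route pair, and does a longest-prefix lookup of the remote subnet against a constructed routing table. It assumes a remote subnet only counts as reachable when its most specific route points at the BOVPN virtual interface (here a made-up name, Azure.vif); a hit on the default route alone is reported as “no route”.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the BOVPN diagnostic output quoted in the question.
REPORT = """\
Tunnel Name: Azure.tunnel
tunnel route#1(192.168.100.0/24<->10.48.0.0/21) - Established
The outgoing traffic for tunnel route (192.168.100.0/24<->10.48.0.0/21) is denied by firewall policy (No route).
The incoming traffic for tunnel route (10.48.0.0/21<->192.168.100.0/24) is denied by firewall policy (No route).
"""

# Matches only the "tunnel route#N(local<->remote)" status lines, not the denial lines.
ROUTE_RE = re.compile(r"tunnel route#\d+\((\S+?)<->(\S+?)\)")

Net = ipaddress.IPv4Network
RouteTable = Iterable[Tuple[str, str]]  # (prefix, egress interface), constructed


def parse_tunnel_routes(report: str) -> List[Tuple[Net, Net]]:
    """Extract (local, remote) subnet pairs from the diagnostic report."""
    return [(ipaddress.ip_network(a), ipaddress.ip_network(b))
            for a, b in ROUTE_RE.findall(report)]


def best_route(dest: Net, table: RouteTable) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match: the most specific entry containing dest, or None."""
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.version != dest.version or not dest.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def check_tunnel_routes(report: str, table: RouteTable, vpn_iface: str) -> Dict[str, str]:
    """Report, per tunnel remote subnet, whether the route table sends it into the VPN.

    Assumption (not from the thread): a /0 default route does not make a tunnel
    subnet reachable, so it is reported as "no route" just like a missing entry.
    """
    result: Dict[str, str] = {}
    for _local, remote in parse_tunnel_routes(report):
        hit = best_route(remote, table)
        if hit is None or hit[0].prefixlen == 0:
            result[str(remote)] = "no route"
        elif hit[1] != vpn_iface:
            result[str(remote)] = f"routed via {hit[1]}, not {vpn_iface}"
        else:
            result[str(remote)] = "ok"
    return result
```

Running check_tunnel_routes against a table that has only a default route and the LAN prefix reproduces the “no route” verdict for 10.48.0.0/21; adding a 10.48.0.0/21 entry on the VPN interface clears it.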
Assuming you’re using a BOVPN Virtual Interface, under it > VPN Routes, have you entered a LAN IP under the Interface section (below VPN Routes for the LAN ranges)? This is what allows the Firebox to use the interface for itself.
Usually a policy is auto-generated to allow traffic between these two subnets whenever you create the gateway and tunnel for the BOVPN. Can you check your firewall policies and look for the two named “BOVPN-Allow in” and “BOVPN allow out”?
Thanks for replying; yes - both are there, and enabled, and they include the tunnel. So this is why I am perplexed by the message saying “blocked by firewall policy” and am unclear what to make of “no route”.