Having problems with a VPN (SITE-TO-SITE MAIN MODE) between a WatchGuard and a SonicWall. The VPNs worked for years until last week when they suddenly stopped. Taking a look this morning, I was able to drill down and find that the WatchGuard is rejecting the IKE requests because it cannot match the IP with a policy.
Screenshot of syslog
I am working on getting with the distant-end admin to find out the PSK so I can rebuild the profiles completely, but I am just wondering if anyone has ever had similar troubles and/or advice. Thanks in advance for any suggestions, especially if anyone knows how to get more detailed error information out of the WatchGuard. Again, yes, these IP addresses are defined in policies and should be recognized, but again, are not! And yes, we are trying to sell them on a different appliance.
Caveats: I have verified my interface settings; all is seemingly copacetic. I also added a test VPN to my SonicWall here at my office just to see if I would get the same policy mismatch errors, and it works just fine. It just seems to be the VPN profiles that were previously configured as of this morning that are not matching up with the IKE messages.
First, install and connect with WSM. It’s free to download from Watchguard.com once logged in. The WebUI is absolutely terrible. You will need to use the status password when first connecting. If you don’t know this password you can reset it via System > Passphrase in the WebUI.
Now that you are connected with WSM open Policy Manager and select Setup > Logging > Diagnostic Log Level. Expand “VPN” and crank “IKE” up to “Information”. Save this back (File > Save > To Firebox with the Admin pass)
Back in the main WSM connection window, right-click your box and choose Firebox System Manager, then load the Traffic Monitor tab. Filter for “IKE” and have the remote side send a constant ping to your side (the goal being you responding to their initiation attempts to gather the best logs).
The logs should tell you exactly what they’re sending. Make sure your settings match.
The screenshot you provided shows a log message for failing to find a Phase 1 policy for two different peers (64.245.64.162 and 174.77.83.54). Are both of these coming from the SonicWall? Are either of them defined in your BOVPN Gateway configuration (VPN > Branch Office Gateway in Policy Manager)?
Hello,
Next time you run into a VPN issue, WatchGuard added a nifty VPN troubleshooting tool. Your firewall needs to be running firmware 11.6 or higher to have this tool. What you would do is:
- Connect to the firewall using WSM.
- Right click it and select Firebox System Manager
- Go to the Traffic Monitor tab
- Right click anywhere in the logs, and select Diagnostic Tasks
- Go to the VPN tab
- Select the appropriate VPN, and click GO.
This will collect relevant logs, statistics, and information that helps determine what the issue is! Every time a client has a VPN issue, this is what I do on both firewalls if both are WGs so I can quickly compare the tunnels.
Hope it helps!
It seems as though rebuilding the profiles is working. It has worked for 2 so far. Dear God, WatchGuard’s UI sucks.
Thanks for the info! I did manage to find the syslog informational level; that’s how I was able to get it to tell me it wasn’t matching the profiles. Initially it was only giving the nondescript IKE Failure. I managed to get all of the VPNs working after I simply rebuilt them. I know it was a problem with buggy firmware because it would not let me delete certain tunnel groups because they were “in use”. I made do and worked around it and recreated them nonetheless, and they came back instantly. It was just a weird run-in with the Firebox XTM software, I suppose. Again, thank you for the tips; I’ll make sure to try the Traffic Monitor tab.
This is a big help, thank you for this information! That’s the kind of inside info that I was hoping to find! Thanks again.
Are you using the web interface?
Just curious, what type of firewall do you have? You could be running into this bug if you are not on the latest version:
BUG69090: VPN tunnel fails and stops passing traffic - xfrm_dst_cache value exceeded in slab info
EDIT: I mean what Model + Version!
Yeah, the client who owns the WatchGuard did not have the LiveSecurity credentials available, so I had to make do with the WebUI. Typically I use the WSM software, which to be honest I’m not a huge fan of either, but that’s because I’m so used to SonicWall. I’ve been getting to play with ASDM and WSM as well, though, and can operate effectively in them, but I’m still getting used to where stuff is in the menus. I like ASDM the most so far.
You shouldn’t need credentials for system manager? Unless you mean to download it?
I’m not a fan of the web UI, but I’ve been working with WatchGuards since the Firebox III, so I’m used to WSM. In fact, I really like it; maybe I’m a glutton for punishment.
It’s not a terrible piece of management software, for sure. It’s just different.
And yeah I didn’t have the creds to login to download it, and since this is my only client with watchguards, I don’t have a standby copy of the install. I will get one though just in case.
ISTR you can download the software just by registering on the site… I might be wrong though
The difficulty with WG is that the management software should match the version of Fireware/XTM. If it doesn’t match, you’ll have limited success depending on how many versions out it is and which way.