https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-tunnel-with-watchguard-firewalls-as-peers/m-p/43819#M32169 <HTML><HEAD></HEAD><BODY><P>If the PA firewall is the responder, take a look at your ikemgr.log file. You can use this command to navigate using standard linux 'less' navigation:</P><P>&gt; less mp-log ikemgr.log</P><P></P><P>Find the time of the most recent failure and see what the reason for the failure is, the log should give you pretty good details.</P><P></P><P>If the PA firewall is the initiator, you'll need to look at the logs on the Watchguard. It sounds like you're establishing correctly, but a re-key is likely failing. The log is your best bet for seeing the issue.</P><P>Does it re-establish by itself? How about if you use the test command:</P><P>&gt; test vpn ipsec-sa tunnel &lt;tunnel-name&gt;</P><P></P><P>You may also try enabling tunnel monitoring on the PA firewall in the IPSec config (Network &gt; IPSec Tunnels &gt; (tunnel name) &gt; General tab &gt; Advanced &gt; Tunnel Monitor. Configure an address on the other side of the tunnel.</P><P></P><P>Good luck!</P><P>Greg </P></BODY></HTML> Fri, 07 Dec 2012 23:56:20 GMT gwesson 2012-12-07T23:56:20Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-tunnel-with-watchguard-firewalls-as-peers/m-p/43818#M32168 <HTML><HEAD></HEAD><BODY><P><BR />I have a problem with the PAN keeping a tunnel connected to Watchguard firewalls.</P><P></P><P>Phase1</P><P>Main Mode</P><P>IKE Crypto: MD5-3DES-GP1</P><P>Lifetime: 8 Hours</P><P></P><P>DPD 5-5</P><P></P><P>Phase2</P><P>IPSec Crypto: MD5-3DES-NoPFS</P><P>Lifetime 8 Hours</P><P>LifeSize 128 MB</P><P></P><P>Proxy: Local 10.0.0.0/8&nbsp;&nbsp;&nbsp;&nbsp; Remote: 192.168.4.0/24</P><P></P><P>I have tried just about every type of Authentication and Encryption possible but still cant get a stable tunnel. They will work for a day or 2 and then fail. I have to delete and rebuild the tunnels on the Watchguards to bring the connection back up.</P><P>I have not tried to play with the lifetime or size settings yet. I also have not tried Agressive mode yet. Anyone out there been able to make a stable tunnel with a Watchguard Firewall?</P></BODY></HTML> Fri, 07 Dec 2012 22:20:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-tunnel-with-watchguard-firewalls-as-peers/m-p/43818#M32168 nationalhme 2012-12-07T22:20:39Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-tunnel-with-watchguard-firewalls-as-peers/m-p/43819#M32169 <HTML><HEAD></HEAD><BODY><P>If the PA firewall is the responder, take a look at your ikemgr.log file. You can use this command to navigate using standard linux 'less' navigation:</P><P>&gt; less mp-log ikemgr.log</P><P></P><P>Find the time of the most recent failure and see what the reason for the failure is, the log should give you pretty good details.</P><P></P><P>If the PA firewall is the initiator, you'll need to look at the logs on the Watchguard. It sounds like you're establishing correctly, but a re-key is likely failing. The log is your best bet for seeing the issue.</P><P>Does it re-establish by itself? How about if you use the test command:</P><P>&gt; test vpn ipsec-sa tunnel &lt;tunnel-name&gt;</P><P></P><P>You may also try enabling tunnel monitoring on the PA firewall in the IPSec config (Network &gt; IPSec Tunnels &gt; (tunnel name) &gt; General tab &gt; Advanced &gt; Tunnel Monitor. Configure an address on the other side of the tunnel.</P><P></P><P>Good luck!</P><P>Greg </P></BODY></HTML> Fri, 07 Dec 2012 23:56:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-tunnel-with-watchguard-firewalls-as-peers/m-p/43819#M32169 gwesson 2012-12-07T23:56:20Z