Beginner

RV042 Site to Site VPN with Watchguard XTM510 One way traffic

Hello,

I have two site to site VPN tunnels between a RV042 (which is behind another router, so NAT'd) and two different Watchguard XTM510s (public internet facing).  This connection was working up until a month ago, when for some reason it crashed and now it will not come back up completely.  For both tunnels, traffic only seems to be flowing one way.

It appears as though the devices complete both phase 1 and phase 2 negotiations, the tunnels come up almost instantly, they just don't transfer traffic.

Phase 1 settings on all:

Aggressive mode IKE

Encryption: AES128

Authentication: SHA1

DH Group 1

Lifetime: 28800s (RV042) / 8 hours (XTMs)

Phase 2 settings

NO PFS

Encryption: AES128

Auth: SHA1

DH Group 1

Lifetime: 28800s / 8 hours, no traffic expiration

I have NAT traversal and DPD turned on.  Both sides show the tunnel as active, the correct routes show up in the routing tables, but I can't ping across it and the data counters on the Watchguard devices show traffic going one way only.  The logs on all devices show the DPD packets being sent and received, so I know that the devices can talk, it's just that last little bit that isn't working.

I've tried completely recreating the tunnels, power cycling everything, different encryption schemes, different keys, and different options, but I cannot get these tunnels to work.  If I could just get one tunnel to work I can route traffic where it needs to go (there is a tunnel between the Watchguards that is functioning perfectly).  Does anyone have any ideas?
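The first thing to rule out with a tunnel that negotiates but passes traffic one way is a proposal mismatch that only shows up after normalization, since the two vendors display the same values differently ("28800s" versus "8 hours", "AES128" versus "AES-128"). The following checker is an added example, not code from the thread or from either vendor; the dictionary layout and key names are assumptions chosen for this illustration, and the sample values are the Phase 1 and Phase 2 settings listed above.

```python
import re

# Unit factors for lifetimes written the way the two vendors display them
# ("28800s" on the RV042, "8 hours" on the XTM).
_UNIT_SECONDS = {
    "": 1, "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
}


def lifetime_seconds(value):
    """Normalize an SA lifetime such as '28800s', '8 hours' or 28800 to seconds."""
    m = re.match(r"^\s*(\d+)\s*([a-z]*)\s*$", str(value).lower())
    if not m or m.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def _algo(name):
    """'AES-128', 'aes128' and 'AES 128' name the same proposal entry."""
    return re.sub(r"[\s_-]", "", str(name)).lower()


def _group(value):
    """Accept 'DH Group 1', 'Group1', '1' or 1 and return the integer group number."""
    m = re.search(r"(\d+)", str(value))
    if not m:
        raise ValueError(f"unparseable DH group: {value!r}")
    return int(m.group(1))


def _pfs_enabled(value):
    """PFS can be given as a bool or as vendor text such as 'NO PFS'."""
    if value is None or value is False:
        return False
    if value is True:
        return True
    return str(value).strip().lower() not in ("", "no", "none", "off", "no pfs", "disabled")


def normalize_phase(phase, phase2=False):
    """Reduce a vendor-specific phase description (assumed key names) to comparable values."""
    out = {
        "encryption": _algo(phase["encryption"]),
        "auth": _algo(phase["auth"]),
        "lifetime": lifetime_seconds(phase["lifetime"]),
    }
    if phase2:
        # With PFS off the Phase 2 DH group is never negotiated, so it cannot mismatch.
        out["pfs_group"] = _group(phase["dh_group"]) if _pfs_enabled(phase.get("pfs")) else None
    else:
        out["mode"] = str(phase.get("mode", "main")).strip().lower()
        out["dh_group"] = _group(phase["dh_group"])
    return out


def compare_phase(local, remote, phase2=False):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    a, b = normalize_phase(local, phase2), normalize_phase(remote, phase2)
    return [f"{key}: local={a[key]!r} remote={b[key]!r}" for key in a if a[key] != b[key]]


# Sample input: the settings from the post, written the way each device shows them.
RV042_P1 = {"mode": "Aggressive", "encryption": "AES128", "auth": "SHA1",
            "dh_group": "DH Group 1", "lifetime": "28800s"}
XTM_P1 = {"mode": "aggressive", "encryption": "AES-128", "auth": "SHA-1",
          "dh_group": 1, "lifetime": "8 hours"}
RV042_P2 = {"pfs": "NO PFS", "encryption": "AES128", "auth": "SHA1",
            "dh_group": "DH Group 1", "lifetime": "28800s"}
XTM_P2 = {"pfs": False, "encryption": "AES-128", "auth": "SHA-1",
          "dh_group": 1, "lifetime": "8 hours"}

if __name__ == "__main__":
    print("phase 1:", compare_phase(RV042_P1, XTM_P1) or "match")
    print("phase 2:", compare_phase(RV042_P2, XTM_P2, phase2=True) or "match")
```

For the settings in the post both phases come back as a match, which is consistent with the tunnels negotiating; the checker becomes useful when one side is later changed (a different DH group, or PFS enabled on only one peer), because it reports the exact field rather than leaving the reader to compare two differently formatted status pages.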

4 REPLIES
Beginner

RV042 Site to Site VPN with Watchguard XTM510 One way traffic

Hello Ben,

It seems that we have the same problems with the RV042 Router (side A). The RV042 is also behind another Router and NAT-T is enabled. Instead of the Watchguard I use an ASA 5505 (side B) as the remote peer. But this should not be a problem. There are other VPN Site-to-Site tunnels which work correctly.

On both sides the VPN Tunnel is established. As I tried to ping a host from side A to side B the ASA logs the incoming ICMP request and outgoing ICMP reply but it never reaches the client host on side A.

In the syslog of the RV042 Router I can see, every time an ICMP packet should be received, something like this:

packet from XX.XX.XX.XX:500: sending notification INVALID_MAJOR_VERSION to XX.XX.XX.XX:500 

Nov 15 08:31:47 2012 VPN Log packet from XX.XX.XX.XX:500: ISAKMP version of ISAKMP Message has an unknown value: 115 

Nov 15 08:31:47 2012 VPN Log packet from XX.XX.XX.XX:500: ISAKMP version of ISAKMP Message has an unknown value: 115

But I don't know if this is really the reason it doesn't work.

Do you have a similar error on RV042?

Best regards

Stefan
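The log lines quoted above are the most concrete evidence in the thread, and they are worth triaging per peer rather than reading one at a time: a burst of "unknown value" / INVALID_MAJOR_VERSION messages means packets arriving on the IKE port that the RV042 refused to treat as ISAKMP. The parser below is an added example, not code from the thread or from Cisco; the line format is inferred from the three lines quoted in the reply, the timestamped line with 203.0.113.7 is constructed, and the nibble split assumes the reported number is the raw one-octet ISAKMP version field (major in the high nibble, minor in the low nibble, as the ISAKMP header lays it out).

```python
import re
from collections import Counter, defaultdict

# RV042 "VPN Log" lines as quoted in the reply: an optional syslog timestamp,
# the "VPN Log" tag, then a pluto-style "packet from <peer>:<port>: <message>".
LOG_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) VPN Log )?"
    r"packet from (?P<peer>[^:\s]+):(?P<port>\d+): (?P<msg>.*)$"
)

# Substrings that mark a packet on the IKE port that was not accepted as IKE.
VERSION_ERROR_MARKERS = (
    "INVALID_MAJOR_VERSION",
    "ISAKMP version of ISAKMP Message has an unknown value",
)
UNKNOWN_VALUE_RE = re.compile(r"unknown value: (\d+)")


def split_version_octet(value):
    """Split a one-octet ISAKMP version field into (major, minor) nibbles (assumption: raw octet)."""
    return (value >> 4) & 0xF, value & 0xF


def classify(msg):
    """Bucket a message by whether it is one of the version errors seen in the thread."""
    if any(marker in msg for marker in VERSION_ERROR_MARKERS):
        return "isakmp_version_error"
    return "other"


def parse_line(line):
    """Parse one log line; return None for lines that are not 'packet from' records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["category"] = classify(rec["msg"])
    v = UNKNOWN_VALUE_RE.search(rec["msg"])
    rec["unknown_value"] = int(v.group(1)) if v else None
    return rec


def triage(lines):
    """Count categories per peer and collect the unknown version values each peer produced."""
    per_peer = defaultdict(Counter)
    unknown_versions = set()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        per_peer[rec["peer"]][rec["category"]] += 1
        if rec["unknown_value"] is not None:
            unknown_versions.add((rec["peer"], rec["unknown_value"]))
    suspect_peers = sorted(p for p, c in per_peer.items() if c["isakmp_version_error"])
    return {
        "parsed": parsed,
        "per_peer": dict(per_peer),
        "unknown_versions": unknown_versions,
        "suspect_peers": suspect_peers,
    }


# Sample input: the three lines quoted in the reply (peer masked as XX.XX.XX.XX there),
# plus one constructed ordinary line from a different peer and one non-packet line.
SAMPLE_LINES = [
    "packet from XX.XX.XX.XX:500: sending notification INVALID_MAJOR_VERSION to XX.XX.XX.XX:500",
    "Nov 15 08:31:47 2012 VPN Log packet from XX.XX.XX.XX:500: ISAKMP version of ISAKMP Message has an unknown value: 115",
    "Nov 15 08:31:47 2012 VPN Log packet from XX.XX.XX.XX:500: ISAKMP version of ISAKMP Message has an unknown value: 115",
    "Nov 15 08:31:50 2012 VPN Log packet from 203.0.113.7:500: received Vendor ID payload [Dead Peer Detection]",  # constructed
    "Nov 15 08:31:51 2012 VPN Log initiating Aggressive Mode",  # constructed, not a packet record
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for peer, counts in result["per_peer"].items():
        print(peer, dict(counts))
    for peer, value in sorted(result["unknown_versions"]):
        print(f"{peer}: version octet {value} -> major/minor {split_version_octet(value)}")
```

Running it over the quoted lines attributes all three version errors to the one masked peer and shows the reported value 115 as 0x73, i.e. a major version of 7, which no IKE version uses. That does not by itself say where the packets come from, but it tells a defender which peer address and port to capture on next, and the per-peer counters separate a persistent problem from a one-off stray packet.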

Beginner

RV042 Site to Site VPN with Watchguard XTM510 One way traffic

Hey Stefan,

We don't see any log messages like that, all we see on the RV042 are successful DPD messages and successful negotiations.  On the Watchguards, we see the same success messages as well as ping traffic outbound to the RV042, but nothing incoming.

Last night, one of the tunnels began working again (randomly).  I'm not sure how long it will stick around, I started an infinite ping just to make sure there is some traffic going over the link to try and keep it up (although DPD should help with that anyways).

Thanks for the response!

Beginner

Sorry for the revive, but

Sorry for the revive, but wondering if any of you have found a solution?


I have a RV042G router trying to set up a VPN with a Watchguard device on the other side, directly connected.  Both sites are directly connected with fiber, just across a street.


Cannot get them to make the tunnel.

Beginner

RV042 Site to Site VPN with Watchguard XTM510 One way traffic

Stefan,

I know this is a very old thread,

but did you ever find the resolution to your problem?

I too have an ASA and an RV042 that is giving 'INVALID_MAJOR_VERSION' errors and will only pass one way traffic.

Anything you can advise?