The ranting of an IT Professional

Nov 30 2009   4:09PM GMT

Incompatibility on Site to site VPN tunnels between Watchguards and Cisco ASA’s

Jason Tramer

I have been working with a client with multiple sites, and up until recently they have been using Watchguards at all sites. Recently we have been switching out some of the Watchguards for Cisco ASAs, but there have been a ton of site-to-site VPN issues. For example, a tunnel goes down, so you re-key it, and it doesn't come back up, but if you recreate the tunnel on the Watchguard side with the exact same settings, everything works fine. What is the point of having a standard if companies aren't following it? Yeesh.

2  Comments on this Post

  • Dmeister
    Hey Jason, did you ever find a solution to this issue? I came across your blog post while troubleshooting a similar issue. I've got a VPN between an ASA and a Watchguard and the tunnel will only build from the Watchguard side. Thanks!
  • lalbdl
    Same thing here! Fortunately, the Watchguard always initiates traffic. The tunnel still goes down randomly. I found this document on Watchguard.
    There's a note in the VPN configuration summary that acknowledges difficulty with VPNs to ASA and says that you want to set the ASA timeout value in the Cisco ASA VPN configuration to a lower value than the default timeout on the Watchguard. In our case the timeouts were the same; I had the guy with the Watchguard change his timeout to larger than my Cisco ASA, as I have over 100 VPN tunnels with other peer devices and only the Watchguard is this much of a headache. I did configure the tunnel on the ASA side to never idle time out. Both those settings have reduced issues; however, the tunnel still goes down when the remote end has ISP problems and does not come back up unless the Watchguard guy deletes and rebuilds the tunnel on his end.
