
Watchguard BOVPN VIF & Link Monitor Software Bug


The Problem

When Watchguard's BOVPN (Branch Office VPN) VIF (virtual interface) style tunnels are used between Watchguard firewalls that each have multiple ISPs, all VPN tunnels on a device can be halted, which stops packets from passing through any of the tunnels.

The Details

After updating a number of Watchguard devices from 12.6.1, an operational issue arose with Watchguard's VIF VPN tunnels when two Watchguard endpoints establish multiple gateways for a single tunnel in order to use multiple ISPs. In this particular case, while the tunnel is functioning on Gateway #1, for example, any type of network interruption on the secondary gateway's ISP halts ALL VIF VPN tunnels on the device. The bug appears to exist somewhere between Link Monitor and the BOVPN process.

In order to return the tunnels to an operational state, I have found that all of the tunnels on the device must be re-keyed, or the device simply rebooted (if the device has multiple tunnels to other devices as well, be sure to re-key all tunnels). If the device is unreachable because the tunnel is inoperable, try re-keying the tunnel from the opposite-side device, as I've actually witnessed the device with the issue come alive from an opposite-side re-key command.

The Specifications

  • Both endpoints are Watchguard devices running Watchguard OS 12.6.2-12.6.4

The Fix

It seems that there are no direct fixes for the issue. We're really left with two options: wait for the update that includes the resolution, or revert the Watchguard OS back to 12.6.1. Unfortunately, reverting returns the device to a factory reset configuration, so the configuration file will need to be restored to the device, which may not be the best route of action if you do not have physical access to it. If this issue continues to cause havoc, I am considering cutting the gateways down to a single gateway while leaving both ISPs active for each device.

If you desire to take the route of reverting the OS, go to https://software.watchguard.com/

UPDATE: This bug has been resolved with a CSR on 2/22/2021 and will be released GA in 12.6.7.

If you found this post helpful, please consider buying a total stranger a cup of coffee the next time you are at the cafe.  Maybe even wish them a good day!
