
MUVPN connection drops every 12 minutes

Status
Not open for further replies.

billdubs

MIS
Dec 7, 2007
7
US
I just took a job at a new company and recently set up MUVPN access on our Firebox X500. However, when using the WatchGuard MUVPN client on a remote PC it only stays connected for 12 minutes (11 minutes and 58 seconds to be exact). While connected, I'm able to access all of the necessary resources. Here is the log file from the MUVPN client:

12/5/2007 1:44:08 PM RWSGA using OperatingSystem - 5
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Firewall recognized adapter - NCP VPN Adapter
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Installed as a test license - 5.
12/5/2007 1:44:08 PM License for Oem Version - 0
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Found adapter: Broadcom NetXtreme 57xx Gigabit Controller with MTU 1500 bytes
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Firewall recognized adapter - Broadcom NetXtreme 57xx Gigabit Controller
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Found adapter: NDISWAN with MTU 1400 bytes
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Firewall recognized adapter - NDISWAN
12/5/2007 1:44:08 PM Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
12/5/2007 1:44:08 PM Testversion abgelaufen
12/5/2007 1:44:08 PM WatchGuard Mobile VPN V10.00 Build 101
12/5/2007 1:44:08 PM Installed as a full license.
12/5/2007 1:44:08 PM License for Oem Version - 12
12/5/2007 1:44:09 PM Monitor : Installed - WatchGuard Mobile VPN 1000 Build 101 (902)
12/5/2007 1:44:09 PM Monitor : Licensed - WatchGuard Mobile VPN 1000
12/5/2007 1:45:18 PM Protecting RAS adapter - 0
12/5/2007 2:51:45 PM LinkStatus Change - 100,NDISWAN
12/5/2007 2:51:45 PM Firewall recognized adapter - NDISWAN
12/5/2007 2:53:39 PM IPSDIALCHAN::start building connection
12/5/2007 2:53:39 PM NCPIKE-phase1:name(bdubs) - outgoing connect request - aggressive mode.
12/5/2007 2:53:39 PM XMIT_MSG1_AGGRESSIVE - bdubs
12/5/2007 2:53:40 PM RECV_MSG2_AGGRESSIVE - bdubs
12/5/2007 2:53:40 PM IKE phase I: Setting LifeTime to 0 seconds
12/5/2007 2:53:40 PM XMIT_MSG3_AGGRESSIVE - bdubs
12/5/2007 2:53:40 PM NCPIKE-phase1:name(bdubs) - connected
12/5/2007 2:53:40 PM IPSDIAL->FINAL_TUNNEL_ENDPOINT:072.017.147.178
12/5/2007 2:53:40 PM Phase1 is Ready: IkeIndex = 00000001
12/5/2007 2:53:40 PM Quick Mode is Ready: IkeIndex = 00000001 , VpnSrcPort = 500
12/5/2007 2:53:40 PM Assigned IP Address: 4.247.176.59
12/5/2007 2:53:42 PM RECV_IKECFG_SET - bdubs
12/5/2007 2:53:42 PM XMIT_IKECFG_ACK - bdubs
12/5/2007 2:53:42 PM NCPIKE-xauth:name(bdubs) - IkeCfg: enter state open
12/5/2007 2:53:42 PM Quick Mode is Ready: IkeIndex = 00000001 , VpnSrcPort = 500
12/5/2007 2:53:42 PM Assigned IP Address: 10.0.0.84
12/5/2007 2:53:42 PM DNS Server: 10.0.0.25
12/5/2007 2:53:42 PM DNS Server: 10.0.0.10
12/5/2007 2:53:42 PM WINS Server: 10.0.0.25
12/5/2007 2:53:42 PM WINS Server: 10.0.0.10
12/5/2007 2:53:42 PM XMIT_MSG1_QUICK - bdubs
12/5/2007 2:53:42 PM XMIT_MSG1_QUICK - bdubs
12/5/2007 2:53:42 PM RECV_MSG2_QUICK - bdubs
12/5/2007 2:53:42 PM XMIT_MSG3_QUICK - bdubs
12/5/2007 2:53:42 PM NCPIKE-phase2:name(bdubs) - connected
12/5/2007 2:53:42 PM RECV_MSG2_QUICK - bdubs
12/5/2007 2:53:42 PM XMIT_MSG3_QUICK - bdubs
12/5/2007 2:53:42 PM NCPIKE-phase2:name(bdubs) - connected
12/5/2007 2:53:42 PM IPSDIAL - connected to bdubs on channel 1.
12/5/2007 2:53:42 PM IPCP - connected to bdubs with IP Address: 010.000.000.084. : 010.000.000.085.
12/5/2007 3:05:41 PM NCPIKE-phase1:name(bdubs) - error - WATCHGUARD_LICENSING TIMEOUT ERROR
12/5/2007 3:05:41 PM IPSDIAL - disconnected from bdubs on channel 1.

This is my 1st experience with a Watchguard device so any help is greatly appreciated.
 
12/5/2007 3:05:41 PM NCPIKE-phase1:name(bdubs) - error - WATCHGUARD_LICENSING TIMEOUT ERROR

what is your licensing situation with muvpn??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
As far as our licensing goes, we have a 5 user license for MUVPN and a 50 user license for BOVPN. The decision has been made to let our Live Security Subscription expire since we are planning on replacing this device next year. So unfortunately, I don't have access to WatchGuard support and have to support this device on my own until it's replaced.
 
In traffic monitor, I'm getting the following message:

Deleting SA:peer
Drop Host "ipsec_users" "bdubs" suceeded"
User "bdubs" logged out

Is there an issue with it renewing my key that is causing the disconnect?
 
We have this problem as well. I still have Live Security and I'm going to open a case. We have FB III running WFS 7.5. There was a time when Watchguard changed the licensing for MUVPN. This broke WFS 7.1-7.2. Apparently was fixed in 7.3 and up. My GUESS is that the V10 client expects the "new" licensing format and does not work with the "legacy" format supplied with the FB III, but I'm going to verify.
 
waltn: Please let me know what WatchGuard's solution to this problem is. I have implemented a temporary resolution until I find a permanent solution. On the client side, go into "Profile Settings" and then into "Line Management." Change the "Connection Mode" from "manual" to "variable." This forces the client to reconnect every time it drops. So far this has worked well for us and I have had multiple users test it for me with success. Though, I'm still searching for a permanent fix.
 
OK, it appears my guess was wrong. What you need to do is open the following ports in windows firewall:
UDP 500
UDP 4500
I would recommend you "scope" these so that only your firebox is granted this access. After doing this, the message seems to go away and it does not disconnect. I have not tested this on Vista yet, but it works on XP. I fully expect it to work on Vista as well.
 
One other thing. If you have any other software firewall active, of course, you need to open the ports there as well.
 
waltn: I have the Windows Firewall disabled and don't have any other firewalls installed. Your comments regarding the issues with the different versions gave me an idea. I searched around the web and found an older copy of the client. I downloaded 7.3, which corresponds to the version on our Firebox. I installed it and it stayed connected without ever dropping. There are a couple of issues. With the 7.3 client, name resolution does not work, so I have to access network resources by IP address. The other issue is that it is not compatible with Vista.
 
hmmm. Well, I don't know what's going on. However, we are now using the V10 client on both Vista and XP without issue after the firewall fix.

We are using Fbox III 1000 running WFS 7.5. Unfortunately, I'm not familiar with the X500, but check your WFS version, assuming you are running WFS. I know that the 10.0 client requires certain WFS versions, though I don't remember which. 7.5 is the last of WFS, at least so far. If you don't have that version, perhaps you need to upgrade.

Also, did you import a wgx file to configure the client, or did you configure it manually? If you have a .wgx that works with the 7.3 client, it should work with V10 as well.

We also have some users using the old 7.3 client, which also works but not from Vista.
 
I'm getting the same results using the version 10 client on Vista and XP. I used the wgx file with both versions of the client. The 7.3 client is working fine.

I'd really like to update our X500 for now but the decision has been made to replace it. Until then, I have a couple of solutions to keep it working.
 
Hi billdubs.

I had the same problem.
When I disabled the Windows firewall (XP) I was able to see the following in the MUVPN client log:

10/01/2008 18:41:10 NOTIFY: profile-Name: RECEIVED: NOTIFY_MSG_KEEPALIVE_REQUEST
10/01/2008 18:41:10 NOTIFY: profile-Name: SENT: NOTIFY_MSG_KEEPALIVE_ACK
10/01/2008 18:50:08 NOTIFY: profile-Name: RECEIVED: NOTIFY_MSG_KEEPALIVE_REQUEST
10/01/2008 18:50:08 NOTIFY: profile-Name: SENT: NOTIFY_MSG_KEEPALIVE_ACK
10/01/2008 18:53:08 NOTIFY: profile-Name: RECEIVED: NOTIFY_MSG_KEEPALIVE_REQUEST
10/01/2008 18:53:08 NOTIFY: profile-Name: SENT: NOTIFY_MSG_KEEPALIVE_ACK
10/01/2008 18:56:07 NOTIFY: profile-Name: RECEIVED: NOTIFY_MSG_KEEPALIVE_REQUEST
10/01/2008 18:56:07 NOTIFY: profile-Name: SENT: NOTIFY_MSG_KEEPALIVE_ACK

So I thought that the problem should be in the incoming connections from the VPN gateway to my PC.

This is because the IKE Keep-Alive messages don't arrive from the VPN gateway to your PC.

You can verify it by examining the file C:\WINDOWS\pfirewall.log.

It is possible that you will see something similar to this:

action : protocol : src-ip : dst-ip : src-port : dst-port : size : path
DROP : UDP : your-gw-ip : 192.168.224.192 : 4500 : 4500 : 114 :RECEIVE

The approximately 12 minutes come from three parameters of the IKE (Phase 1) configuration in the gateway:
Keep-alive interval, Message Interval and Max Failures.

Instead of disabling the Windows firewall, it may be more advisable to allow exceptions in this firewall.

To create exceptions:
Name: IKE Keep-Alive Messages-1
Port: 4500
Prot: UDP
Environment: From your VPN-Gateway

Name: IKE Keep-Alive Messages-2
Port: 500
Prot: UDP
Environment: From your VPN-Gateway

It depends on whether you are using NAT Traversal.

Activate the Windows Firewall and pay attention to unmark the "Do Not Allow Exceptions" box.

Good Luck
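The check described in the post above (look in pfirewall.log for inbound UDP 500/4500 drops from the gateway) and the measurement the original poster did by hand (time from "IPSDIAL - connected" to "IPSDIAL - disconnected") can both be automated. The following is an added example, not code from the thread or from WatchGuard: the gateway address 203.0.113.10 and the firewall-log sample are constructed, laid out in the colon-separated field order quoted in the post, while the client-log sample reuses three lines from the original post. A real XP pfirewall.log is whitespace-separated and carries a `#Fields:` header, so the parser would need its splitter adjusted for that layout (assumption).

```python
"""
Two defender-side checks for the 12-minute MUVPN drop discussed in the thread:
  1. flag Windows Firewall DROP entries for inbound UDP 500/4500 from the gateway
     (the IKE keep-alive path being blocked), and
  2. measure how long each MUVPN session lasted from the client log.
"""
import re
from datetime import datetime

# Placeholder gateway address (constructed, not a real gateway).
GATEWAY_IP = "203.0.113.10"

# Constructed sample in the colon-separated shape quoted in the thread.
SAMPLE_PFIREWALL_LOG = """\
action : protocol : src-ip : dst-ip : src-port : dst-port : size : path
OPEN : UDP : 192.168.224.192 : 203.0.113.10 : 500 : 500 : 292 : SEND
DROP : UDP : 203.0.113.10 : 192.168.224.192 : 4500 : 4500 : 114 : RECEIVE
DROP : UDP : 203.0.113.10 : 192.168.224.192 : 500 : 500 : 92 : RECEIVE
DROP : TCP : 198.51.100.7 : 192.168.224.192 : 44321 : 445 : 48 : RECEIVE
"""

# Lines taken from the client log posted in the thread.
SAMPLE_CLIENT_LOG = """\
12/5/2007 2:53:42 PM IPSDIAL - connected to bdubs on channel 1.
12/5/2007 3:05:41 PM NCPIKE-phase1:name(bdubs) - error - WATCHGUARD_LICENSING TIMEOUT ERROR
12/5/2007 3:05:41 PM IPSDIAL - disconnected from bdubs on channel 1.
"""

IKE_PORTS = {500, 4500}  # IKE (500) and NAT-T (4500)


def parse_pfirewall_line(line):
    """Return one colon-separated entry as a dict, or None for header/blank lines."""
    parts = [p.strip() for p in line.split(":")]
    if len(parts) != 8 or parts[0] == "action":
        return None
    action, proto, src, dst, sport, dport, size, path = parts
    return {"action": action, "protocol": proto, "src_ip": src, "dst_ip": dst,
            "src_port": int(sport), "dst_port": int(dport),
            "size": int(size), "path": path}


def find_blocked_ike(log_text, gateway_ip):
    """Inbound UDP 500/4500 DROPs from the gateway: keep-alives never reach the client."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_pfirewall_line(line)
        if entry is None:
            continue
        if (entry["action"] == "DROP" and entry["protocol"] == "UDP"
                and entry["src_ip"] == gateway_ip and entry["path"] == "RECEIVE"
                and entry["dst_port"] in IKE_PORTS):
            hits.append(entry)
    return hits


STAMP = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")


def session_durations(log_text):
    """Seconds between each 'IPSDIAL - connected' and the next 'IPSDIAL - disconnected'."""
    durations, start = [], None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        if "IPSDIAL - connected" in msg:
            start = ts
        elif "IPSDIAL - disconnected" in msg and start is not None:
            durations.append(int((ts - start).total_seconds()))
            start = None
    return durations


if __name__ == "__main__":
    for e in find_blocked_ike(SAMPLE_PFIREWALL_LOG, GATEWAY_IP):
        print("blocked IKE from gateway: UDP dst-port", e["dst_port"])
    print("session lengths (s):", session_durations(SAMPLE_CLIENT_LOG))
```

A session length that repeats at the same value on every run, paired with DROP entries for the gateway on UDP 500 or 4500, points at the firewall rather than licensing, which matches the outcome reported later in the thread; the drops on other ports (the TCP 445 line in the sample) are intentionally ignored so the check stays specific to the keep-alive path.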
 
I am having the exact same problem with my FB1000 and V10 of the MUVPN software. Did this fix work?

Matt
 
Fix worked, thanks. I am not comfortable opening ports though. WatchGuard should have those open when you allow access to the client so they are not always open, just open when the client is in use.
Matt
 
Frankenherder,

Yeah, but if you limit the ports to only your FB's address, you at least minimize the risk. That's what we do. Any SW firewall should be able to do this.

Walt
 
This ended up resolving our issues with the version 10 client. The version 7.3 client didn't have the same problems.
 