Status: PASSED (vendor / watchguard_firebox_vpn_tunnel_flap)

WatchGuard Firebox BOVPN Tunnel Flap

A WatchGuard Firebox M590 experiences persistent BOVPN instability to 6 branch offices due to a phase 2 SA lifetime mismatch after a firmware upgrade, causing intermittent branch connectivity.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric                 Expected       Actual        Result
Pattern Recognition    UNKNOWN        UNKNOWN
Severity Assessment    CRITICAL       CRITICAL
Incident Correlation   Yes            27 linked
Cascade Escalation     Yes            Yes
Remediation            Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

WatchGuard Firebox M590 at HQ. 6 BOVPN tunnels to branch offices (also WatchGuard). Firmware upgrade changed default Phase 2 lifetime from 8h to 1h. Mismatch causes rekeying failures. Tunnels drop every 55-65 minutes.

Injected Error Messages (3)

watchguard Firebox M590 BOVPN instability — 6 of 6 branch office tunnels cycling every 55-65 minutes, watchguard Phase 2 SA rekeying failure: lifetime mismatch between HQ (1 hour) and branches (8 hours) after Fireware OS upgrade, watchguard traffic monitor showing repeated down/up cycles for all BOVPN peers, IKE negotiation errors: 'no proposal chosen'
watchguard BOVPN to Branch-Atlanta cycling — connection drops every 58 minutes when Phase 2 SA expires, watchguard Firebox rekeying fails due to proposal mismatch, branch users lose connectivity to HQ file shares and applications for 30-90 seconds during each cycle, watchguard dimension logging 47 state changes in last 24 hours for this peer
watchguard BOVPN to Branch-Denver unstable — renegotiation failing at Phase 2 due to SA lifetime disagreement, watchguard Firebox M590 sending 'INFORMATIONAL: DELETE' every 55 minutes, branch-Denver users experiencing periodic disconnections from ERP and phone systems, watchguard policy-based routing failing over to direct internet during gaps

Neural Engine Root Cause Analysis

The WatchGuard Firebox M590 BOVPN tunnels are experiencing systematic disconnections every 55-65 minutes due to a Phase 2 SA (Security Association) lifetime configuration mismatch introduced after a Fireware OS upgrade. The HQ firewall is configured with a 1-hour SA lifetime while all 6 branch offices keep 8-hour lifetimes, so IKE rekeying fails with 'no proposal chosen' errors each time the HQ attempts to renew the security associations. Because this IPsec parameter mismatch prevents successful tunnel renegotiation, every tunnel cycles through down/up states continuously, once per HQ lifetime.
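One way a monitoring pipeline could surface the pattern described above, before anyone reads the RCA, is to measure the period of each peer's tunnel drops and compare it with the configured Phase 2 lifetime: a flap period that sits just under the lifetime, paired with 'no proposal chosen' errors, points at a rekey mismatch rather than at a flaky link. The script below is an added example for this page; it is not Corax or WatchGuard code. The log line format, the peer names other than Branch-Atlanta and Branch-Denver, and the 10-minute tolerance are assumptions (real Fireware log fields differ), and the sample events are constructed inline.

```python
"""Flag BOVPN peers whose drop period matches a Phase 2 SA lifetime.

Added example; not Corax or WatchGuard code. The log format below is an
assumption meant to resemble tunnel state events, not real Fireware output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

PHASE2_LIFETIME_S = 3600   # HQ Phase 2 SA lifetime in the scenario (1 hour)
TOLERANCE_S = 10 * 60      # accept +/- 10 min around the lifetime (assumption)

# Assumed log shape: "<iso-ts> <device> bovpn peer=<name> state=down|up [reason="..."]"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) \S+ bovpn peer=(?P<peer>\S+) state=(?P<state>down|up)'
    r'(?: reason="(?P<reason>[^"]*)")?$'
)


def _constructed_events(peer, period_s, count, reason=None):
    """Build constructed down/up event pairs for one peer, period_s apart."""
    start = datetime(2026, 3, 30, 0, 0, 10, tzinfo=timezone.utc)
    lines = []
    for i in range(count):
        t_down = start + timedelta(seconds=i * period_s)
        t_up = t_down + timedelta(seconds=45)   # tunnel comes back after ~45 s
        tail = f' reason="{reason}"' if reason else ""
        lines.append(f"{t_down:%Y-%m-%dT%H:%M:%SZ} Firebox-M590 bovpn peer={peer} state=down{tail}")
        lines.append(f"{t_up:%Y-%m-%dT%H:%M:%SZ} Firebox-M590 bovpn peer={peer} state=up")
    return lines


# Constructed sample: Atlanta drops every 58 min, Denver every 55 min (both
# consistent with a 1-hour HQ lifetime); Branch-Boise (assumed name) drops once.
SAMPLE_LOGS = sorted(
    _constructed_events("Branch-Atlanta", 58 * 60, 6, "no proposal chosen")
    + _constructed_events("Branch-Denver", 55 * 60, 6, "no proposal chosen")
    + _constructed_events("Branch-Boise", 0, 1)
)


def parse_events(lines):
    """Yield (timestamp, peer, state, reason) for lines that match EVENT_RE."""
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue   # unrelated log line, skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["peer"], m["state"], m["reason"]


def analyze_flaps(lines, lifetime_s=PHASE2_LIFETIME_S, tolerance_s=TOLERANCE_S):
    """Per peer: how often it drops, whether the period is regular, and whether
    that period lines up with the Phase 2 lifetime."""
    downs = defaultdict(list)
    proposal_errors = defaultdict(int)
    for ts, peer, state, reason in parse_events(lines):
        if state == "down":
            downs[peer].append(ts)
            if reason and "no proposal chosen" in reason:
                proposal_errors[peer] += 1

    report = {}
    for peer, times in downs.items():
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"down_events": len(times), "median_interval_s": None,
                 "periodic": False, "matches_phase2_lifetime": False,
                 "proposal_errors": proposal_errors[peer]}
        if len(intervals) >= 2:   # need at least two gaps to call it periodic
            med = median(intervals)
            periodic = (max(intervals) - min(intervals)) <= tolerance_s
            entry.update(median_interval_s=med, periodic=periodic,
                         matches_phase2_lifetime=periodic and abs(med - lifetime_s) <= tolerance_s)
        report[peer] = entry
    return report


def suspected_lifetime_mismatch(report):
    """Peers flapping at the SA lifetime period and logging proposal errors."""
    return sorted(p for p, r in report.items()
                  if r["matches_phase2_lifetime"] and r["proposal_errors"] > 0)


if __name__ == "__main__":
    rep = analyze_flaps(SAMPLE_LOGS)
    for peer, r in sorted(rep.items()):
        print(peer, r)
    print("suspected Phase 2 lifetime mismatch:", suspected_lifetime_mismatch(rep))
```

The check deliberately requires both a regular period near the lifetime and at least one proposal error before naming a peer; a tunnel that drops at random intervals, or one that drops once after a reboot (Branch-Boise in the sample), is left out so the alert stays specific to the rekey failure mode.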

Remediation Plan

1. Access WatchGuard System Manager for the M590 HQ device via https://10.0.0.1:8080.
2. Navigate to VPN > Branch Office VPN configuration.
3. For each of the 6 BOVPN tunnels, set the Phase 2 SA lifetime so both ends agree: either change HQ to match the branches (standardize on 8 hours) or change the branches to match HQ (standardize on 1 hour).
4. Apply the configuration changes and commit.
5. Monitor tunnel status for 2 hours to confirm the tunnels stay up without cycling.
6. Verify traffic flow through each tunnel.
7. Document the standardized SA lifetime configuration for future upgrades.

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmnck7jkk07c0obqer7glphe0