We are changing our Internet Circuit to a new ISP. During testing I have both circuits, plus a failover circuit connected to our WatchGuard XTM515
I can browse the Internet, and ping via the new circuit. However, if I create a BOVPN tunnel with the new circuit, the System Manager tells me that the tunnel is created, but I only get sent bytes on the local end, no received bytes. The remote end shows sent and received.
WatchGuard Tech Support says they see the ESP (Protocol 50) packets leaving the local end, and arriving at the remote end, they also see them leaving the remote end, but not arriving back at the local end. This points at the ISP blocking the return path or a routing error.
The ISP says they do not block any ports, and that it is not their issue, but a firewall config issue.
How do I identify where the issue lies to get them to make it work?
Both ends are WatchGuard XTM firewalls. There are four ISPs in play here: one at the remote end; the new one I am testing; the old one I want to disconnect; and a DSL that we use for failover. The old ISP and the DSL both work fine; only the new one has the issue.
OK, I eventually got this resolved.
I had to connect a laptop directly to the new connection, and show the ISP that pings to the remote firewall were failing. They finally looked at the IP routing, and came back with "there is something weird with that IP block, let us assign a new IP block to you", and then everything worked flawlessly. My guess is that whoever had that block before me had some weird routing requirement, and the ESP packets were being dropped somewhere on the ISP's network as a result.
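The four-counter comparison that WatchGuard support did by hand (ESP leaving local, arriving at remote, leaving remote, arriving back at local) is what narrows this to the return path. Here is an added example of that comparison as a script, not from the original post or from WatchGuard; it tallies ESP packets per direction from tcpdump-style text captures taken on each WAN side and names the leg where ESP disappears. The capture lines and the two addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed tcpdump-style summaries ("IP src > dst: ESP(spi=...,seq=...)");
# the addresses are documentation placeholders, not the poster's endpoints.
LOCAL_WAN, REMOTE_WAN = "198.51.100.10", "203.0.113.20"
LOCAL_CAPTURE = """\
10:00:01.000001 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000a001,seq=0x1), length 132
10:00:01.000102 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000a001,seq=0x2), length 132
10:00:02.000001 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000a001,seq=0x3), length 132
"""
REMOTE_CAPTURE = """\
10:00:01.050001 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000a001,seq=0x1), length 132
10:00:01.050500 IP 203.0.113.20 > 198.51.100.10: ESP(spi=0x0000b002,seq=0x1), length 132
10:00:01.050602 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000a001,seq=0x2), length 132
10:00:01.051000 IP 203.0.113.20 > 198.51.100.10: ESP(spi=0x0000b002,seq=0x2), length 132
"""

ESP_LINE = re.compile(r"IP (\S+) > (\S+): ESP\(")

def count_esp(capture: str) -> Counter:
    """Tally ESP (IP protocol 50) packets per (src, dst) pair in a text capture."""
    counts = Counter()
    for line in capture.splitlines():
        m = ESP_LINE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts

def diagnose(local_cap: str, remote_cap: str, local_ip: str, remote_ip: str) -> dict:
    """Compare what each end saw and name the leg where ESP disappears."""
    local, remote = count_esp(local_cap), count_esp(remote_cap)
    c = {
        "fwd_sent": local[(local_ip, remote_ip)],   # ESP leaving the local WAN
        "fwd_seen": remote[(local_ip, remote_ip)],  # ESP arriving at the remote
        "ret_sent": remote[(remote_ip, local_ip)],  # ESP leaving the remote
        "ret_seen": local[(remote_ip, local_ip)],   # ESP arriving back at local
    }
    if c["fwd_sent"] == 0:
        c["verdict"] = "local-not-sending"      # look at the local tunnel config first
    elif c["fwd_seen"] == 0:
        c["verdict"] = "forward-path-loss"      # dropped between local and remote
    elif c["ret_sent"] == 0:
        c["verdict"] = "remote-not-replying"    # remote side rejected or never answered
    elif c["ret_seen"] == 0:
        c["verdict"] = "return-path-loss"       # dropped between remote and local
    else:
        c["verdict"] = "esp-flowing-both-ways"
    return c
```

With the sample captures the verdict is "return-path-loss", the same conclusion support reached; a laptop on the new circuit that cannot ping the remote firewall is the simplest evidence to put in front of the ISP.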