Network Dropouts - VLan to VLan

Hi WGC!!
Having an issue and looking for some ideas from the community.

Our old network layout was simply.
Subnet A VLAN 10
Subnet B VLAN 20
On a Layer 2 switch with routing capability.
Both networks could interact without issues routing through the gateway IP's on the switch.

We ran this particular setup for over 10 years without issue.
Now we have restructured the network and removed the L2 switch and put a Watchguard M570 in the middle.

The new setup is as follows.
Subnet A - Trusted - Interface 1
Subnet B VLAN 20 - Trusted - Interface 4
Interface 1 is connected to server backend switches and Interface 4 is connected to a client network.
Very basic very open firewall rule allowing Subnet B and Subnet A to communicate via the Watchguard, Firewall definition is ANY so it literally doesn't block a thing.

Now I have a PBX sitting on Subnet A for example and VOIP phones sitting on Subnet B.
In the old scenario I would have no problems with the network configured this way as the L2 switch wasn't influencing anything.

But in the new scenario I have mentioned above I have what seems like random dropouts on random handsets. My own desk phone I will see drop out anywhere from 6 - 30 times per day.

I have attempted to diagnose the fault the following ways.

  1. Replaced ethernet cable on a known problem handset.
  2. Tried patching the handset into 3 different switches on Subnet B
  3. Installed a POE injector on a known problem handset to rule out any POE power delivery issues.
  4. Through port mirroring ran Wireshark on the phone to see if i could figure out what was happening. Traffic just stops, phone reboots and then traffic resumes as normal.

The only place I can think of now is the Watchguard itself and potentially it closing TCP or UDP ports down it thinks are stale ?

Any ideas from the community would help greatly!

Switches are Ubiquiti Unifi series with latest firmware (have turned off STP and RSTP to see if it helped)
Watchguard is a M570 with firmware 12.6.2.B628197


  • Options

    Sorry forgot to mention, Phones dropout whether they are idle or mid phone call.

  • Options

    There is a default idle timeout in XTM for TCP connections of 60 mins.
    You can change the idle timeout on policies to be longer (or shorter) or you can change the global default to be longer.

    I think that the default UDP timeout is 30 seconds.
    There is no way using the WG GUIs to change this.
    You can change the global value using the CLI.
    See examples from Gregg, here:

    These timeouts would only affect idle sessions, not active ones.
    If changing the TCP idle timeouts to a large value does not help, consider opening a support to get WG help in resolving this.

  • Options

    Thanks Bruce, i will give this a go and report back.

  • Options

    Hi Bruce,
    Seems the Watchguard was a bit of a red herring (pun intended) here and not the cause of the issue at all.

    It seems the Ubiquiti switches have an option defined at port level called LLDP-MED.
    Looking on their forums i can see some people having problems with that feature when trying to use it.
    We were not trying to use it at all but its on by default.
    Switching this off at port level has stopped the issue with the particular phone connected to that port.

    So we will be turning it off for the rest of the ports now.
    Just thought id let everyone know how we fixed it incase someone else has the same troubles and ends up on these forums!

    Thanks again!

  • Options

    Thanks for the update

Sign In to comment.