Options

Issue with remote firebox

Chris_KellyChris_Kelly
edited January 2021 in Firebox - Management Software

Hello all,

I've recently run into a strange issue with one of our fireboxes (M270 running 12.6.3).

I use WSM to manage the device in fully managed mode, and during a regular scheduled OS upgrade to 12.6.3 (from 12.6.2) it failed to download the update multiple times.

After playing with it a little, I found that the management server seemed unable to release it's lock on the device (or the device seemed unwilling to acknowledge the lock was released), and any configuration change attempt basically left the device in "locked by admin" state, and I'd have to wait for the timeout in order to connect again.

I ended up removing the device from fully managed mode, waiting for the lock to time out, then updated the OS directly via the web interface. Then afterward i brought it back into fully managed mode again. But I'm still getting the same behavior whenever i make a config change - the change will save to the management server, but the subsequent lease expiry on the device will fail, and i have to wait for the lock timeout to force a lease expiry using the "update device" button in WSM.

Further poking around, I now find myself unable to connect to the device with FSM, and the communication log says "Communication error: CONNECT_ERROR: Unable to login due to unstable local PC time or Firebox system time." but the web interface shows a system time that is identical to the system time on the management server.

We have another M270 that is the management server box running the same OS version that has a similar policy set (we use templates to configure the boxes for most stuff, including management server policies), and have no issues with this one.

Anyone else had similar issues? If not I think a support incident is next up to bat.

Cheers,
-Chris

Comments

  • Options
    Chris_KellyChris_Kelly

    Just to follow up - I figured out what the problem was.

    I had recently removed an no-longer-required alias that contained the subnet the target firebox was in from an outgoing any-port TCP/UDP packet filter policy that was not intended for outgoing management connections, but it was apparently functioning as such.

    The outgoing management connection was falling through to a TCP-UDP proxy policy, which even though it allowed the traffic through, apparently the TCP-UDP proxy does not play nice with firebox management connections.

    I created an explicit outgoing WG-Firebox-Mgmt policy to the remote boxen and all is working correctly again.

    Regards,
    -Chris

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Chris,

    Sorry that I hadn't seen this -- I generally try to make sure every post gets a response.

    I'm glad you were able to find the issue!

    -James Carson
    WatchGuard Customer Support

This discussion has been closed.