Issues with 12.8.1
I recently updated all my Fireboxes to the latest update. M370 running 12.8.1, I skipped 12.8. Also have a T70 upgraded to 12.8.1. Now my Synology backup to Wasabi is failing. Have another Synology at a different location also now failing. Both access Wasabi by going over BOVPN and out to the internet through the M370. I get an error on the traffic monitor stating "Tunnel Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). "
No other changes have been made. One site is connected using Ikev1 and the other is Ikev2. I will try and bring one of the boxes over to the main office and try it again and see if its BOVPN issue. I do have another Synology at the main office and it backed up just fine.
Comments
Syn Checking means the firewall is seeing connections that aren't in its connection table
See:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000XeLhSAK&lang=en_US
-James Carson
WatchGuard Customer Support
Backed up fine once I brought it over to the main office. Which means there is something wrong with the BOVPN. There was someone complaining about packet loss in the 12.8 release in regards to BOVPN. Might need to contact support.
Hi @kcarpenter
There weren't any changes in the default threat protection engine in 12.8 or 12.8.1 -- but there may be something else that is affecting this.
-James Carson
WatchGuard Customer Support
I can copy files to it over the BOVPN just fine, but the Hyper Backup program on Synology seems to fail backing up to Wasabi. Its the initial connection that fails so the backup doesn't even start. I am going to try backing up a workstation over the BOVPN and see what happens.
I misspoke. One site has Fireware 12.7.2 and the other one has 12.8.1. Both connect to the M370 which is running 12.8.1. But still, both Synology boxes are unable to backup to Wasabi. Only change was the firewall update.
Found the issue. Packets going out one Wan but coming back on the other Wan. Again, nothing changed except the update. Will investigate it further.
Hi @kcarpenter
I don't want to rule it out, but it's highly unlikely that the firmware upgrade would cause an internal routing change, especially if standard static routes were in place.
I'd suggest that it's very likely that the firewall rebooting (as part of the upgrade) may have triggered a change elsewhere.
-James Carson
WatchGuard Customer Support
I agree. Problem is that I can't see what interface it goes out on the traffic monitor. Just shows Syn error. I might have to do a packet capture and see what rule its goes out on. I have a rule that allows anything and it should be going out out our fiber and come back that way too. Still looking.