External Interface Disconnects

My T35 is experiencing drops of the external interface every 7(ish) minutes, and the only way to bring it back to life is to renew the DHCP lease in the Web UI under Dashboard > Interfaces > Detail > DHCP Renew.

A DrayTek VIGOR 2862 in bridge mode feeds the line into the WatchGuard and this is connected just fine.

Wondering if anyone has experienced anything like this before?

Comments

  • For the record, what Fireware version is your T35 running?

  • Apologies for the delay, V12.5.7.B640389 - can see there's an upgrade to 12.5.11 666392 so running that now!

  • Scratch that, 12.5.9 (Build 655824) is the highest I can go.

  • An update: I set the external interface to use a static IP address and set the default gateway to be the IP of the DrayTek router, and the connection to the outside world seems stable now. Only issue is forwarding ports... it is now, as far as I can see, getting stuck at the DrayTek...

  • Fireware 12.5.9 Update 2 is a free upgrade from WG because of the Cyclops Blink security issue.
    V12.5.10 & 12.5.11 require a support contract on your firewall in order to do the upgrade.

    I can't find anything related to your issue in the Release Notes or in the forum.

    What company is your ISP here?
    Very odd to have such an apparently short DHCP lease time.
    Consider contacting them to see if they can increase it for you.

  • @Bruce_Briggs said:
    Fireware 12.5.9 Update 2 is a free upgrade from WG because of the Cyclops Blink security issue.
    V12.5.10 & 12.5.11 require a support contract on your firewall in order to do the upgrade.

    I can't find anything related to your issue in the Release Notes or in the forum.

    What company is your ISP here?
    Very odd to have such an apparently short DHCP lease time.
    Consider contacting them to see if they can increase it for you.

    Thanks for that. The ISP is TalkTalk here in the UK and they use MPoA for authentication. Now I've got it somewhat stable (just the port forwarding not working), I'm sure the DrayTek is getting in the way, but not so sure how.

    What a pain in the back side!

  • You may be able to put the DrayTek into bridge mode - thus being able to get incoming access to work more easily - without the DrayTek getting in the way.

    https://www.draytek.co.uk/support/guides/kb-router-as-dsl-modem

  • @Bruce_Briggs said:
    You may be able to put the DrayTek into bridge mode - thus being able to get incoming access to work more easily - without the DrayTek getting in the way.

    https://www.draytek.co.uk/support/guides/kb-router-as-dsl-modem

    I do have it in bridge mode and factory reset it for good measure but she just ain't bridgin!

  • james.carson Moderator, WatchGuard Representative

    Based on the info here:
    My guess would be that the upstream ISP device isn't replying to ARPs, or doesn't like the firewall sending GARPs (gratuitous ARPs). 7 minutes is way too short for it to be a DHCP issue, but the entire DHCP process would be enough to get the firewall ARPing for the gateway IP (or the ISP device ARPing for the firewall).

    You can test to see if that is the case by doing a TCPDUMP from the firewall.
    - Open WatchGuard System Manager and log into your firewall.
    - Launch Firebox System Manager (FSM).
    - Once FSM opens, go to Tools -> Diagnostic Tasks, and select TCP Dump from the task menu. Ignore the interface drop-down menu.
    - Check Advanced Options at the bottom of the page. An arguments box will appear.
    - Type "-nei eth0" (without the quotes) in the arguments box and press Start Task while the issue is occurring.

    You should see something like:

    09:29:43.128345 00:90:7f:12:34:56 > 00:00:5e:00:01:23, ethertype ARP (0x0806), length 42: Request who-has 66.55.44.1 tell 66.55.44.163, length 28

    09:29:43.142605 00:00:5e:00:01:23 > 00:90:7f:12:34:56, ethertype ARP (0x0806), length 60: Reply 66.55.44.1 is-at 00:00:5e:00:01:23, length 46

    In this case, the first line is my firebox ARPing for its gateway, and the second line is the gateway responding. If you're not seeing the second reply line, I'd suggest contacting the ISP to find out why.

    -James Carson
    WatchGuard Customer Support
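
The check described in the reply above (an ARP request from the firewall that never gets a reply line) can be run over a saved `tcpdump -nei eth0` capture. This is an added example, not part of the original thread or WatchGuard's tooling; the function name `unanswered_arp`, the 1-second reply window, and the sample addresses (192.0.2.0/24 and 02:00:00:… MACs) are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Line layout of `tcpdump -ne` ARP output, as in the two lines quoted in the reply above.
HEAD = r"^(\d\d:\d\d:\d\d\.\d+) \S+ > \S+, ethertype ARP \S+, length \d+: "
REQ = re.compile(HEAD + r"Request who-has (\S+)(?: \(\S+\))? tell ([^,\s]+)")
REP = re.compile(HEAD + r"Reply (\S+) is-at ([0-9a-fA-F:]+)")

def _secs(stamp):
    # Seconds since midnight; a capture that crosses midnight is not handled.
    t = datetime.strptime(stamp, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def unanswered_arp(lines, asker_ip, timeout=1.0):
    """Return (timestamp, target_ip) for every ARP request sent by asker_ip
    that has no reply for target_ip within `timeout` seconds (assumed window)."""
    requests, replies = [], []
    for line in lines:
        line = line.strip()
        m = REQ.match(line)
        if m and m.group(3) == asker_ip:
            requests.append((m.group(1), m.group(2)))
            continue
        m = REP.match(line)
        if m:
            replies.append((_secs(m.group(1)), m.group(2)))
    missed = []
    for stamp, target in requests:
        sent = _secs(stamp)
        if not any(ip == target and 0 <= t - sent <= timeout for t, ip in replies):
            missed.append((stamp, target))
    return missed

# Constructed sample capture: one answered request, then two that get no reply.
_REQ_LINE = ("{} 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
             "length 42: Request who-has 192.0.2.1 tell 192.0.2.163, length 28")
_REP_LINE = ("{} 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype ARP (0x0806), "
             "length 60: Reply 192.0.2.1 is-at 02:00:00:00:00:02, length 46")
SAMPLE = [
    _REQ_LINE.format("10:00:00.100000"),
    _REP_LINE.format("10:00:00.114000"),
    _REQ_LINE.format("10:07:02.000000"),
    _REQ_LINE.format("10:07:03.000000"),
]

if __name__ == "__main__":
    for stamp, target in unanswered_arp(SAMPLE, "192.0.2.163"):
        print(f"{stamp}: no ARP reply for gateway {target}")
```

Requests that show up in the result around the time the interface drops match the "no second reply line" case the reply describes.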
