T85 dropping certain traffic exactly every hour.
Anyone ever had a Watchguard Firebox that dropped some IP connections exactly every hour?
Exactly every hour after a reboot, it drops connections to certain web sites - for instance, pings go through to 8.8.8.8 or yahoo.com, but not to 1.1.1.1 or 23.219.165.123.
Brand new T85 with latest firmware. Device outside the firewall does not drop connections so I don't think it's the ISP. Ping diagnostic tool on the firewall drops (but only affected IPs, they are always the same), as does any client connected to a Trusted LAN port.
0
Sign In to comment.
Comments
Most odd.
Best to open a support case on this.
Hi @DaveWick
I'd suggest opening a support case for this as well.
At face value, dropping some (but not all) of the connections suggests to me that the firewall may be ARPing (or GARPing) at the top of the hour, and something upstream is taking a moment to update.
Running a TCPDUMP on that interface right before/during this issue happening from the firewall can tell us a lot more about what might be happening. You can do this from the WebUI or Watchguard System Manager (WSM), but this works best from WSM.
From WSM:
-Open WSM, and log into your firewall.
-Right click on your firewall and launch Firebox System Manager (FSM)
-Go to Tools -> Diagnostic tasks
-Select the Network tab, go to task, select TCP DUMP.
-Check advanced options.
-Use the argument "-nei eth0" without the quotes
-Check to stream the data to a file, and choose a place for said file to be saved.
-Click start task as close to when the issue starts as you can, preferably a few seconds ahead of the issue.
-Click stop task when the issue stops. The file will finish writing and you can close the window when it is done. (This may take a moment.)
From WebUI:
-Go to system status -> Diagnostics.
-Click the network tab.
-Choose task TCP DUMP
-Check the advanced options tickbox.
-Use the argument "-nei eth0" without the quotes
-Tick the "Stream data to a file" tickbox
-Click run task as close to when the issue starts as you can, preferably a few seconds ahead of the issue.
-Click stop task when the issue stops. The file will download in your browser (This may take a moment.)
**The WebUI method is limited to about a minute or so of capture data, this limitation does not exist in the WSM version of this tool. If the issue lasts longer than a minute, I'd suggest using WSM.
You can use wireshark to view the packet capture, and if you decide to open a case, please include this capture, as it will help the technician provide you with more data.
-James Carson
WatchGuard Customer Support
Issue ended up being a problem with GARP on the firewall. It's enabled by default and was causing issues with the upstream Arista router. I disabled GARP via CLI and the problem was resolved.