SD-Wan "sometimes" not routing traffic

Important stuff first: M270 running 12.10.2.B692269, services expired yesterday.

This is my own personal box, not a clients. I use it for testing / learning, etc. Services expired on it yesterday and I really don't want to (i.e. can't afford) to renew them.

The box has three external interfaces. Port 0 is a 1Gbps cable feed. Port 3 is a 50Mbps DSL feed and port 5 is an OpenWRT router that is cabled in to the back of the DSL router. This OpenWRT router creates a VPN Tunnel via SurfShark to an alternate universe. I have 3 SDWan policies: 1) Cable-2-DSL, 2) DSL-2-Cable, 3) VPN-2-Cable-2-DSL.

There are two policies. One is HTTPS traffic for everyone in my family and sends HTTPS to use SDWAN policy 1. The second policy will send all of my traffic to SDWAN policy 3 (VPN first). My policy is directly below the family policy. When the services expired on the box yesterday, my family lost WebBlocker, etc. and the ability to access the internet failed. Fair. I understand. I disabled the WebBlocker proxy and they still cannot access the internet. I deleted the policy and created a packet filter for them. Same result. I changed their SDWAN policy from 1 to 2. Still no internet. I changed their SD Wan policy to number 3 (VPN first) and now they access the internet again.

I have since gone and rebuilt the entire firewall config from the ground up. No proxy services at all -- only packet filters and SD Wan. I still cannot get their policy to work unless they go out on the VPN first. And the VPN routes through the DSL, so in my mind the DSL should work as well.

Oh, and to make things even more interesting, I cannot access amazon.ca. No one in the house is able to. If I turn off the wifi on my phone, Amazon loads quickly and works fine. As soon as wifi is back on (using an AP125 and an AP325), Amazon disappears again. Oh, and all my HomeKit has stopped working.

Help?

Comments

  • I would not expect SD-WAN to stop working when a feature key expires. Seems like a bug to me.

    Since everything is now gong out via a VPN, try changing the Global setting, Networking section, TCP MTU Probing from Disabled to "Always enabled", and see if that helps.

    Define Firebox Global Settings
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @AlGilson

    SD-WAN should continue to work with an expired license key provided the license key is still on the firewall (e.g., it's better to have the expired license loaded on the device, than no license at all.) The only services that should generally be expiring are the subscription service.

    If your webblocker policy has an action that says "when the webblocker license expires, deny access to websites" it's best to completely remove the webblocker action, as you won't be able to edit the webblocker settings without a license key for that service.

    I suppose a good place to pinpoint what specifically is broken?
    -Can you resolve DNS on that network.
    -Can you get to a website if you navigate to it by IP address (and not FQDN?)
    -Can you navigate to the website if QUIC is disabled on your browser?
    -Can you ping any specific FQDN or IP address?
    -Can you get to a pain HTTP site? (notpurple.com or neverssl.com are good examples.)

    Support will often make exceptions for customers that have recently expired firewalls that run into issues like this. If you call 877-232-3531 to put in a case, they can likely create you a low priority case to help with your issue. If you prefer to work online, you can switch over to that once the case is created.

    It would help to be able to see the logs and config for your firewall.

    -James Carson
    WatchGuard Customer Support

  • Thank you both. I've opened a support case.

    Bits that I left out that I'm remembering now and have been added to the support case:

    • I cannot get to amazon.com or amazon.ca when using SD-WAN cable or DSL. But every other website (so far) works. The firewall is showing allowed packets leaving the firewall, so I know that the system appears to be working. If I change the SD-WAN to VPN first, Amazon loads quickly and successfully.
    • considered a possible NAT issue, but it appears to be fine and is as it was while the subscriptions were active.
    • During diagnostics in the Netflix app on our TVs, Netflix is unable to reach the Netflix servers, but it is able to reach the internet.
    • Ping to www.amazon.ca works fine
    • Definitely able to reach neverssl.com when using SD-WAN, non-VPN.
  • Have you set up Link Monitor on both WAN interfaces ?
    If not, please do so.
    We recommend something upstream, such as your ISP DNS server, or a Google (8.8.8.8, 8.8.4.4) or some other high availability DNS server for example.

    Check Traffic Monitor to see if there are obvious WAN outage log messages as a result.

    Configure Link Monitor
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/link monitor/link_monitor_configure.html

  • Thanks Bruce. Link Monitor is set to exactly that, 8.8.8.8 on one interface, 8.8.4.4 on another interface and 1.1.1.1 on the VPN interface.

    Some interesting observations:

    • ANY access from my phone to ANY-External, policy order position 1, SD-WAN = ONLY DSL, fails.
    • ANY access from my phone to ANY-External, policy order position 1, SD-WAN = ONLY CABLE, fails.
    • ANY access from my phone to ANY-External, policy order position 1, SD-WAN = ONLY VPN, works.

    Packets are definitely leaving the firewall here:
    2024-02-22 22:11:31 Allow 10.0.x.x 31.169.123.33 https/tcp 53799 443 GTAP-WiFi Allowed 48 63 (Any-HOLE-AL.OUT-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="198.2.x.x" [AL: External IP of cable modem] tcp_info="offset 7 S 1239826352 win 65535" route_type="SD-WAN" Traffic
    but amazon.ca fails to load on my phone

    Switch to the SD-WAN VPN:
    2024-02-22 22:13:26 Allow 10.0.x.x 31.169.123.33 https/tcp 53824 443 GTAP-WiFi VPN-to-Internet Allowed 64 63 (Any-HOLE-AL.OUT-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.168.3.186" [AL: External IP of OpenWRT VPN router] tcp_info="offset 11 S 1232741517 win 65535" route_type="SD-WAN" Traffic
    works like a champ.

    Same policy, two different SD-WAN configurations. Both allow the traffic out. Only one works.

    Turning the SD-WAN off on the policy also does not make the policy work, even though the connection is allowed out (confirmed in Traffic Monitor) via the cable connection on port 0.

    Wondered if MTU size was at play, but reducing it down to 1100 still doesn't work. Also wondered if the Dynamic NAT mapping wasn't set up, but there's definitely a 10.0.0.0/8 - ANY-External as well as a 192.168.0.0/16 - ANY-External.

Sign In to comment.