Web application timeout only via VPN and WIFI, not LAN ...
Hi,
I'm investigating an issue with a web app (QNAP Notesstation) based on a T85 with current firmware:
If the users are connected to the local LAN, everything works as expected and they have unlimited access to the web app regardless of time. Connected to WatchGuard WIFI or IKEv2 mobile VPN with the same Windows client and app user accounts, all users have the same problem: After an estimated 60 minutes the web app has disconnected in the background, regardless of idle time or activity.
The QNAP Support has reconstructed our issue and has discovered that there is no problem in the web app code; other tested WIFI connections were without any timeouts.
It seems that the T85 influences something like KeepAlive, Timeouts etc. for this special app if the HTTP/HTTPS traffic is routed, but I'm not sure how to resolve this issue.
Any tips or ideas?
Many thanks,
Erik
Comments
For clarification:
- Current firmware means Fireware v12.11.6?
- What WG AP model is being used for the wifi connection?
Hi Bruce,
thanks for supporting us - yes, Fireware v12.11.6.
We use 2 WatchGuard APs: one AP125 and one 420; both configured with VLANs (Management, Trusted, Guest).
Erik
Hi @elbPV
When the users are on the normal (trusted) wired network, are they on the same subnet as the QNAP device they're accessing?
When the users are on WiFi, are they on the same subnet as if they were on the trusted wired network?
If yes to both, please try plugging into the subnet that the APs reside on, and test that way. It may help remove the APs as a potential culprit.
To keep the session active, the application should send keep-alive messages. The firewall will close the connection if it idles too long.
It may be helpful to open a support case so that one of our team members can help directly. If you'd like to open a support case, you can do so via the support center link at the top right of this page.
-James Carson
WatchGuard Customer Support
You can do packet captures on the firewall using TCP Dump, which may help understand the difference.
See the TCP Dump sections:
Using Firebox System Manager:
Run Diagnostic Tasks to Learn More About Log Messages
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Using Web UI:
Run Diagnostic Tasks on Your Firebox
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html
You can specify specific IP addrs and/or interfaces used for the capture, using the Advanced options.
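One way to read such a capture, as an added example that is not part of the thread or of any WatchGuard or QNAP tooling: the script below summarizes each TCP flow by its longest silence, which endpoint sent the first FIN or RST, and how old and how idle the connection was at that moment. It assumes the capture was saved as text in tcpdump's `-tt -n` output format; the sample lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re

# Constructed sample in tcpdump "-tt -n" text format (epoch timestamps).
# Addresses and timings are invented for illustration, not taken from the thread.
SAMPLE = """\
1700000000.000000 IP 10.0.50.23.51514 > 10.0.1.20.443: Flags [S], seq 1, win 64240, length 0
1700000000.001000 IP 10.0.1.20.443 > 10.0.50.23.51514: Flags [S.], seq 1, ack 2, win 65160, length 0
1700000000.002000 IP 10.0.50.23.51514 > 10.0.1.20.443: Flags [.], ack 1, win 502, length 0
1700001800.000000 IP 10.0.50.23.51514 > 10.0.1.20.443: Flags [P.], seq 1:200, ack 1, win 502, length 199
1700003590.000000 IP 10.0.1.20.443 > 10.0.50.23.51514: Flags [P.], seq 1:51, ack 200, win 501, length 50
1700003600.000000 IP 10.0.1.20.443 > 10.0.50.23.51514: Flags [R.], seq 51, ack 200, win 0, length 0
"""

# Matches IPv4 TCP lines: timestamp, src.port, dst.port, flag letters.
LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def summarize(text):
    """Per TCP flow: longest silence, who closed it, age and idle time at close."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        ts, src, dst, flags = float(m[1]), m[2], m[3], m[4]
        key = tuple(sorted((src, dst)))  # both directions share one flow
        f = flows.setdefault(key, {"flow": key, "first": ts, "last": ts,
                                   "max_gap": 0.0, "closed_by": None})
        gap = ts - f["last"]
        f["max_gap"] = round(max(f["max_gap"], gap), 3)
        # Record only the first FIN/RST: that packet ended the session.
        if f["closed_by"] is None and ("F" in flags or "R" in flags):
            f["closed_by"] = src
            f["close_flag"] = "RST" if "R" in flags else "FIN"
            f["age_at_close"] = round(ts - f["first"], 3)
            f["idle_before_close"] = round(gap, 3)
        f["last"] = ts
    return list(flows.values())


if __name__ == "__main__":
    for flow in summarize(SAMPLE):
        print(flow)
```

A close that arrives at a similar connection age every time, with little idle time before it, points toward a fixed lifetime rather than an idle timeout. Running the same summary on captures from the wired-side and the WiFi/VPN-side interfaces shows whether the FIN or RST was also seen on the other side of the firewall.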