WatchGuard M200 - Internal Network disconnects but external interface still accessible

Hi All,

We are currently having an issue with our M200. We recently added a second internal bridge to our firewall to support another organisation on our network, which seems to be the root cause of this issue, as we had not experienced this problem previously.

Randomly during the day the entire internal network loses internet connectivity (internal routing via IP and DNS up to our top-layer switch still works), and this affects both of the bridges configured on the firewall, making me think this is not a switching issue on either bridge. External connectivity to the firewall's web interface and our BOVPN remains up, however we cannot reach internal resources, which leads me away from the idea of it being anything past the router, a Cisco 3750.

Our syslogs simply show a gap during this time, and none of the messages immediately before the drop seem relevant; there are no errors or alerts.

We reach a monthly average of 3000 concurrent connections a day, including the second bridge, so I do not believe this is an issue.

All routing, firewall policies and NAT traversal prior to the outage all perform flawlessly. The M200 has the most current firmware installed (12.5 U1).

We have not had previous issues with any of the ports the bridges utilise, so you can probably see why I'm a little stumped.

My only logical explanation for this issue is that we are spiking the bandwidth available on our external connection and the firewall is immediately (and permanently) disabling the internal NICs, physically or virtually. Does anyone know if this is the usual action of a firewall when the maximum bandwidth is reached? Rebooting the firewall is the only way to resolve the issue.

I have now implemented traffic management on the second bridge, limiting it to a total of 50% of our available external bandwidth, and eight hours later (touch wood!) we have had no outages, although time will tell.

If anyone has seen this before or has any other thoughts, they would be most welcome to let me know!
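As an added example that is not part of the original post or of WatchGuard's tooling: when the only evidence of an outage is that "the logs simply show a gap", the first practical step is to find those gaps mechanically and pull the last message before and the first message after each one, so the events straddling the drop can be reviewed and correlated with the time the traffic-management change went in. The script below does that over a syslog export. The sample lines are constructed in generic BSD syslog form and are not real Fireware output; the hostname, addresses, the 5-minute threshold and the year passed to the parser (BSD syslog timestamps carry none) are all assumptions.

```python
"""Locate silent stretches in a syslog export and show the events around them."""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Constructed sample: steady traffic events with one silent stretch in the middle.
# Generic BSD syslog shape (assumed), not actual M200/Fireware log output.
SAMPLE_LOG = """\
Oct 20 09:15:02 fw1 firewall: Allow 10.0.1.20 8.8.8.8 dns/udp
Oct 20 09:15:07 fw1 firewall: Allow 10.0.1.21 93.184.216.34 http/tcp
Oct 20 09:15:12 fw1 firewall: Allow 10.0.2.40 8.8.8.8 dns/udp
Oct 20 09:15:19 fw1 firewall: Deny 203.0.113.9 198.51.100.2 ssh/tcp
Oct 20 09:15:24 fw1 firewall: Allow 10.0.1.22 8.8.4.4 dns/udp
Oct 20 09:42:51 fw1 firewall: Allow 10.0.1.20 8.8.8.8 dns/udp
Oct 20 09:42:55 fw1 firewall: Allow 10.0.2.41 93.184.216.34 https/tcp
Oct 20 09:43:01 fw1 firewall: Allow 10.0.1.23 8.8.8.8 dns/udp
"""

# (last timestamp before the gap, first timestamp after, gap length,
#  last line before, first line after)
Gap = Tuple[datetime, datetime, timedelta, str, str]


def parse_timestamp(line: str, year: int) -> Optional[datetime]:
    """Parse the leading 'Mon DD HH:MM:SS' of a BSD syslog line.

    The year is supplied by the caller because the format omits it.
    Returns None for lines that do not start with such a stamp.
    """
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    stamp = " ".join(parts[:3])
    try:
        return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def find_gaps(lines: Iterable[str], year: int,
              threshold: timedelta = timedelta(minutes=5)) -> List[Gap]:
    """Return every stretch with no log line for longer than `threshold`.

    Lines whose timestamp goes backwards (clock step, out-of-order delivery)
    are skipped rather than reported as a negative gap.
    """
    gaps: List[Gap] = []
    prev_ts: Optional[datetime] = None
    prev_line = ""
    for raw in lines:
        line = raw.rstrip("\n")
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        if prev_ts is not None:
            if ts < prev_ts:
                continue
            if ts - prev_ts > threshold:
                gaps.append((prev_ts, ts, ts - prev_ts, prev_line, line))
        prev_ts, prev_line = ts, line
    return gaps


def describe(gap: Gap) -> str:
    """One-line human summary of a gap for the troubleshooting notes."""
    start, end, length, before, after = gap
    return (f"{start:%Y-%m-%d %H:%M:%S} -> {end:%H:%M:%S} "
            f"({int(length.total_seconds())}s silent)\n"
            f"  last before: {before}\n  first after: {after}")


if __name__ == "__main__":
    # Year 2019 is an assumption; pass the year the export was taken.
    for g in find_gaps(SAMPLE_LOG.splitlines(), year=2019):
        print(describe(g))
```

Run it against `WatchGuard*.log` exports by swapping `SAMPLE_LOG.splitlines()` for an open file handle; lowering the threshold to a minute or two is reasonable on a busy firewall that normally logs several events a second, and a gap that ends with a boot message is the reboot the poster describes.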

Comments

  • Adding Traffic Management has indeed resolved this issue. I believe this was actually to do with the priority being assigned by the firewall's NICs.

  • James_Carson, WatchGuard Representative
    edited October 20

    Hi @PowerClean
    It's pretty likely the bridge might not be able to keep up. Setting up a bridge interface on the firewall is basically asking it to emulate a switch port. Under most circumstances, this is OK -- but if you're pushing a lot of data, it might not be able to keep up.

    Would it be possible to do the switch (bridging) on a switch, then plug that into the firewall so it doesn't have to try and reproduce all the broadcast and other traffic?

    -James Carson
    WatchGuard Customer Support
