WatchGuard M200 - Internal Network disconnects but external interface still accessible

Hi All,

We are currently having an issue with our M200. We have recently added a second internal bridge to our firewall to support another organisation on our network, which seems to be the root cause of this issue, as we have not experienced this problem previously.

Randomly during the day we will have the entire internal network lose internet connectivity (internal routing via IP and DNS up to our top-layer switch), which includes both of the bridges configured on the firewall, making me think this is not a switching issue on either bridge. External connectivity to the firewall's web interface and our BOVPN remains connected; however, it cannot reach internal resources, which leads me away from the idea of it being anything past the router, a Cisco 3750.

Our syslogs simply show a gap during this time, and no error messages immediately before the drop seem relevant; there are no errors or alerts.

We reach a monthly average of 3000 concurrent connections in a day, including the second bridge, so I do not believe this is an issue.

All routing, firewall policies and NAT traversal prior to the outage perform flawlessly. The M200 has the most current firmware installed (12.5 U1).

We have not had previous issues with any of the ports the bridges utilise, so you can probably see why I'm a little stumped.

My only logical explanation for this issue is that we are spiking the bandwidth available on our external connection and the firewall is immediately (and permanently) disabling the internal NICs, physically or virtually. Does anyone know if this is the usual action of a firewall when the maximum bandwidth is reached? Rebooting the firewall is the only way to resolve the issue.

I have now implemented traffic management on the second bridge, limiting it to a total of 50% of our available external bandwidth, and eight hours later (touch wood!) we have had no outages, although time will tell.

If anyone has seen this before or has any other thoughts, they would be most welcome to let me know!
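Because the Firebox syslog only shows a gap, it helps to have an independent record of exactly when the trusted side stopped answering while the external side stayed up. The script below is an added example, not part of the original post or any WatchGuard tool: run on an internal host, it pings the Firebox's trusted-interface IP and an address beyond the firewall on a fixed interval, classifies each sample, and logs state changes with a UTC timestamp so the outage window can be lined up against the switch port error counters and the syslog gap. The addresses, interval and log path are assumptions (override them via environment variables), and the ping flags are the Linux iputils ones.

```shell
#!/bin/sh
# Added example: reachability probe for the "trusted side dies, external stays up"
# failure mode. Not from the original thread or from WatchGuard.
# All values below are assumptions for illustration; set them for your network.

TRUSTED_IF="${TRUSTED_IF:-192.168.1.1}"    # Firebox trusted-interface IP (assumed)
EXTERNAL_IP="${EXTERNAL_IP:-8.8.8.8}"      # an address beyond the firewall (assumed)
INTERVAL="${INTERVAL:-10}"                 # seconds between samples
LOGFILE="${LOGFILE:-./firebox-probe.log}"  # where state changes are appended

# probe HOST -> prints "up" or "down" (one ICMP echo, 2 s timeout; Linux ping flags)
probe() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# classify TRUSTED_STATE EXTERNAL_STATE -> one-word verdict
#   ok                  both answer: nothing wrong from this vantage point
#   trusted-unreachable the Firebox trusted interface itself does not answer;
#                       this is the symptom reported in the thread
#   wan-only            the Firebox answers but the path beyond it does not,
#                       i.e. an upstream/WAN problem rather than the trusted side
classify() {
    case "$1/$2" in
        up/up)   echo ok ;;
        down/*)  echo trusted-unreachable ;;
        up/down) echo wan-only ;;
        *)       echo unknown ;;
    esac
}

# log MESSAGE -> timestamped line to stdout and the log file
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOGFILE"
}

# run -> sample forever, recording only transitions so the log stays readable
run() {
    prev=""
    while :; do
        t=$(probe "$TRUSTED_IF")
        e=$(probe "$EXTERNAL_IP")
        state=$(classify "$t" "$e")
        if [ "$state" != "$prev" ]; then
            log "state=$state trusted=$t external=$e"
            prev=$state
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run
fi
```

Usage: `TRUSTED_IF=10.0.0.1 sh firebox-probe.sh --run` on a wired internal host. A transition to `trusted-unreachable` with the BOVPN and external web UI still answering is the pattern described above; a transition to `wan-only` instead points at the upstream link rather than the bridge or trusted interface.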

Comments

  • Adding Traffic Management has indeed resolved this issue. I believe this was actually to do with the priority being assigned by the firewall's NICs.

  • james.carson Moderator, WatchGuard Representative
    edited October 2019

    Hi @PowerClean
    It's pretty likely the bridge might not be able to keep up. Setting up a bridge interface on the firewall is basically asking it to emulate a switch port. Under most circumstances, this is OK -- but if you're pushing a lot of data, it might not be able to keep up.

    Would it be possible to do the switch (bridging) on a switch, then plug that into the firewall so it doesn't have to try and reproduce all the broadcast and other traffic?

    -James Carson
    WatchGuard Customer Support

  • I have seen the same behavior on two M200s without bridging.

    The only (and strange) thing showing up from the LAN in the Traffic Monitor is DHCP requests.

    Any ideas what is causing this?

  • james.carson Moderator, WatchGuard Representative

    @Norman
    DHCP requests will be via broadcasts -- if that's the only traffic making it to the firewall there may be an issue with the gateway the clients are getting.

    -James Carson
    WatchGuard Customer Support

  • edited November 22

    No, it's the same problem as above:
    no traffic between the LAN interface and the internal network,
    no ping (to static IP devices), nothing until a reboot of the firewall.
    VPN, external and optional are all fine.
    Already tried a different switch, a different ethX on the Firebox for trusted, and new cables; all made no difference.

  • For the record, what Fireware version are you running?
    Does this happen with other Fireware versions too?

    If you have a support contract, consider opening a support case on this.

  • Anything obvious in the Interface stats for this interface in FSM -> Status Report to help understand this?

    There are a few Known Issues for the M200:
    - Interfaces 0, 1, and 2 do not support 10/100 half duplex
    - Firebox M200/M300 performance issues on interfaces 3-7
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g36OSAQ&lang=en_US

  • edited November 22

    FW is on 12.5.9.
    On the HP switch there are errors on the port where the firewall is.
    In Status Report there is nothing now, but I will have a look before the reboot next time.
    What I will also try: put trusted on eth1 (now it is eth4) and remove the secondary IP.

    If this does not help, I will try whether link aggregation has an impact.
