Dead Ethernet Ports?

I've seen this happen on two different generations of WatchGuard products now and am wondering if WatchGuard hardware is extra sensitive or what?

Our xtm22w one day had an ethernet port stop working--no link and no activity. The port would still show up under interfaces but would indicate that it was down (it was configured and in use when it died). Finally we just disabled it and used another port.

We upgraded to an m200 two years ago. And in the last 4 months, 4 ports have died--each one exhibiting the same issue we saw on the xtm22w. Even more strange, on one of the dead ports the link light is permanently on even when there is no cable. We have lost half the ports on this device!

What has everyone else's experiences been like with dead ports? Have you ever seen this on any of your hardware?

Comments

  • I never had this happen on my many WG firewalls - large or small models.

  • edited February 2020

    "We upgraded to an m200 two years ago." I hope you bought it with three years of Live Security or Total Security! Would that cover it under RMA?

    Gregg Hill

  • @Greggmh123 said:
    "We upgraded to an m200 two years ago." I hope you bought it with three years of Live Security or Total Security! Would that cover it under RMA?

    Unfortunately, we only had 1yr support included. And the problem only started a few months ago so it is outside of current support. It seems that getting the support renewed will cost more than a new box from the research I've done so far. :( Not sure if we just won't get a fortigate instead if this is the case.

  • I forgot to mention something odd that happened over the weekend as I was attempting to diagnose an IPsec tunnel that wouldn't come up.

    After checking logs on both sides and seeing that there was no communication in phase 1, I checked that particular external connection being used for the bovpn and saw that it was looking okay in interfaces (up with dhcp ip). This didn't match what the logs were saying on both sides, so I decided to reboot the M200 via the webui.

    After the unit came back up, the external connection I checked earlier was now showing down. I let it sit for about 20 minutes and it still never came up, so I went to see the physical unit. The port's LEDs were not acting correctly as the activity light was on and flashing, but link was not. Considering this could be a cable or cable modem issue, I used another cable to simply connect that port to a dumb switch and got the same results. So it seems like this port started having problems after just a reboot?

    On a whim I connected the cable modem to its original port that died a few days ago and it had full link and activity! What?! I checked interfaces and it showed as up. I configured the bovpn to use that external interface and the tunnel came up and has been up for a day now without any issues.

    So now I'm dumbfounded. What is going on?

  • For anyone that is reading, I think this issue is software versus hardware. Approximately every week now, one of our wan connections will just go from 'up' to 'down'. The other wan connection will continue to work.

    If you reboot the firebox, you may get any combination of the following:
    no ethernet ports to come up (link)
    only the internal network to come up
    only one of the wan connections

    or finally, all come up as normal. It takes a few reboots for it to come up normally (when I finally got it to about 10 minutes ago, I believe I was on reboot 5/6). And most of the rebooting has to be done at the unit itself using the small silver button.

    At this point, I think there has to be a software issue going on since the hardware will work correctly if the software boots correctly. I haven't connected the serial cable yet to see what the console is spitting out, but that's the next step.

  • james.carson Moderator, WatchGuard Representative

    Hi @Samir

    If the same issue is happening across multiple devices that are different generations, I would suspect that there may be a different problem somewhere that is causing this. My biggest concern here is that if you switch devices (to ours, or another manufacturer) the same thing will continue to happen. Have you ensured that your incoming connections (internet, etc) are properly surge protected?

    Additionally, M200/300 devices won't be able to negotiate half duplex connections on eth 0, 1, and 2, so if anything is trying to do so there, the port will appear to be offline or "dead."

    If you'd like to try to upgrade the device, you can try contacting the customer care department to see if they will issue a temporary feature key for you. You can request one by clicking the support center link at the top right of the page, and creating a customer care case. They do have rules related to how long they can issue these past support expiration, so please have your serial number handy for them.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thank you for the reply James.

    The 22w was retired a long time ago and only had that one port issue once and that was it. The m200 is definitely having a software induced hardware issue like it is not booting properly as a couple of reboots will get it back to working correctly for a week or so. I have yet to plug in to the console and see if there are any error messages, but I expect to see some when I do.

    I too am concerned that if something has come in over one of the lines or via the power that we have a bigger issue here. However, the power is protected by a sinewave unit that's still under warranty (and even has an equipment protection warranty), so I highly doubt it is power. The other lines are from the Internet providers and I've inspected their equipment for proper ground and found it to be done well. Not sure where any current might have come from except the fact that the room that this equipment is in is almost 50 feet off the ground and close to the roof where nearby lightning could induce current in the wiring. Plausible, but by design Ethernet hopefully would have drained the current--if it wasn't too much. :o

    All our connections are full duplex to our main switch and both isps so half duplex shouldn't be an issue.

    I think if the software was reloaded it might fix everything. The reason it was put on its own dedicated sinewave ups in the first place was because it started to 'forget' ipsec tunnels after a power loss--and that might have been the start of the issue we have today if the storage on the unit started going bad.

    I've just downloaded the software for our unit. Will I need a feature key to reload the same version that is currently installed? Thank you again for the assistance.

  • james.carson Moderator, WatchGuard Representative

    Hi @Samir

    You can use your existing feature key for the version you're on, yes. If you'd like to ask for a temp key (one that would work to upgrade) you can ask the customer care team via a ticket, and they may approve one for you.

    -James Carson
    WatchGuard Customer Support

  • Thank you James. We upgraded to an M300 and set the M200 aside for re-loading and use at a different site. I'll post back with the results once we complete the refresh.
