WatchGuard Firebox Link Monitor Issue with 8.8.8.8
Hello everyone,
We recently installed our WatchGuard Firebox and have set it up with two external WAN interfaces, each connected to a different ISP. Our configuration uses multi-WAN for load balancing, and failover is built-in.
Today, while checking the Traffic Monitor, we noticed that all traffic was being routed through just one WAN interface. Upon further investigation, we found the following log entry appearing multiple times:
[Link Monitor] No response received on External-ISPName from Ping target 8.8.8.8
Since the Link Monitor did not receive a ping response, the Firebox correctly failed over all traffic to the other WAN interface. However, when we changed the test IP from 8.8.8.8 to 1.1.1.1, the ping tests started succeeding, and the interface was brought back online.
What confuses me is that despite the failed ping tests to 8.8.8.8, we were able to ping that IP successfully using the ISP’s router diagnostics page and a laptop directly connected to the router. This suggests that the router was online and fully functional, yet the Firebox’s Link Monitor was not getting a response.
Has anyone encountered a similar issue?
Any insights or troubleshooting suggestions would be greatly appreciated!
With our previous firewall (Untangle) I'd never seen a situation whereby it wasn't able to successfully ping 8.8.8.8 if the router and ISP were both online.
Thanks!
Comments
DNS servers don't guarantee they will respond to pings. There have been instances where 8.8.8.8 has specifically stopped responding to pings before.
Global DNS servers (like 8.8.8.8) are actually groups of load balanced servers -- a different one may have been replying to you or unreachable.
-James Carson
WatchGuard Customer Support
Thanks @james.carson. What Link Monitor targets do Watchguard recommend to use? I understand having two targets per interface is suggested but what destinations should be used?
I use 8.8.8.8, and have not noticed the problem that you have seen.
It could have been a teething issue as we only put the Firebox into production on Monday evening.
I've since updated the probe targets so one WAN interface uses Google DNS and OpenDNS for its tests, and the other WAN interface uses CloudFlare DNS and OpenDNS.
I'm hoping that covers us. My guess is that it was a teething glitch.
@ITManager30 We generally recommend a router or other equipment on your ISP's network (beyond your default gateway), or a service you use such as a VoIP provider or credit card processor.
Keep in mind that SD-WAN statistics are based off the link monitor IP, so a better ping target may help you see better statistics there too.
DNS servers can be OK as link-monitor ping targets, provided you're not using the same one for each external interface.
-James Carson
WatchGuard Customer Support
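As an added example (not WatchGuard's code, and not a description of the Firebox's real Link Monitor policy), here is a small Python model of the advice in the reply above: at least two probe targets per external interface, no target shared between interfaces, and an interface declared down only when every one of its targets stops answering, so a single anycast DNS node dropping ICMP (the 8.8.8.8 symptom in the original post) does not by itself trigger failover. Interface names and the OpenDNS resolver address are assumptions; the "all targets must fail" rule is a modelling choice.

```python
# Added example, not WatchGuard code. Models link-monitor target hygiene
# and the failover decision discussed in this thread.
from dataclasses import dataclass, field

# Constructed to match the poster's final setup: Google DNS + OpenDNS on one
# WAN, Cloudflare DNS + OpenDNS on the other. Interface names are assumed;
# 208.67.222.222 is a public OpenDNS resolver (not quoted on the page).
POSTER_CONFIG = {
    "External-ISP1": ["8.8.8.8", "208.67.222.222"],
    "External-ISP2": ["1.1.1.1", "208.67.222.222"],
}


@dataclass
class LinkMonitor:
    # interface name -> list of ping targets for that interface
    targets: dict = field(default_factory=dict)

    def validate(self):
        """Return configuration warnings: fewer than two targets on an
        interface, or one target reused across interfaces (a shared target
        going quiet would mark every WAN down at the same time)."""
        warnings = []
        seen = {}  # target -> first interface that uses it
        for iface, probes in self.targets.items():
            if len(probes) < 2:
                warnings.append(f"{iface}: fewer than two probe targets")
            for ip in probes:
                if ip in seen and seen[ip] != iface:
                    warnings.append(f"{ip}: shared by {seen[ip]} and {iface}")
                seen.setdefault(ip, iface)
        return warnings

    def link_state(self, iface, replies):
        """replies maps target -> True if a ping reply was received.
        Modelling choice: the link is down only when no target answers."""
        answered = [ip for ip in self.targets[iface] if replies.get(ip, False)]
        return "up" if answered else "down"

    def active_interfaces(self, replies_by_iface):
        """Interfaces that would still carry traffic given the probe results."""
        return [i for i in self.targets
                if self.link_state(i, replies_by_iface.get(i, {})) == "up"]


if __name__ == "__main__":
    lm = LinkMonitor(POSTER_CONFIG)
    for w in lm.validate():
        print("warning:", w)  # flags the OpenDNS target reused on both WANs
    # 8.8.8.8 silent but OpenDNS answering: ISP1 stays up in this model
    print(lm.active_interfaces({"External-ISP1": {"8.8.8.8": False, "208.67.222.222": True},
                                "External-ISP2": {"1.1.1.1": True}}))
```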
Got it. Thanks James.