Windows Feature Update causing loss of internet access

We have a Firebox M200 and have been trying to troubleshoot a random loss of connection to the internet. Following some testing yesterday, we think the cause is something to do with Windows 10 feature updates (1903 from yesterdays test which caused the drop 4 times). This is only an issue when delivery optimization is set to download from the internet as if installed from a local machine using the peer delivery then it obviously won't be hitting the firebox. When we have the issue, we loose connection to the internet but it recovers a few minutes later. We are in touch with Watchguard Support but I'm interested to know if anyone else is having this problem or if anyone has found a solution to this?

Thanks in advance

Chris

Comments

  • You can set up Traffic Management actions to limit your HTTP & HTTPS from consuming 100% of your ISP download link.

    You can add HTTP & HTTPS policies for the following domains, and apply a Traffic Management action which will limit them from using 100% of your ISP download link.
    http://windowsupdate.microsoft.com
    http://.windowsupdate.microsoft.com
    https://
    .windowsupdate.microsoft.com
    http://.update.microsoft.com
    https://
    .update.microsoft.com
    http://.windowsupdate.com
    http://download.windowsupdate.com
    https://download.microsoft.com
    http://
    .download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com

    Define a Traffic Management Action
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/qos_trafficmanagement/traffic_mgmt_actions_define_11_9_c.html

  • Hi Bruce, we have done this already and limited the download speed and the Traffic Manager screen shows it's working but it's made no difference. During the Windows Update, our browsing isn't working (going slow first then total timeout) which I assume could be the proxy and if I turn off the machine that's updating, everything goes back to normal.

  • You can set a Traffic Management action which sets a max per IP addr and apply that to your HTTP & HTTPS policies.

  • "which I assume could be the proxy" has me thinking (and that can be truly scary!) that you have the Windows Update FQDNs going through HTTP/HTTPS proxies. I use an unrestricted packet filter to the Windows Update FQDNs and I have not seen your issue.

    I don't have any large clients, but I recently installed a new T35 at a client with ten Win 10 Pro computers on a 25/25 fiber line from Spectrum. They have no speed issues even when downloading the ISO using the media creation tool to do a fresh install or when clicking Check for Updates, which goes out to the Internet, I believe.

    If you are using a proxy, change to a filter for those FQDNs (put them into an alias to make life easy) and see what happens.

    Gregg Hill

  • @Bruce_Briggs said:
    You can set a Traffic Management action which sets a max per IP addr and apply that to your HTTP & HTTPS policies.

    Yes, this is what we are doing and the settings are being respected so it's not that causing the issue unfortunately.

  • @Greggmh123 said:
    "which I assume could be the proxy" has me thinking (and that can be truly scary!) that you have the Windows Update FQDNs going through HTTP/HTTPS proxies. I use an unrestricted packet filter to the Windows Update FQDNs and I have not seen your issue.

    I don't have any large clients, but I recently installed a new T35 at a client with ten Win 10 Pro computers on a 25/25 fiber line from Spectrum. They have no speed issues even when downloading the ISO using the media creation tool to do a fresh install or when clicking Check for Updates, which goes out to the Internet, I believe.

    If you are using a proxy, change to a filter for those FQDNs (put them into an alias to make life easy) and see what happens.

    Thanks Greggmh123, we are currently excluding the Windows Update addresses on the proxy as per this

    The method you are suggesting I don't think will respect the wildcard filters as far as I know?

    What we found yesterday which was very odd is that when we tested the feature update using a VM with 1 virtual core and 2GB RAM, the download worked and although we had some slowdown browsing (still not maxing the link speed), it did finish and installed ok. When I increased the resources on the VM to 3 cores and 4GB RAM, this slowed down the connection and finally dropped completely. Even during this time, the overall connection was not maxed out as we have the traffic management rules.

    It seems to be that something on the M200 can't cope with the load when running the download on a high spec device which is very odd if you ask me!

  • "The method you are suggesting I don't think will respect the wildcard filters as far as I know?"

    It works on my T35 running 12.5.2 U1.

    Gregg Hill

  • @Greggmh123 said:
    "The method you are suggesting I don't think will respect the wildcard filters as far as I know?"

    It works on my T35 running 12.5.2 U1.

    Thanks Greggmh123 - thats useful to know. I'll give it another go as when i tried last time, I was able to save the wildcard settings ok but they were ignored when looking at the traffic log. I must have missed something. I'll report back once I have tried this again.

  • Just to follow up, applying the rule to a packet filter does appear to work. I'm surprised we need to do this as the same exclusions are on the Proxy itself.

    Thanks for everyone's responses on this issue, it's been very helpful

  • The proxy still needs to check the packets' destinations and then decide not to inspect them, so maybe that added overhead is the problem.

    Gregg Hill

Sign In to comment.