Major issues after upgrading to 12.5.2
Hi all,
We have 3 sites, two with M370 and one with T55.
Last night we updated our M370's from 12.3.1 to 12.5.2
Everything seemed fine (did upgrades remotely), but then started getting calls internet was down.
After digging into it, it seemed to be a routing issue.
The way we've been setup is we have a HP layer 3 switch acting as our main router, with separate vlan's for servers, voip, printers, workstation, wifi, etc..
So with example IP's:
HP is 10.1.0.1 /22 on server VLAN
10.2.4.1 /22 on workstation VLAN
Watchguard is 10.1.0.250.
gateway on each vlan on the HP switch pointed to the WG 10.1.0.250 address
This has been working fine for 10+ years.
After we did the upgrade, none of the VLAN's could route, just server vlan was working (which is why we didn't notice an issue right away).
We tried creating allow any rules, didn't help.
We eventually just moved the gateway for each vlan to be the WG's IP on that vlan, which got us up and running.
We talked to another business with a similar setup to us, they ran into the exact same issue last month when they upgraded. WG support was unable to help them, other than doing the same thing we did with moving the routing onto the WG instead of the switch.
Is there some new feature or setting we missed in this upgrade that may have caused this? We had just replaced our old XTM 5 series devices a few weeks ago with these M370's, which is why our M370's were on an older version.
Comments
no, we had to disable a couple PBR policies we had setup on the old 5 series devices when we swapped them to the M370's, never bothered setting up the equivalent SDWAN afterwards, the PBR stuff was just for test.
An update, it seems like the firewall is not matching traffic properly. The first thing I did troubleshooting this morning was creating an "ANY" rule, allowing traffic from any-trusted to any-trusted, that is set to allow, and is rule#1 in priority.
Yes in the WG logs, we see a line like:
2020-02-20 12:55:12 10.1.0.1 10.1.0.250 33438/udp 5552 33438 104-Workstation Firebox Denied 30 2 (Unhandled Internal Packet)
So looks like the WG is blocking traffic from our switch. We do no 'apply firewall policies to intra-vlan traffic' enabled on any of the vlans.
Even more odd, we can ping from the switch to the WG, but can't trace route (thats the UPD being blocked up there).
So an any policy with any-trusted on the to/from doesn't work, but an any policy with specific host IP's listed does work.
10.1.0.1 is Firebox, not really Trusted
You should open a support incident.
The SD-WAN article:
Inbound NAT policies that include SD-WAN actions or policy-based routing
https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g2kmSAA&lang=en_US
How old is the HP Switch?
Adrian from Australia
In one site it's a E3800 stack of 4x48 ports.
In other site it's a 8212zl with a bunch of different modules in it.