The branch office was equipped with SOHO firewall behind the ISP router for few years and working fine and had never change the firewall configuration. In these two weeks we found the internet connection disconnected several times a day and the ISP router and modem has been replaced and still got the problem. I found out this is not the ISP router nor modem problem because I can ping the ISP router from outside when disconnection occured.
All internal PCs are installed with Symantec anti virus corporation v10.1 or endpoint protection v11.
I touch the surface of firewall and found no heating problem.
The firewall drop connection in a very short interval and all logs are clear when it can be connected again. I also found the firewall did not reboot because the VPN connection resume very fast . (if for rebooting, it will takes over 3 minutes to establish the connection). I notice the connection suddenly dropped because our terminal server session through VPN suddenly dropped off. But it can be resumed after reconnect using the terminal client again.
Anyone could help me on troubleshooting?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
thanks for yr help. dpk. When the connection drops, the reconnecting is automatic within a minute without any physical restart of the firewall. The internet use may not sense the disconnection when only on the internet but the VPN users with remote desktop connection to the server in remote site will sudden dropped off. They need to reconnect the remote desktop connection again.
here is the network statistics log after the disconnection and auto reconnect: The time is random, sometimes it can be up for few hours.
IP: Up for 38 minutes 7 seconds
Network Buffers Allocated/Total (0/10) Memory Total/Largest Block (667760/559312)
Sockets Allocated/Total (14/40) NAT Ports Avail (997)RAM Disk (47104)
Tx: packets (25015)
Rx: packets (32363) hdr Err(102) delivered (903)
reassemble (340)
forward (23985)
reassemble OK (169)
fragments fail (6)
So as I understand the connection to the ISP is dropping; did your ISP make any new changes? Also, what about the firmware, is it running latest firmware.
The problem I was saying it appears is not applicable to your situation as its not WG which runs out of NAT ports; but the connection to the ISP is dropping. Situation of inactivity timers kicking in is also ruled out because you have an active VPN session.
Is your connection PPPoE; can you at least capture the IP information as in is it that when the IP address on SOHO changes (if it is dynamic) the connection drops.
UP information which you listed; is it the device uptime, if yes, then it means that your box itself is rebooting.
I would need more information on what actually is happening.
Thank you.
The ISP does change the router and the modem as we suspected at first that this is due to their problem. However, we can still ping the ISP router from external when the internal connection to internet is suddenly dropped.
The Watchguard SOHO seem to link down and then immediately up on the internal ethenet port rather than reboot because it did not takes long to resume connection. (Usually reboot takes at least 2-3 minutes to resume connection).
memory pool exhausted: indicates the problem I was earlier thinking - NAT pool exhaustion
Your device is running out of NAT ports. Sorry, but I don't remember exactly but there is a hidden page in SOHO where you can see the machines and the ports utilized [the reason I thought it was not the case was because in the comment ID: 20520316; number of NAT ports was 997], I think the hidden page is:
http://internal-ip-address
or
http://internal-ip-address
[Request you to please confirm which is correct]
Opening this page would give you an option to see the machine IP address which are sending traffic out. With this you would be able to corner one machine which is responsible for eating all the NAT ports and is possibly affected by malware. Remove the said machine from network and then check; the problem should cease to occur.
You can clean the machine and then put it back to network and still the things should be good.
Please check and update.
Thank you.
Just 24 would not be too much of botheration; I think may be due to less traffic at this time you are not reaching the situation (NAT pool exhaustion); or may be the rogue machine is switched off; when the traffic is full you would see hundreds of connections initiated from the rogue machine. I think 5000 seconds is the default timeout for a session (though I am not 100% sure).
If you are running firmware version 6.1 or lower you would have 1000 NAT ports; if you are running 6.4 then you would have 7000 NAT ports.
So, the box with 6.4 would reach the situation later when compared to older firmware.
Thank you.
Same computer name would not cause the issue you are facing; I think you have SOHO5 [not SOHO6 as I was earlier thinking]; SOHO5 or SOHO as they are called would have only 1000 as max NAT ports. Same name can cause problems where NetBIOS/WINS is used; most networks run DNS; it would be a good idea to correct it though.
Please check the NAT port status when the problem occurs and that would give you good deal of information about the machines and their outbound connections.
It would be a good idea to keep two pages open for SOHO configuration; one showing the summary you posted earlier where you can see NAT ports and the other page showing hidden page info.
Thank you.
strange , this is the network statistics few seconds before the firewall reboot. Seems no exhausting on the firewall. And the debug page on NAT ports show only few connections. The firewall only up for 12 mins and reboot.
-----
Up for 12 minutes 11 seconds
Network Buffers Allocated/Total (2/10) Memory Total/Largest Block (718288/663968)
Sockets Allocated/Total (11/40) NAT Ports Avail (996)RAM Disk (47104)
Tx: packets (29463)
Rx: packets (42862) hdr Err(89) delivered (1187)
reassemble (1246)
forward (28369)
reassemble OK (621)
fragments fail (9)
If you have the firmware for the unit, try loading it again; or if possible, reset the unit to factory defaults and reconfigure it; the problem might be related to firmware/hardware. Did you have any storms or power surges after which the problem started; or all of a sudden problem started happening.
Before you reset the unit, it would be good to keep a backup of current configuration.
For creating backup of WG config, make sure ftp access to SOHO is enabled [From configuration select Firewall > Firewall Options; clear the check box adjacent to Do not allow FTP access to the Edge from the Trusted Network; click Submit to save your changes], then
1. Open command prompt window.
2. ftp to SOHO_internal_IP.
3. Enter the admin user name and password.
4. Switch to binary transfer mode by typing bin.
5. Do get wg.cfg
6. Type quit to close the FTP connection.
To restore a Backup Configuration File
In step 5 above do put wg.cfg instead of get. Please note you would need to restart your SOHO to force the changes to effect.
You can look at the following article from WG detailing the above procedure [please note you would need to have a valid username/password for WG website]:
https://www.watchguard.com
Thank you.
I think it has to do with traffic; as I said may be firmware on the unit has got something incorreclty written to it; so causing the problem; resettings the unit to factory defaults and reconfiguring should get rid of that.
The other things possible is that your network usage exceeds the capabilities of SOHO and that's the reason the problem is not seen in off hours. Upgrading the box would be a good option in such a case.
Thank you.
Default IP would be 192.168.111.1; username/password should not be there; you need to go the SOHO configuration page [system security] and configure yourself for username/password.
I would strongly recommend to create backup of the current configuration.
Reset procedure:
1. Disconnect the power on the SOHO.
2. Use a standard Ethernet patch cable to connect the WAN and 1 ports together.
3. Connect power to the SOHO.
4. The SOHO will turn on. Wait 90 seconds for the reset process to complete.
5. The MODE and ON lights will eventually flash simultaneously, indicating the process is complete
6. Disconnect the power from the SOHO.
7. Disconnect the Ethernet cable from the 1 and WAN ports.
Reconnect the power to the SOHO. The reset procedure is now complete.
Please note all your settings including VPN settings would be wiped off; please remember all the settings so you can configure them back.
Thank you.
Before I reload the firmware, I want to provide more info from the syslog :
16:11:24 MONIITOR: ipsec0: packet (5da2) faled with authentication failed, SPI=1350435840, src=125.215.184.201, dest=x.x.x.x, sa.saddr=x.x.x.x, sa.daddr=x.x.x.x
16:12:15 IP: entry duplicated 1 times @2007-12-28-16:20:36
16:12:29 MONIITOR: ipsec0: packet (6b81) faled with authentication failed, SPI=1350435840, src=125.215.184.201, dest=x.x.x.x, sa.saddr=x.x.x.x, sa.daddr=x.x.x.x
16:12:53 MONITOR: System memory pool exhausted @2007-12-28-16:11:38
16:12:55 MONITOR: somebody wanted a reboot @2007-12-28-16:11:40
any hint on above? Thanks
>> 16:12:53 MONITOR: System memory pool exhausted @2007-12-28-16:11:38
The SOHO is running out of memory, the memory required by the processes is more than what device can handle.
SOHO5 has been EOL for long, I think 2005 April (not sure), so even WG would not have public documents on upgrading physical memory (I am not sure if that is possible).
I think you had earlier also told me about the message; at that time I thought it was NAT pool; but now reading the messages it is clear system itself running out of memory and subsequently getting rebooted.
If you wish you can try resetting the unit and see if that makes any difference; otherwise, your networks would need a new device.
Thank you.
Business Accounts
Answer for Membership
by: dpk_walPosted on 2007-12-21 at 22:32:36ID: 20517905
What version of SOHO software you have, if you have SOHO6 make sure you have 6.4 (latest available) installed as it has 7000 NAT ports.
Sometimes if any of the machines on the internal network is affected by malware it can cause junk traffic on the network and traverse to the internet, consuming all the available NAT ports in the process. Checking machines that they are clean of malware would help.
I would like to know when the connection drops, does reconnecting brings the connection up or is there something more to be done; also, does the users on the internal loose internet connectivity when you loose connection.
Please check and update.
Than you.