Watchguard and Draytek - no internet access since Firebox upgrade

Chris Millard
We have two networks:-

192.168.1.x is connected to a Firebox x550e
192.168.2.x is connected to a Draytek Vigor 2910

There is a VPN between the Firebox and the Vigor 2910. The external IP of the Firebox is 192.168.0.53 and the external IP of the Draytek is 192.168.0.54. Both units send their internet traffic through gateway 192.168.0.2

Up until yesterday, the Firebox was on OS 10.2.8(dwn). Both networks could access each other through the VPN tunnel, and both networks could get internet access.

Last night, I upgraded the Firebox to its latest OS - 11.3. Now, both networks can access each other, the 192.168.1.x network can access the internet, but the 192.168.2.x network no longer gets any internet access and I don't understand why since the internet traffic doesn't (or at least shouldn't) go through the tunnel at all...

Commented:
I am assuming that you rebooted the Draytek?
Yes I did...

Commented:
Have you pinged ...
The Draytek?
Google?
Google's IP 173.194.33.104

This could be a DNS issue. Where is the DNS server located?

I can ping everything on both networks, and the external IPs of the Firebox and Draytek without problem. DNS resolution is working OK. I cannot ping any internet IP addresses (but only from the 192.168.2.x network). To add to this, because I can't leave this network without internet indefinitely, I have downgraded the Firebox back to OS 10.2.8(dwn) and once again, the internet access is working - so there must be something that OS 11.x is causing, or some change in the configuration that takes place during the upgrade.

Commented:
Odd... What device is connected to the WAN?
There is a router in another building. I'm not sure what make / model, but I can ping it from both networks. I am now just wondering if something in the 11.x OS is forcing internet traffic down the VPN tunnel by mistake

Commented:
That is a possibility. You may want to rebuild the VPN on 11.3 to make sure that settings were not altered in the upgrade. All of our clients have liked 11X OS.

One other note, if you would like more specifics on this, seeing as you were able to update your Firebox, it means that you have call in support with Watchguard. You may find a solution faster by calling and waiting on their callback. There doesn't sound to be obvious reasons for this and since you have found it to happen from the upgrade, they would know best about some of the changes.
The Firebox has had all of the policies rebuilt from scratch, and the problem still persists in 11.x but again, if I downgrade to 10.2.8dwn, everything works again!

I have logged a call with Watchguard, but their support has not been very forthcoming!
Roy,

Did you get this resolved? We are trying to get a VPN working between a Draytek and an 11.3 based Watchguard 505 and I wonder whether it's a Watchguard firmware issue.

Olly
I never got it resolved. I had to downgrade the Watchguard firmware to get it to work...
