Solved

Firebox keeps forgetting a route

Posted on 2012-03-26
Last Modified: 2012-04-19
In WatchGuard System Manager > Status Report:

Routes
------------
Destination       Gateway           Flags  Metric Ref  Use Iface
192.168.16.0/24   192.168.11.6      UG     1      0      0 eth1


The route listed above has disappeared TWICE.

The second time I knew to look to see if the route was in place. The odd thing is that it showed in Networking > Routes, but not in the status report. I deleted it and re-added it twice before it appeared in the status report.

Both times this happened I'd recently made changes to VPN settings. Could that be related? What's going on?
0
Question by:SonicVoom
12 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 37771035
Why do you think it is related to FF??
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37772834
What's FF?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37777706
Not sure if route disappearance has anything to do with VPN.

But did it happen that eth1 somehow got shut down, became unreachable or was disconnected? That is the only reason I can think of why a route would disappear.
But then the route should appear again when the next hop becomes available again.

Thank you.
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37779214
I'm not convinced that the VPN settings are related. It's a pattern though.

So you're saying that if the route interface goes down, the route is logically removed. That makes sense. And when the interface is restored the route will be as well.

As far as I know, the interface hasn't gone down... would that mean it's actually been unplugged? The server attached to that port has been restarted in that time period.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37780001
If the server is directly connected to the WG firewall port through a cable, then the port would go down when the server is restarted.
If the port is connected through a hub/switch, then the port on the WG would stay UP, irrespective of whether the server is restarted or not.

Do you see any logs in Traffic Monitor when the route disappears?
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37792267
It turns out that it'd been over a week since the server was rebooted before that happened.

Unfortunately, the log server is through the route that failed, so there's a big gap in the reports. Nothing before the gap refers to any routes. The surrounding few minutes are below:

2012-03-25 18:02:48	oss-daemon	dhcps_xpath_cb: Failed to parse WG API request
2012-03-25 18:02:53	oss-daemon	dhcps_xpath_cb: Failed to parse WG API request
2012-03-25 18:07:25	wgagent	:::::::::xpath:/profile/sslvpn-list/sslvpn[name:"SSL-VPN"], action:2, line:-1
2012-03-25 18:07:28	wgagent	:::::::::xpath:/profile/auth-group-list, action:1, line:-1
2012-03-25 18:07:29	wgagent	:::::::::xpath:/profile/interface-list, action:1, line:-1
2012-03-25 18:07:29	wgagent	Unfinished literal
2012-03-25 18:07:29	wgagent	Invalid expression
2012-03-25 18:07:29	wgagent	:::::::::xpath:/profile/abs-policy-list, action:1, line:-1
2012-03-25 18:07:31	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:32	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:33	wgagent	:::::::::xpath:/profile/policy-list/policy[name:'rww-00'], action:1, line:-1
2012-03-25 18:07:33	wgagent	:::::::::xpath:/profile/abs-policy-list/abs-policy[name:'rww'], action:1, line:-1
2012-03-25 18:07:34	wgagent	Unfinished literal
2012-03-25 18:07:34	wgagent	Invalid expression
2012-03-25 18:07:34	wgagent	:::::::::xpath:/profile/abs-policy-list, action:1, line:-1
2012-03-25 18:07:35	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:36	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:37	wgagent	:::::::::xpath:/profile/policy-list/policy[name:'Firebox SSLVPN Policy-00'], action:1, line:-1
2012-03-25 18:07:37	wgagent	:::::::::xpath:/profile/abs-policy-list/abs-policy[name:'Firebox SSLVPN Policy'], action:1, line:-1
2012-03-25 18:07:38	wgagent	Unfinished literal
2012-03-25 18:07:38	wgagent	Invalid expression
2012-03-25 18:07:38	wgagent	:::::::::xpath:/profile/abs-policy-list, action:1, line:-1
2012-03-25 18:07:39	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:40	wgagent	:::::::::xpath:/profile/alias-list, action:1, line:-1
2012-03-25 18:07:41	wgagent	:::::::::xpath:/profile/policy-list/policy[name:'rdp over rww-00'], action:1, line:-1
2012-03-25 18:07:42	wgagent	:::::::::xpath:/profile/abs-policy-list/abs-policy[name:'rdp over rww'], action:1, line:-1
2012-03-25 18:07:42	wgagent	:::::::::xpath:/profile/service-list/service[name:'SSL-VPN'], action:2, line:-1
2012-03-25 18:07:43	wgagent	:::::::::xpath:/profile/service-list/service[name:'SSL-VPN'], action:2, line:-1
2012-03-25 18:07:49	spamd	statushdlr: invalid wgapi type for status
2012-03-25 18:07:49	networkd	unable to bind /profile/system-parameters/transparent-mode
2012-03-25 18:07:50	firewall	manager_main: Received restart command
2012-03-25 18:07:51	networkd	unable to bind /profile/system-parameters/wireless-radio
2012-03-25 18:07:51	networkd	unable to bind /profile/system-parameters/modem
2012-03-25 18:07:52	firewall	account_new: Skipping account element "Any" due to missing account name
2012-03-25 18:07:52	firewall	account_update: Failed to instantiate account "Any"
2012-03-26 08:41:21	dhcpd	DHCPDISCOVER from 00:1c:42:89:0f:e2 (prl1) via eth1
2012-03-26 08:41:22	dhcpd	DHCPOFFER on 192.168.11.9 to 00:1c:42:89:0f:e2 (prl1) via eth1
2012-03-26 08:41:25	dhcpd	DHCPDISCOVER from 00:1c:42:89:0f:e2 (prl1) via eth1
2012-03-26 08:41:25	dhcpd	DHCPOFFER on 192.168.11.9 to 00:1c:42:89:0f:e2 (prl1) via eth1


0
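An added example, not part of the original post or of any WatchGuard tooling: a small Python check that finds a silence like the one in the excerpt above and lists what was logged just before it. The marker pattern (`sslvpn`, `Received restart command`) is an assumption taken from strings visible in this excerpt, and the thresholds are arbitrary defaults.

```python
import re
from datetime import datetime, timedelta

# Sample input: six of the log lines posted above (timestamp, daemon, message).
SAMPLE_LOG = (
    '2012-03-25 18:02:53\toss-daemon\tdhcps_xpath_cb: Failed to parse WG API request\n'
    '2012-03-25 18:07:25\twgagent\t:::::::::xpath:/profile/sslvpn-list/sslvpn[name:"SSL-VPN"], action:2, line:-1\n'
    '2012-03-25 18:07:50\tfirewall\tmanager_main: Received restart command\n'
    '2012-03-25 18:07:52\tfirewall\taccount_update: Failed to instantiate account "Any"\n'
    '2012-03-26 08:41:21\tdhcpd\tDHCPDISCOVER from 00:1c:42:89:0f:e2 (prl1) via eth1\n'
    '2012-03-26 08:41:22\tdhcpd\tDHCPOFFER on 192.168.11.9 to 00:1c:42:89:0f:e2 (prl1) via eth1\n'
)

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
# Assumption: messages that indicate a configuration save touching SSL VPN.
MARKERS = re.compile(r"sslvpn|Received restart command", re.IGNORECASE)

def parse_events(text):
    """Return [(timestamp, daemon, message)]; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_gaps(events, max_silence=timedelta(minutes=30),
              lookback=timedelta(minutes=5)):
    """One dict per silence longer than max_silence, with the events
    logged during the lookback window before the silence began."""
    events = sorted(events, key=lambda e: e[0])
    gaps = []
    for i in range(1, len(events)):
        prev, cur = events[i - 1][0], events[i][0]
        if cur - prev > max_silence:
            before = [e for e in events[:i] if prev - e[0] <= lookback]
            gaps.append({"start": prev, "end": cur, "before": before})
    return gaps

def config_activity(gap):
    """Events before the gap whose message matches the assumed markers."""
    return [e for e in gap["before"] if MARKERS.search(e[2])]

if __name__ == "__main__":
    for gap in find_gaps(parse_events(SAMPLE_LOG)):
        print("silence:", gap["start"], "->", gap["end"])
        for ts, daemon, msg in config_activity(gap):
            print("  before gap:", ts, daemon, msg)
```
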

 
LVL 32

Expert Comment

by:dpk_wal
ID: 37796850
Logs do not indicate any unusual thing.

Has the issue happened again?
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37833878
It hasn't. I've also not configured anything VPN related.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37836114
Please take a maintenance window and configure something VPN-related, and then it would be interesting to see if the route disappears again! :)
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37863760
It happened again twice, and I knew it would.

I changed SSLvpn to force all traffic through tunnel. I applied changes and the route was lost. It was still listed in routes. I had to remove the route, save, then add the route back and save again.

Then I made another modification to SSLvpn settings and it happened again. I had to fix it the same way.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 37864174
As this issue is specific to your VPN config, it is not a common issue and looks to be specific to your system.

Please contact WG support, as they would be able to dig into the reason and solve it for you.

Sorry for not being able to help further.
0
 
LVL 2

Author Closing Comment

by:SonicVoom
ID: 37864553
Yes, this sounds like a peculiar issue, if not a bug. Thanks for hanging in there with me!
0
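An added example, not from any poster in this thread and not WatchGuard's own tooling: the symptom described above is a static route that is still listed in the configuration but absent from the active table shown in the status report. This Python check parses a saved copy of that "Routes" block and reports expected routes that are missing, point at another gateway, or are not up. The `EXPECTED` list and the function names are assumptions for illustration.

```python
import ipaddress

# Sample input: the "Routes" block from the status report quoted in the question.
STATUS_REPORT = """\
Routes
------------
Destination       Gateway           Flags  Metric Ref  Use Iface
192.168.16.0/24   192.168.11.6      UG     1      0      0 eth1
"""

# Assumption: the static routes you expect, as entered under Networking > Routes.
EXPECTED = [("192.168.16.0/24", "192.168.11.6")]

def active_routes(report):
    """Parse the Routes table into {network: (gateway, flags, iface)}."""
    routes, in_table = {}, False
    for line in report.splitlines():
        cols = line.split()
        if cols[:2] == ["Destination", "Gateway"]:
            in_table = True
            continue
        if not in_table:
            continue
        if len(cols) != 7:
            break  # a blank line or the next section ends the table
        try:
            net = ipaddress.ip_network(cols[0], strict=False)
            gw = ipaddress.ip_address(cols[1])
        except ValueError:
            continue  # row without a parsable destination or gateway
        routes[net] = (gw, cols[2], cols[6])
    return routes

def missing_routes(report, expected):
    """Return (network, gateway, reason) for each expected route that is
    absent, uses a different gateway, or lacks the U (up) flag."""
    active = active_routes(report)
    problems = []
    for net_s, gw_s in expected:
        net, gw = ipaddress.ip_network(net_s), ipaddress.ip_address(gw_s)
        entry = active.get(net)
        if entry is None:
            problems.append((net_s, gw_s, "not in active table"))
        elif entry[0] != gw:
            problems.append((net_s, gw_s, f"gateway is {entry[0]}"))
        elif "U" not in entry[1]:
            problems.append((net_s, gw_s, "route not up"))
    return problems

if __name__ == "__main__":
    print(missing_routes(STATUS_REPORT, EXPECTED) or "all expected routes active")
```

Run after every configuration save, a check like this catches the case from this thread in which the route carrying traffic to the log server was gone until someone noticed.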
