My firewall keeps dropping the LAN Connection


Diego
We recently set up a Windows 2003 SBS domain for an office of about 20 users. The next step in the project was to set up their VPN so their branch offices could connect. We used a Netgear FVS338 firewall router. We have used this firewall for other clients' domains before and never had a problem. But in this case we have had nothing but mind-bending issues. The Netgear is configured with the service provider's (Deltacom) static IP and DNSs. Every time we put the firewall in, it works perfectly fine for a few days, and then it suddenly gets slow and it brings the Local Area Connection down. We can log in to the firewall's web config but the client computers can't access the web. We've RMA'ed the firewall 3 times, with the same issue at varying degrees of severity each time. We've upgraded the firmware several times and it currently has the most up-to-date version. No Netgear technician has been able to help me out, and the technicians at Deltacom say the modem is configured correctly to work with the firewall. My boss and I are stumped. I disabled any local firewall or security software on the client's computers to no avail. Any suggestions on this matter would be GREATLY appreciated. Thanks.
  • +
    0 Votes
    CG IT

    Need more information on how the SBS box is set up.

    +
    0 Votes
    Diego

    Are you asking for specs on our server or the firewall?

    The server is a custom-built full ATX tower with dual Xeons and two GB of ECC RAM. It runs Windows 2003 SBS, Exchange, and Norton Groupware. We set it up in a small storage room hooked into a switch that is fed by the Netgear FVS338, which is bridged with an Altel voice and data modem. We have a partial T1. We configured the Netgear firewall with a static IP and DNS addresses from our ISP, Deltacom. Whenever the office loses connectivity to the web, we can still log in to the Netgear from a remote location. Deltacom says our modem has been connected and online for about a year according to the log. We have to reboot the Netgear to reestablish. Eventually we replace the Netgear with their old Linksys wireless router and it stays connected reliably. Is there anything else you need to know? Thanks for your consideration.

    +
    0 Votes
    Zen37

    Is the device connected to a UPS? If yes, have you tried without? If no, have you tried with one? How is the temperature in the room where the equipment is located? Is there adequate AC?

    The obvious is, have you tried a different cable? Is there a switch between the router and your firewall? Have you tried a different router from your Internet supplier?

    When the problem occurs, are all interfaces still up? Any errors on the interfaces? Have you tried sniffing the traffic while the problem occurs?

    +
    0 Votes
    Cfaulk

    SBS2003 & NETGEAR FVS338 VPN Firewall dropping the Comcast WAN link.

    I have RMA'd the router and gotten a new one. I have also experimented with the various Flash ROM images from Netgear.

    Nothing seems to work... except power cycling the Netgear FVS338 each time the clients are unable to get out on the internet.

    I doubt I will ever buy another Netgear product or implement it for any customers in the future.

    I will say, when it goes down I am still able to ping the Netgear's internal LAN port on 192.168.1.1, but that's as far as it goes.

    +
    0 Votes
    Zen37

    You know, can you put a switch between your ISP router and your firewall? See if the link still fails and if so, which one, the one with the firewall or the one with the router. If this is Layer 1 or 2, this will determine the culprit.

    +
    0 Votes
    Diego

    In my case I'm pretty much positive the link fails with the firewall. Like I mentioned before, whenever the clients cannot get internet, we can still log in to the firewall remotely, and according to our service provider, who logs in and checks the log file of their router, it has been connected for 360 something days. Any ideas?

    +
    0 Votes
    Cfaulk

    There seems to be no logic to why the LAN loses outside access to the Comcast WAN. I have done tracert & ping from a client machine when the i-net goes down. I can ping anywhere on the LAN including the internal Netgear port 192.168.1.1. But that's as far as it goes. I also have spoken with Comcast and they stated the same thing your ISP did in terms of awesome uptime availability.

    It is the NETGEAR ROUTER. Unplug it and plug it back in... network is fine within a minute.

    I will NEVER purchase another Netgear product as long as I'm alive. The manual to set up VPN with the FVS338 is a joke. I spent over 18 hours on the phone over 3 months having them "attempt" to set up 3 users' VPN profiles. It's the least intuitive VPN I have ever had the displeasure of purchasing and configuring.

    I also RMA'd the original equipment. Changed out Cat5e cables. Played with every single flash OS image and still without reason... the connection drops.

    If you find out anything let me know. I think I will post on Experts Exchange... I will let you know what I find out.

    Peace, Chris

    +
    0 Votes
    Diego

    I also did the same thing, upgraded firmware like three times, had the Netgear "engineers" log in and configure the VPN, all to no avail.
    We are now purchasing a Symantec gateway VPN firewall. I will post back on the results.

    +
    0 Votes
    henric

    I had the same issue with an FVS338 and an SB5120 cable modem. Heavy bidirectional traffic would almost always trigger it. I placed a hub between the modem and the router to see what was going on with a sniffer, but found that the problem went away. Anyway, if I were to make a guess something nasty related to Ethernet flow control is going wrong... (If it was simply an issue of bidirectional traffic tickling a driver bug, a hub should not change that.) I remember playing with forcing the link to 10 or 100M instead of using auto, but it did not help. I started contacting Netgear, but since the hub solved my problem I never followed through (and I didn't have anything else to do with a huge 5 port hub). I'd imagine a switch should work just as well.

    Another thing to try: force a link negotiation by, for example, unplugging/replugging the Ethernet cable.

    +
    0 Votes
    cerireid

    Hi, I gather you haven't had any useful replies on this (surprise!). We've been running an FVS338 for about a year. We're not using NAT (which I think may be significant - just a hunch). Over the past year, every time I enable DHCP on the device, it periodically (about once a week, on average) locks up or provides a very very slow internet connection. When I run DHCP on my Windows 2000 Server, the FVS 338 never locks up, so my guess is the DHCP is behind it all.
    The stuff about idle timeouts and hardware watchdogs in other posts doesn't help. The problem isn't anything to do with idle timeouts, and there is no hardware watchdog on the device.
    So if you're using the DHCP server capabilities of the device (and why wouldn't you be?), my only constructive suggestion would be to use some other network device as DHCP server. You'll need to be able to configure the gateway to be the FVS338, though - but the DHCP server on Win2k server can do this (but has problems of its own...).

    Hope this helps.
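
The isolation reasoning the posters apply by hand (the LAN port at 192.168.1.1 still answers, the firewall can still be reached from outside, yet clients cannot get out) is shown here as an added example that is not from any poster. The probe fields, verdict names and sample records are constructed assumptions.

```python
# Added example: localize an outage from periodic reachability probes.
# Field names, verdict labels and SAMPLE data are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Probe:
    minute: int        # minutes since monitoring started
    lan_gateway: bool  # inside client -> firewall LAN port (192.168.1.1 in the thread)
    internet: bool     # inside client -> any host beyond the firewall
    wan_mgmt: bool     # outside host -> firewall WAN side (remote login / ISP view)

def classify(p):
    if p.internet:
        return "ok"
    if not p.lan_gateway:
        return "lan-side"             # cable, switch or the firewall's LAN port
    if p.wan_mgmt:
        return "firewall-forwarding"  # both sides answer, traffic is not passed
    return "wan-link-or-isp"          # firewall unreachable from outside as well

def outage_windows(probes):
    """Merge consecutive failing probes with the same verdict into (start, end, verdict)."""
    windows, current = [], None
    for p in sorted(probes, key=lambda x: x.minute):
        verdict = classify(p)
        if current and current[2] == verdict:
            current[1] = p.minute     # same fault continues
            continue
        if current:
            windows.append(tuple(current))
        current = None if verdict == "ok" else [p.minute, p.minute, verdict]
    if current:
        windows.append(tuple(current))
    return windows

# Constructed sample: a 10-minute stall that ends after a power cycle,
# followed by a short drop where the WAN side is unreachable too.
SAMPLE = [
    Probe(0, True, True, True),
    Probe(5, True, True, True),
    Probe(10, True, False, True),
    Probe(15, True, False, True),
    Probe(20, True, True, True),
    Probe(25, True, False, False),
    Probe(30, True, True, True),
]

if __name__ == "__main__":
    for start, end, verdict in outage_windows(SAMPLE):
        print(f"minute {start}-{end}: {verdict}")
```

Timestamped windows like these can be lined up against DHCP lease activity or heavy-traffic periods to test the hypotheses raised in the replies.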
