
Watchguard XTM Firewall and UTM Appliance – High CPU Usage in the GAV (gateway anti-virus) scand process causes lag and typing delay in Remote Desktop Sessions (RDP) and SIP or VoIP latency issues

Watchguard XTM Firewall and UTM Appliance – High CPU Usage in the scand process causes lag and typing delay in Remote Desktop Sessions (RDP).  You may find that remote users report lag in Remote Desktop Sessions, freezing sessions, black screens and random disconnections.  At around the same time that users report these issues you may find that the CPU usage on your Watchguard has increased to 100% and that the majority of the activity is attributed to the scand process.  You may be able to recreate this issue by browsing websites that use lots of Adobe Flash or media content, as GAV will need to scan all of these elements of the web page.

Log in to Watchguard System Manager, open Firebox System Manager, click on Status Report and scroll down the report until you find the Process List (screenshot below).  This information updates automatically every 30 seconds, so the %CPU column will change every 30 seconds.  The top value, system, shows the overall CPU utilisation; further down you can see which sub-processes are actually occupying the CPU time and making up the overall system usage.  In the screenshot below, system is showing 100% CPU usage and further down the scand process accounts for 90.99% of this.

When CPU usage reaches 100% on the Watchguard unit it may stop forwarding other traffic, and this accounts for the lag and jitter seen within the Remote Desktop Session.  Other time-sensitive traffic such as VoIP or SIP may also be affected, as packets are delayed whilst the firewall recovers from the resource exhaustion.  Users may also report that web pages are slow to load at the time these issues occur, while the GAV process is still dealing with the other requests.

Resolution/Workaround:

You can try disabling GAV (gateway antivirus) for the HTTP and FTP proxies to confirm that this is the actual cause of your issues.  If the problem subsides, you may need to consider updating the XTM OS to the latest release (i.e. 11.5.2) and/or adjusting the GAV policy so that it does not scan some content (i.e. images/text within websites).  You may also need to consider opening a support case with Watchguard to make them aware of this issue.  If you have a large number of users you may even need to consider upgrading your XTM appliance to a larger unit (i.e. XTM 23 to XTM 505, or XTM 22 to XTM 330) to provide additional processing power (CPU) and system resources to cope with the additional anti-virus scanning requirements.

Watchguard XTM High CPU Usage scand

Microsoft Windows – Network Printer/s Unexpectedly Show Offline

When using Microsoft Windows (various editions and versions) you may find that your network printer unexpectedly shows offline.  This can occur for a number of reasons and today's blog will try to help get you printing again.

First you should verify that you can ping the printer you are trying to print to.  You can usually find the hostname or the IP address of the printer from the “Ports” tab of the printer's “Properties” page.

It should look something like this:

“Printer Name or IP Address” is where we can see which port the printer is trying to print to.  We can then open a command prompt by typing “cmd” into the “Run” box and type the ping command followed by the IP address or hostname of our printer, for example “ping 192.168.1.230” or “ping hpinkjetprinter”.

If we do not get a response from the address or hostname, it could indicate that the printer has been assigned a different IP address (DHCP) by the server or your router.  It could also indicate that the printer is turned off, or that the network cable is unplugged or damaged; if the printer is wireless it may be that the signal is no longer in range or that the wireless credentials it was set up with have been changed (WEP or WPA key, SSID).  Many servers or routers support reservations so that you can ensure your printer always gets the same IP address.  Alternatively you can find the hostname of your printer and set the printer port to the hostname, so that if the IP address changes the computer should still be able to resolve the hostname to the current and valid IP address of the device.

If your printer is responding to a ping but you still cannot print, it may be an issue with the configuration of the printer's “Standard TCP/IP Port”.  You will find several options on the port configuration page that can affect your ability to submit a print job to the network printer, and they may also cause the printer to incorrectly report that it is offline.

One particular issue that I have witnessed first hand is an HP OfficeJet printer showing offline when “SNMP Status Enabled” is ticked under the “Standard TCP/IP Port” printer port configuration tab.  You may be able to ping the printer and access its web configuration, but the printer will continue to show offline in Windows and print jobs will remain in the print queue.  Once “SNMP Status Enabled” is unchecked the printer will appear online again and print correctly.

You may also find that your printer only supports RAW or LPR mode; you can usually find further information on the “Protocol” that your printer supports via the technical manual or sometimes via the printer's web configuration page.

Last but not least, please remember to check that you have the latest printer drivers from the manufacturer's website; any firmware updates or software updates should also be installed to ensure the optimum performance and reliability of your product.  It is also important to ensure that the printer you are accessing is compatible with your operating system and that driver support is either provided natively within Windows or the manufacturer supplies drivers via their website.
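The checks above (resolve the port's hostname, ping it, then confirm the print protocol port answers, and note whether SNMP status is enabled) can be run against every installed printer in one go.  The script below is an added example written for this post, not a Microsoft or printer-vendor tool.  It assumes Windows 8 / Server 2012 or later, which ship the PrintManagement cmdlets (Get-Printer, Get-PrinterPort) and Test-NetConnection, and it reads the target address, port number and SNMP flag from each Standard TCP/IP port object.

```powershell
# Added example (not part of the original post): for every locally installed
# printer that uses a Standard TCP/IP port, check name resolution, ICMP
# reachability and whether the port's TCP service (9100 RAW or 515 LPR)
# accepts a connection. Assumes Windows 8 / Server 2012 or later for the
# PrintManagement module and Test-NetConnection.

function Test-NetworkPrinterPort {
    param(
        [Parameter(Mandatory)] [string]$PrinterName,
        [Parameter(Mandatory)] [string]$HostAddress,   # hostname or IP shown on the "Ports" tab
        [int]$PortNumber = 9100,                       # 9100 = RAW, 515 = LPR
        [bool]$SnmpStatusEnabled = $false              # the "SNMP Status Enabled" checkbox
    )

    $result = [ordered]@{
        Printer    = $PrinterName
        Target     = $HostAddress
        Resolved   = $null
        Ping       = $false
        TcpPort    = $PortNumber
        TcpOpen    = $false
        SnmpStatus = $SnmpStatusEnabled
    }

    # Step 1: does the port target resolve? A printer that picked up a new DHCP
    # lease shows up here as a stale hostname or an address that no longer answers.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostAddress, [ref]$ip)) {
        $result.Resolved = $ip.IPAddressToString
    } else {
        try {
            $answer = Resolve-DnsName -Name $HostAddress -Type A -ErrorAction Stop |
                      Where-Object { $_.IPAddress } | Select-Object -First 1
            $result.Resolved = $answer.IPAddress
        } catch {
            $result.Resolved = 'DNS failure'
            return [pscustomobject]$result
        }
    }

    # Step 2: ICMP, the same check as "ping 192.168.1.230" from a command prompt
    $result.Ping = [bool](Test-Connection -ComputerName $HostAddress -Count 2 -Quiet -ErrorAction SilentlyContinue)

    # Step 3: the print service port itself. A device can answer ping while
    # 9100/515 is closed (wrong protocol selected, or another device now holds
    # that address), which is what leaves jobs sitting in the queue.
    $tcp = Test-NetConnection -ComputerName $HostAddress -Port $PortNumber -WarningAction SilentlyContinue
    $result.TcpOpen = [bool]$tcp.TcpTestSucceeded

    [pscustomobject]$result
}

# Enumerate local printers, look up each one's port object and test it
Get-Printer | ForEach-Object {
    $printer = $_
    $port = Get-PrinterPort -Name $printer.PortName -ErrorAction SilentlyContinue
    if ($port -and $port.PrinterHostAddress) {
        Test-NetworkPrinterPort -PrinterName $printer.Name `
                                -HostAddress $port.PrinterHostAddress `
                                -PortNumber  $port.PortNumber `
                                -SnmpStatusEnabled ([bool]$port.SNMPEnabled)
    }
} | Format-Table -AutoSize
```

Reading the table: a row with Resolved = "DNS failure" or Ping = False is the DHCP/cabling/wireless case; Ping = True with TcpOpen = False points at the port configuration (RAW versus LPR, or the wrong port number); Ping and TcpOpen both True with SnmpStatus True and the printer still offline in Windows is the SNMP status case described above.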

Watchguard – SSL VPN clients cannot resolve internal host names despite DNS servers being configured for the connection

You may find that when you configure your Watchguard XTM Firewall to accept SSL VPN connections, clients can connect to the VPN and ping IP addresses of internal resources, but cannot resolve internal hosts, even by FQDN, using DNS.  You may also find that when you run NSLOOKUP on the SSL VPN connected client, the result is your Internet Service Provider's DNS servers rather than the DNS servers assigned via the VPN connection.

To resolve the issue you can change your SSL VPN configuration from a “Routed VPN” to a “Bridge VPN”.  The routed VPN uses a virtual IP address pool (192.168.113.0/24) which does not match your internal IP range or the address range of the internal DNS servers.  When a Windows client connects to the “Routed VPN” it appears that, due to the DNS server mismatch, they are not utilised by the client.

When you configure the VPN in “Bridge VPN” mode you can work around this issue.  The Bridge VPN configuration allows you to exclude some addresses from your Windows DHCP Server pool and add them into the “Start” and “End” IP addresses on your Watchguard SSL VPN configuration page.  The Watchguard will now become responsible for assigning these internal IPs to VPN clients as they connect, rather than the Windows DHCP Server.

You should now find that when your SSL VPN clients connect they are assigned an IP address and DNS server that are all within the existing internal IP range of your network.  An NSLOOKUP should now return your internal DNS server address and you should be able to ping hostnames and FQDNs that reside within your internal network.

Examples:

ping windowsserver

ping windowsserver.exampledomain.local


Please remember that the only downside of this configuration is that a “Bridge VPN” bridges to the “Trusted” interface; this means that the client computer can access any internal resources that they have permissions for by default.  A “Routed VPN” allows you to offer traffic to Optional/secondary networks and gives you more control by letting you lock down access using “Specify allowed resources”.
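The NSLOOKUP check described above can be made more precise on the Windows client: list the DNS servers bound to each active adapter, flag whether the VPN adapter actually carries the internal DNS server, and resolve an internal FQDN once via the default resolver and once forced to the internal server.  The second comparison separates "the internal server is reachable but Windows is not using it" (the routed-mode symptom in this post) from "the internal server is not reachable over the VPN at all".  This is an added example written for this post, not Watchguard's own tooling; the adapter name pattern, the internal DNS server address and the FQDN are assumptions for the example, and the FQDN is borrowed from the ping examples above.

```powershell
# Added example (not part of the original post): run on a Windows client while
# the SSL VPN is connected. Shows which DNS servers each active adapter uses,
# whether the VPN adapter carries the internal DNS server, and whether an
# internal FQDN resolves via the default resolver versus the internal server.
# Assumes Windows 8 / Server 2012 or later (NetAdapter, DnsClient, NetTCPIP modules).

$VpnAdapterPattern = 'WatchGuard|TAP'                     # assumed: the SSL VPN client's virtual adapter
$InternalDnsServer = '192.168.1.10'                       # assumed: internal DNS server pushed by the VPN
$InternalFqdn      = 'windowsserver.exampledomain.local'  # from the post's ping example

function Get-VpnDnsReport {
    param(
        [string]$AdapterPattern = $VpnAdapterPattern,
        [string]$ExpectedDns    = $InternalDnsServer
    )
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
        $ips = (Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
        [pscustomobject]@{
            Adapter        = $_.Name
            IsVpn          = [bool]($_.InterfaceDescription -match $AdapterPattern)
            IPv4           = ($ips -join ', ')
            DnsServers     = ($dns -join ', ')
            HasInternalDns = [bool]($dns -contains $ExpectedDns)   # the routed-mode symptom shows as False here
        }
    }
}

function Test-InternalNameResolution {
    param(
        [string]$Name        = $InternalFqdn,
        [string]$ExpectedDns = $InternalDnsServer
    )
    # Default resolver path: the same path NSLOOKUP (without -server) and ping use
    $viaDefault = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    # Forced to the internal server: separates "wrong server chosen" from "server unreachable"
    $viaInternal = Resolve-DnsName -Name $Name -Type A -Server $ExpectedDns -ErrorAction SilentlyContinue |
                   Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress

    if ($viaDefault) {
        $diagnosis = 'OK: internal name resolves through the default resolver'
    } elseif ($viaInternal) {
        $diagnosis = 'Internal DNS answers but Windows is not using it: the Routed VPN mismatch described in the post'
    } else {
        $diagnosis = 'Internal DNS not reachable over the VPN: check the VPN DNS settings and routes'
    }

    [pscustomobject]@{
        Name            = $Name
        DefaultResolver = if ($viaDefault)  { $viaDefault  -join ', ' } else { 'no answer' }
        InternalServer  = if ($viaInternal) { $viaInternal -join ', ' } else { 'no answer' }
        Diagnosis       = $diagnosis
    }
}

Get-VpnDnsReport | Format-Table -AutoSize
Test-InternalNameResolution | Format-List
```

Run it once with the routed configuration and once after switching to bridge mode: in routed mode the VPN adapter row typically shows HasInternalDns = True while the Diagnosis reports the internal server answering but not being used; after the change to bridge mode the adapter address falls inside the internal range and the default-resolver lookup succeeds.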