Tag Archives: XTM

Watchguard XTM 2 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.4.2 – CSP2

11.4.2 – CSP2 resolves the following issues:

BUG61923: Proxy cfm worker1 spinning under high load

BUG61924: Proxy cfm worker5 crash under high load

BUG61807: GAV job open failed with scand stack traces

BUG62104: Proxy cfm worker4 crash under high load

BUG61325: “Any (0.0.0.0/0)” option in WebUI is different than actual zero route configured in WSM

Improved TCP Selective ACK functionality has been added to the proxies. The improved Selective ACK should resolve reports of large file downloads stalling for HTTP and FTP when neither GAV nor IPS is in use, and may also help throughput through proxy policies on lossy networks with high latency. BUG60249, BUG42691, BUG60422, BUG39876, RFE39150, BUG60943

You can request 11.4.2 – CSP2 from Watchguard Support by logging a support case online; Support should then provide an FTP download link and the appropriate credentials.

Please note that Watchguard CSP releases are cumulative so you should only need to apply the latest to ensure that you also have any previous fixes.

Watchguard XTM 2 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.4.2 – CSP1

11.4.2 – CSP1 resolves the following issues:

BUG61760: Authentication failing or slow with hundreds of Firebox DB authentication at same time

BUG62019: BOVPN tunnels would not establish after upgrade from 11.3.2 to 11.4.1 using IPSec Certificates

BUG61916: XTM1050 xt_session module fails to add session due to limit of 1000

BUG61009: 1-to-1 NAT with SIP-ALG not working properly

BUG59407, BUG62074: resolved several issues causing certificates to not sync properly when using FireCluster Active/Passive.  Improper syncing resulted in missing certificates

BUG62352: iOS PPTP connection may fail when connected from a 3G line

You can request 11.4.2 – CSP1 from Watchguard Support by logging a support case online; Support should then provide an FTP download link and the appropriate credentials.

Please note that Watchguard CSP releases are cumulative so you should only need to apply the latest to ensure that you also have any previous fixes.

Watchguard – SSL VPN clients cannot resolve internal host names despite DNS servers being configured for the connection

You may find that when you configure your Watchguard XTM firewall to accept SSL VPN connections, clients can connect to the VPN and ping the IP addresses of internal resources, but cannot resolve internal hosts by name, even by FQDN, using DNS. You may also find that when you run NSLOOKUP on the SSL VPN connected client, the server reported is your Internet Service Provider's DNS server rather than the DNS servers assigned via the VPN connection.

To resolve the issue you can change your SSL VPN configuration from a “Routed VPN” to a “Bridge VPN”. The routed VPN uses a virtual IP address pool (192.168.113.0/24) which does not match your internal IP range or the address range of the internal DNS servers. When a Windows client connects to the “Routed VPN”, it appears that because of this DNS server mismatch the assigned DNS servers are not used by the client.

Configuring the VPN in “Bridge VPN” mode works around this issue. The Bridge VPN configuration lets you exclude some addresses from your Windows DHCP server pool and enter them as the “Start” and “End” IP addresses on your Watchguard SSL VPN configuration page. The Watchguard then becomes responsible for assigning these internal IPs to VPN clients as they connect, rather than the Windows DHCP server.

You should now find that when your SSL VPN clients connect they are assigned an IP address and DNS servers that are all within the existing internal IP range of your network. An NSLOOKUP should now return your internal DNS server address, and you should be able to ping hostnames and FQDNs that reside within your internal network.

Examples:

ping windowsserver

ping windowsserver.exampledomain.local

Please remember that the only downside of this configuration is that a “Bridge VPN” bridges to the “Trusted” interface, which means that the client computer can by default access any internal resources it has permissions for. A “Routed VPN” allows you to offer traffic to Optional/secondary networks and gives you more control by letting you lock down access using “Specify allowed resources”.
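The following is an added example, not code from the post author or from WatchGuard, that turns the checks described in this post into a small script: it reads which resolver a Windows client's NSLOOKUP actually used and whether that resolver is inside the trusted LAN, reports which assigned DNS servers are off the VPN client pool (the mismatch blamed above for the routed VPN), and validates a proposed Bridge VPN “Start”/“End” range against the Windows DHCP scope and its exclusions. Every address, host name and nslookup transcript in it is constructed for the example; only the 192.168.113.0/24 routed pool comes from the post.

```python
"""Sanity checks for the SSL VPN addressing discussed in the post above.
Added example, not WatchGuard's code or the post author's; every address,
host name and nslookup transcript below is constructed for the example and
does not describe a real network."""
import ipaddress
import re

# Constructed sample network: trusted LAN, its DNS servers, and the routed-VPN
# pool named in the post.
INTERNAL_LAN = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_DNS = ["192.168.1.10", "192.168.1.11"]
ROUTED_VPN_POOL = ipaddress.ip_network("192.168.113.0/24")

# Constructed Windows nslookup transcripts: one from a client on the routed VPN
# (the ISP resolver answers and the internal name fails) and one from a
# bridged client (the internal DNS server answers).
NSLOOKUP_ROUTED = """Default Server:  resolver.isp.example
Address:  203.0.113.53

> windowsserver
Server:  resolver.isp.example
Address:  203.0.113.53

*** resolver.isp.example can't find windowsserver: Non-existent domain
"""

NSLOOKUP_BRIDGED = """Default Server:  dc01.exampledomain.local
Address:  192.168.1.10

> windowsserver
Server:  dc01.exampledomain.local
Address:  192.168.1.10

Name:    windowsserver.exampledomain.local
Address:  192.168.1.20
"""

# The first "Server:" / "Address:" pair identifies the resolver nslookup used;
# later "Address:" lines belong to the answer, so only the first match counts.
_RESOLVER_RE = re.compile(r"^(?:Default )?Server:\s+(\S+)\s*\nAddress:\s+(\S+)", re.M)


def parse_nslookup_resolver(output):
    """Return (name, ip_address) of the resolver reported by nslookup."""
    m = _RESOLVER_RE.search(output)
    if not m:
        raise ValueError("no resolver found in nslookup output")
    return m.group(1), ipaddress.ip_address(m.group(2))


def resolver_is_internal(output, lan=INTERNAL_LAN):
    """True when the client queried a resolver inside the trusted LAN."""
    _, ip = parse_nslookup_resolver(output)
    return ip in lan


def dns_servers_off_pool(pool, dns_servers):
    """DNS servers that are not on the same subnet as the VPN client pool,
    i.e. the mismatch the post identifies for the routed VPN."""
    return [s for s in dns_servers if ipaddress.ip_address(s) not in pool]


def bridge_range_problems(start, end, dhcp_start, dhcp_end, exclusions=(), lan=INTERNAL_LAN):
    """Problems with a proposed bridge-VPN Start/End range: it must lie inside
    the trusted LAN subnet, and every address in it must be outside the DHCP
    scope or covered by a DHCP exclusion, otherwise the Windows DHCP server and
    the firewall could both hand out the same address."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s > e:
        return ["start address is after end address"]
    problems = []
    if s not in lan or e not in lan:
        problems.append(f"range is not inside the trusted LAN {lan}")
    ds, de = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    excluded = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in exclusions]
    clashes = 0
    for i in range(int(s), int(e) + 1):
        addr = ipaddress.ip_address(i)
        in_scope = ds <= addr <= de
        covered = any(a <= addr <= b for a, b in excluded)
        if in_scope and not covered:
            clashes += 1
    if clashes:
        problems.append(f"{clashes} address(es) still handed out by the DHCP scope")
    return problems


if __name__ == "__main__":
    print("routed client resolver internal?", resolver_is_internal(NSLOOKUP_ROUTED))
    print("bridged client resolver internal?", resolver_is_internal(NSLOOKUP_BRIDGED))
    print("DNS servers off routed pool:", dns_servers_off_pool(ROUTED_VPN_POOL, INTERNAL_DNS))
    print("bridge range check:", bridge_range_problems(
        "192.168.1.210", "192.168.1.220", "192.168.1.100", "192.168.1.200"))
```

To use it against a real client, paste the NSLOOKUP output from the VPN-connected machine in place of the constructed transcript and substitute your own LAN, DNS and DHCP scope values; an empty list from bridge_range_problems means the Start/End range is safe to enter on the SSL VPN configuration page without colliding with DHCP leases.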