Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Fixed my WAN connection failover problem tonight

By Andrew Pollack on 11/01/2011 at 09:36 PM EDT

For the last couple of weeks, my WAN connection here has been failing over from the Cable Modem to the backup DSL connection pretty frequently and the root cause has left me baffled.  Until tonight.

The failover is handled by my trusty old Sonicwall TZ-170 firewall.  It handles both the cable and dsl connections and can handle load balancing and failover.  For me, this combination makes sense since my public facing servers are all located at hosting centers so there's no need for a commercial network connection here. The total cost to have two different consumer grade connections isn't bad, and the reliability I get with the fail-over is worth it.


The problem has been that for the last couple of weeks, the faster cable connection has been periodically failing for no visible reason. Tests show me that the link is good, and if reboot the firewall it goes back to being happy...for a while. This configuration has been stable and reliable for a long time so it really had me scratching my head. It turns out that the answer was right there in the words "Trusty Old Sonicwall". The system had been reliable and stable, so I'd had no reason to look into updated firmware and it completely slipped my mind for the last several years.

You may remember that in 2007 we changed the date on which we switch the clocks for Daylight Savings Time. Well, I'd been lax in updating that trusty old Sonicwall and it was using the old dates. For the last few weeks, it's been off by one hour. When the system boots, it makes a brand new DHCP request and gets an address, then every few hours, it issues a DHCP "RENEW" transaction so that the address remains valid. When the DHCP RENEW transaction hit the provider's DHCP server, it had a timestamp that was off by an hour and was ignored. The firewall decided that since it couldn't renew its address, it had to invalidate that network port. Failover occurred.

I was able to test this theory by turning off the NTP (Network Time Protocol) settings and manually set the time on the firewall. Once I validated the fix, I went out and got an updated firmware for the TZ-170 and all is well.



There are  - loading -  comments....



Other Recent Stories...

  1. 11/10/2014Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoI went through the process to understand what IBM is saying in their patch information -- and while it's valid, it's also harder than it needs to be (IMCO) for people already used to doing things the Domino way. If you're already familiar with using the server certification database to create the keyring and make the certificate request certificate (CSR) you can keep using it. This is also helpful if you already have a SHA1 based certificate and you just want to re-issue. Note: This resolves the browser ...... 
  2. 11/04/2014Warning: IBMs Interim Fix adding TLS 1.0 to Domino can break connections from Python and some other scripting clientsHere's a bit of joy to add to your day. Once your server can speak TLS 1.0 to help secure you from POODLE attacks, any code making connections to your server over HTTPS that use the utilities wget, curl and most importanly Python (and others, apparently) may break. The issue is that these tools are built using a version of openSSL that will try to connect using TLS 1.2 first -- and when that fails, the connection gets dropped. I've seen reports of this in Ruby as well, but I've verified that it is an issue ...... 
  3. 11/04/2014Patch for the SSL v3 POODLE exploit has escaped IBM and can now be downloaded. You REALLY need this patchIf you do not apply this patch, you are going to start having users unable to connect using SSL to your Domino servers. Vendors and customer sites are starting to release operating system and browser patch that block access to sites using only SSLv3 without TLS. Until this morning, that meant all Domino servers not using a reverse proxy front end of some kind. This patch adds TLS 1.0 to Domino versions 8.51, 8.52, 8.53, 9.0, and 9.01 in all the various platforms. TLS 1.0 is a fairly old version of TLS but ...... 
  4. 10/29/2014Automatic Spam Report to Provider Agent 
  5. 10/21/2014Quick update on the Domino SSL v3 "POODLE" , TLS, and SHA-2 issues -- Good news 
  6. 10/16/2014Summary Recommendation for dealing with the POODLE SSLv3 Vulnerability on Domino servers 
  7. 10/14/2014Speaking tonight ath the ICU One (aka NE Notes Users Group) 
  8. 10/09/2014Presentations from AdminCamp 2014 
  9. 09/17/2014IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM 
  10. 02/09/2014Changing what I do at the Fire Department 
Click here for more articles.....


pen icon Comment Entry
Subject
Your Name
Homepage
*Your Email
* Your email address is required, but not displayed.
 
Your thoughts....
 
Remember Me  

Please wait while your document is saved.