Problem after firmware update on a USG flex 500

Darryl

Ok... will do.  Will post results.
Thanks,
...Darryl

Darryl

Just an update... it's been three days without an outage since I made the changes you recommended.  Thank you!!!
...Darryl

Zyxel_James

Hello @Darryl,

It's glad to hear good news. Thanks for @PeterUK suggestion. Let's monitor it for one more week.

However, the diag-info shows the WAN connectivity check failed, resulting in the WAN interface was considered dead. To look into the root cause, we have to check the ping behavior, check if the device didn't accept the ping response from the target IP address, or anything else. Thank you.

James

PeterUK

Not able to pin point here but testing with no-ip.org and bounceme.net that have low TTL one odd thing was if I block DNS the last known ping IP's would still happen but at 30 seconds apart.

My setting was ICMP period 5 timeout 1 fail tolerance 2 with probe succeed any one

So next test @Darryl to try is to use DNS IP's by your ISP and see if that work.

Darryl

@James, I'm not quite following you here when you say:

 "To look into the root cause, we have to check the ping behavior, check if the device didn't accept the ping response from the target IP address, or anything else."

Which device?  The FW?  How would I do that... the logs roll pretty fast and furious when this happens, as connections can't be made outbound.

@PeterUK, One of the addresses I was trying to ping (not for the connectivity check, but when the event occurred, was the DNS IP address.  Normal conditions:   Minimum = 10ms, Maximum = 34ms, Average = 22ms pinging 75.75.75.75 just now.   I also tried pinging my first DNS address of 9.9.9.9 and get these timing results (just now)  Minimum = 9ms, Maximum = 38ms, Average = 25ms  

Traceroute of the first shows:
Tracing route to cdns01.comcast.net [75.75.75.75]over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  10.3.1.49  2    10 ms    12 ms    10 ms  96.120.28.69  3    10 ms     8 ms     9 ms  96.110.166.241  4     9 ms     9 ms     9 ms  be-32-ar01.area4.il.chicago.comcast.net [68.85.176.73]  5    13 ms    13 ms    11 ms  be-33-ar01.area4.il.chicago.comcast.net [68.85.177.85]  6    14 ms    19 ms    10 ms  ae100-ur02-d.area4.il.chicago.comcast.net [68.87.210.6]  7    10 ms    11 ms    10 ms  dns-sw02.area4.il.chicago.comcast.net [68.86.188.78]  8    10 ms    11 ms     8 ms  cdns01.comcast.net [75.75.75.75]

Traceroute of the second shows:
Tracing route to dns9.quad9.net [9.9.9.9]over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.3.1.49  2    10 ms    11 ms     9 ms  96.120.28.69  3    10 ms    10 ms    10 ms  96.110.166.241  4     9 ms     9 ms     9 ms  be-32-ar01.area4.il.chicago.comcast.net [68.85.176.73]  5    11 ms    11 ms    11 ms  be-33-ar01.area4.il.chicago.comcast.net [68.85.177.85]  6    11 ms    11 ms    10 ms  be-32241-cs04.350ecermak.il.ibone.comcast.net [96.110.40.61]  7    12 ms    11 ms    11 ms  be-2404-pe04.350ecermak.il.ibone.comcast.net [96.110.37.46]  8    11 ms    11 ms    11 ms  66.208.216.62  9    11 ms    10 ms    10 ms  dns9.quad9.net [9.9.9.9]

So one hop difference, similar times.

I use one DNS outside of my ISP incase their DNS fails (it's happened).  

...Darryl

PeterUK

I read you used devanno.com and comcast.net for the connectivity check? So my idea was try IP's only not domain name in case its a DNS to get the IP to ping problem.

PeterUK

Darryl said:

@James, I'm not quite following you here when you say:

 "To look into the root cause, we have to check the ping behavior, check if the device didn't accept the ping response from the target IP address, or anything else."

Which device?  The FW?  How would I do that... the logs roll pretty fast and furious when this happens, as connections can't be made outbound.

When you have no internet you could do a packet capture in diagnostic on the USG device for the WAN interface give it a min then open the capture files and check DNS and ICMP for the connectivity check in use. 

Darryl

@PeterUK Gotcha on both, thank you.  It's been a long week.  ;-)  Right now I have the connection check turned off, per your prior suggestions.  This weekend, when I'm going to be around I'll turn it back on using IP addresses as you suggest for said connectivity check.   Thanks again for your help and support!!!
...Darryl