Operational Defect Database

BugZero found this defect 2853 days ago.

WatchGuard Technologies | kA10H000000g3hGSAQ

Firebox loses connectivity after a reboot when the branch office tunnel name includes a space and broadcast routing is enabled

Last update date:

7/27/2016

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.11.x

11.11.1

Fixed releases:

All

Description:

Issue

If your Firebox configuration includes a branch office VPN with a space in the tunnel name, and Enable broadcast routing over the tunnel is selected on a tunnel route, the Firebox loses all network connectivity after a reboot. Although the Firebox appears to have crashed, it is accessible through the console. This issue occurs with Fireware OS v11.11.1.

To recover (if you have a saved configuration file)

1. Reset the Firebox. To learn more, see Reset a Firebox.
2. Run the Quick Setup Wizard to create a basic configuration file. To learn more, see Run the WSM Quick Setup Wizard.
3. Use Policy Manager to upload your saved configuration file to the Firebox.
4. Do one of the following:
   - Delete the VPN tunnel from the Firebox and recreate it without a space in the name, or
   - Disable broadcast routing for all tunnel routes.

To recover (if you do not have a saved configuration file)

You must use the command line interface (CLI) to delete the tunnel route.

1. Connect your computer to the Firebox console port. See the hardware guide for your Firebox for more information.
2. Set up PuTTY or another terminal emulator to use these serial settings:
   Speed: 115200
   Data bits: 8
   Stop bits: 1
   Parity: None
   Flow Control: None
3. Use your terminal emulator to connect to the Firebox. The WG# prompt appears.
4. Type config to enter command mode.
5. Type policy to enter policy mode.
6. Type show bovpn-tunnel to list the configured BOVPN tunnels.
7. Use the no bovpn-tunnel command to remove the tunnel that has a space in the name. To delete this tunnel, you must enclose your tunnel name in quotation marks. For example, if your tunnel is named test tunnel, type no bovpn-tunnel "test tunnel"
8. Type apply.
9. Type exit.
10. Type exit.
11. Type reboot.
12. Use either the CLI or Web UI to re-add the tunnel without a space in the name.
Here is an example of how to use the CLI to remove a tunnel called test tunnel:

login as: admin
Using keyboard-interactive authentication.
Password:
--
-- WatchGuard Firebox Operating System Software.
-- Fireware XTM Version 11.11.1
-- Support: https://www.watchguard.com/support/supportLogin.asp
-- Copyright (C) 1996-2015 WatchGuard Technologies Inc.
--
WG#config
WG(config)#policy
WG(config/policy)#show bovpn-tunnel
--
-- Total 1 BOVPN Tunnel(s)
--
Tunnel Name    Gateway Name
test tunnel    test.gateway
WG(config/policy)#no bovpn-tunnel "test tunnel"
WG(config/policy)#apply
WG(config/policy)#exit
WG(config)#exit
WG#reboot
Reboot (yes or no)? yes
Rebooting...............
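The recovery steps above depend on reading the `show bovpn-tunnel` table and quoting any tunnel name that contains a space. The following script is an added example, not WatchGuard code: it parses that table (format taken from the session shown above), flags tunnel names containing a space, checks the parsed count against the "Total N BOVPN Tunnel(s)" banner so a truncated paste is noticed, and emits the quoted `no bovpn-tunnel` command plus the surrounding config/policy/apply/exit/reboot sequence from the article. The sample output is constructed, and the parser assumes gateway names never contain spaces (as in the article's example). Because this output does not show whether broadcast routing is enabled on a tunnel route, every space-named tunnel is reported as a candidate; confirming the broadcast routing setting still requires checking each tunnel route, as the workaround describes.

```python
"""Pre-reboot check for the Fireware 11.11.1 BOVPN tunnel-name defect.

Added example, not WatchGuard code.  Parses the text the Fireware CLI
prints for `show bovpn-tunnel` (format taken from the session in the
article), flags tunnel names that contain a space, and emits the quoted
`no bovpn-tunnel` command the article says such names require.
The sample output below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a Fireware CLI prompt such as WG# or WG(config/policy)# so the
# table parser knows where the command output ends.
PROMPT_RE = re.compile(r"^WG(\([^)]*\))?#")
TOTAL_RE = re.compile(r"--\s*Total\s+(\d+)\s+BOVPN Tunnel")

# Constructed sample: two tunnels, one with a space in its name.
SAMPLE_OUTPUT = """\
WG(config/policy)#show bovpn-tunnel
--
-- Total 2 BOVPN Tunnel(s)
--
Tunnel Name          Gateway Name
test tunnel          test.gateway
site-b               siteb.gateway
WG(config/policy)#
"""


@dataclass(frozen=True)
class BovpnTunnel:
    name: str
    gateway: str

    @property
    def has_space(self) -> bool:
        return " " in self.name

    def removal_command(self) -> str:
        # Quoted form shown in the article; this tool only emits it for
        # names that contain a space, where the quotes are mandatory.
        return f'no bovpn-tunnel "{self.name}"'


def declared_total(output: str) -> int | None:
    """Return N from the '-- Total N BOVPN Tunnel(s)' banner, if present."""
    m = TOTAL_RE.search(output)
    return int(m.group(1)) if m else None


def parse_show_bovpn_tunnel(output: str) -> list[BovpnTunnel]:
    """Parse the tunnel table printed by `show bovpn-tunnel`."""
    tunnels: list[BovpnTunnel] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if not in_table:
            in_table = line.startswith("Tunnel Name")  # header row
            continue
        if not line.strip() or line.startswith("--") or PROMPT_RE.match(line):
            break  # end of the table
        # Assumption (holds for the article's example): gateway names contain
        # no spaces, so the last token is the gateway and everything before it
        # is the tunnel name, spaces included.
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2:
            tunnels.append(BovpnTunnel(name=parts[0].rstrip(), gateway=parts[1]))
    return tunnels


def tunnels_at_risk(output: str) -> list[BovpnTunnel]:
    """Tunnels whose name contains a space; these trigger the defect when
    broadcast routing is enabled on one of their tunnel routes."""
    return [t for t in parse_show_bovpn_tunnel(output) if t.has_space]


def recovery_commands(output: str) -> list[str]:
    """CLI sequence from the article (config, policy, no bovpn-tunnel, apply,
    exit, exit, reboot) for every at-risk tunnel; empty if none are found."""
    at_risk = tunnels_at_risk(output)
    if not at_risk:
        return []
    return (["config", "policy"]
            + [t.removal_command() for t in at_risk]
            + ["apply", "exit", "exit", "reboot"])


def report(output: str) -> str:
    """Human-readable summary with a count sanity check against the banner."""
    parsed = parse_show_bovpn_tunnel(output)
    total = declared_total(output)
    lines = [f"parsed {len(parsed)} tunnel(s), banner declares {total}"]
    if total is not None and total != len(parsed):
        lines.append("WARNING: tunnel count mismatch, output may be truncated")
    for t in tunnels_at_risk(output):
        lines.append(f"AT RISK: '{t.name}' (gateway {t.gateway}) -> {t.removal_command()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
    for cmd in recovery_commands(SAMPLE_OUTPUT):
        print(cmd)
```

Paste the real `show bovpn-tunnel` output in place of the constructed sample; the emitted commands are meant to be typed at the console one by one, exactly as in the session above, not fed to the Firebox automatically.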

Workaround/Solution

If you have not yet rebooted the Firebox and still have connectivity, you can take steps to avoid this issue. You have two options:

- Delete the VPN tunnel from the Firebox and recreate it without a space in the name, or
- Disable broadcast routing for all tunnel routes.

To disable broadcast routing:

1. In Fireware Web UI, select VPN > Branch Office VPN. The Branch Office VPN page appears.
2. Under Tunnels, select a configured VPN tunnel.
3. Click Edit.
4. Under Configure tunnel routes for the tunnel, select a configured tunnel route.
5. Click Edit.
6. If the Enable broadcast routing over the tunnel checkbox is selected, clear it.
7. Click OK. Repeat Steps 4–7 for each configured tunnel route.
8. Click Save to confirm the change to the VPN tunnel. Repeat Steps 2–8 for each configured VPN tunnel.

After you confirm that Enable broadcast routing over the tunnel is not selected on any VPN tunnel, you can safely reboot the Firebox.


Status

Resolved
