Operational Defect Database

BugZero found this defect 24 days ago.

WatchGuard Technologies | kA1Vr0000001XpxKAE

WebBlocker Cloud Server connection fails with reason: "Resolving timed out after 15000 milliseconds"

Last update date:

4/25/2024

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.10.x

Fixed releases:

All

Description:

Issue

Fireware v12.10.3 updates the agent the Firebox uses to contact the WebBlocker Cloud Server. The updated agent performs a dual-stack DNS query that requests both the IPv4 A and IPv6 AAAA records for rp.cloud.threatseeker.com. If your Firebox is configured to use DNS servers that do not support dual-stack DNS queries or do not respond to IPv6 AAAA records, the Firebox might be unable to contact the WebBlocker Cloud Server and you might see errors that indicate DNS resolution timed out.

Example log messages:

2024-04-24 12:18:25 webblocker[2671]: categorize_url: curl returned error: Resolving timed out after 15000 milliseconds

2024-04-24 12:18:25 Deny 10.0.1.1 142.251.215.227 https/tcp 63161 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="google.ca" geo_dst="USA" Traffic

If your system is affected, you will not see outbound connections to rp.cloud.threatseeker.com (the WebBlocker Cloud Server). Firebox DNS diagnostics will successfully resolve rp.cloud.threatseeker.com.

Workaround/Solution

If you encounter a "curl returned error: Resolving timed out after 15000 milliseconds" error, verify that your Firebox DNS servers are configured to respond to AAAA record DNS lookups. You cannot perform AAAA record DNS lookups from the Firebox diagnostic tools.

From a system behind the Firebox, make two DNS queries with nslookup: one query for an IPv6 record, such as google.com, and one query for rp.cloud.threatseeker.com.

nslookup -type=AAAA google.com <IP address of DNS server>

nslookup -type=AAAA rp.cloud.threatseeker.com <IP address of DNS server>

If both DNS queries time out, the Firebox cannot use the DNS server you queried. If the google.com query returns an IPv6 address and the rp.cloud.threatseeker.com query does not return a SERVFAIL or timeout response, the Firebox can use the DNS server.

After you find a compatible DNS server, update the DNS servers for your Firebox.
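The same two-query check as a script, for testing several candidate DNS servers from a system behind the Firebox. This is an added example, not WatchGuard or BugZero code: it sends the AAAA queries directly over UDP instead of calling nslookup. The function names and the "not confirmed" verdict for cases the article does not describe are assumptions of this example.

```python
import secrets, socket, struct, sys
AAAA, SERVFAIL, TIMEOUT = 28, 2, "timeout"  # RR type 28, RCODE 2; TIMEOUT is this example's marker

def build_query(name):
    """Encode one recursive (RD=1) AAAA question for name."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", AAAA, 1)  # class IN

def skip_name(data, pos):  # returns the offset just past a (possibly compressed) name
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data):
    """Return (rcode, number of AAAA records in the answer section)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos, found = 12, 0
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        found += rtype == AAAA
    return flags & 0xF, found

def query_aaaa(name, server, timeout=5.0):
    """Send the query over UDP/53; TIMEOUT if no reply arrives or the send fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_response(s.recv(4096))
        except OSError:  # socket.timeout is a subclass
            return TIMEOUT

def verdict(google, cloud):
    """Apply the article's rule; 'not confirmed' covers cases it does not describe."""
    if google == TIMEOUT and cloud == TIMEOUT:
        return "unusable"
    v6_works = google != TIMEOUT and google[1] > 0
    cloud_ok = cloud != TIMEOUT and cloud[0] != SERVFAIL
    return "usable" if v6_works and cloud_ok else "not confirmed"

if __name__ == "__main__":  # usage: python check_dns.py <IP address of DNS server> [...]
    for server in sys.argv[1:]:
        print(server, verdict(query_aaaa("google.com", server), query_aaaa("rp.cloud.threatseeker.com", server)))
```

A CNAME-only answer for rp.cloud.threatseeker.com still counts as acceptable here, because the article only rules out SERVFAIL and timeout for that name.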

Status

Open
