[fw-wiz] Watchguard V60 capacity
From: User Scarr (scarr_at_ineocom.com)
To: email@example.com Date: Tue, 22 Jul 2003 11:48:49 -0400
I'm wondering if anyone else on this list actively uses Watchguard
Vclass units, and has run into some of the same "challenges" we have
with them. We're using them to firewall a fairly active client with a
good amount of web and SMTP traffic. We've got two of them in HA.
What I'm hoping for (more than a rant session) is that someone has
found some working solutions, or at least has the same issues we do. I
suspect a fair number of these are Watchguard bugs, but I don't want to
pay $250 each for the privilege of reporting them...
Some of the biggies at the tip of the iceberg;
- Packet loss. I've identified the Watchguard Vclass units as the
center of between 1% and 10% packet loss on a regular basis (ruling out
switches and routers and even cables, which has been a bit of a
process). Watchguard's support has suggested that I lower a connection
idle timeout setting in debug mode from 3 minutes to 1 minute, which
sounds reasonable, but I haven't tried it yet (production hours).
- High availability syncing. I've seen this on other HA devices, but
never like this. The HA constantly complains that it can't sync, even
though it does, and manual sync attempts (when editing or adding
policies) seem to freeze the units, adding to the packet loss. The HA
is fairly seamless though when it does happen, so they get points there.
- The built in load balancing. I know I know, I should probably get
an independent device to handle the LB. The load balancing seems to
freeze at random, and I end up with error messages in the logs like;
"The load balancing server 0.0.0.0 is not responding". Of course,
there's no server specified with that address. I'm using weighted
least connections between two SMTP servers running Postfix.
I've used Netscreen, and to a lesser extent PIX devices in the past
(and a few free software firewalls like IPFW and iptables / ipchains,
etc), so the number of and severity of recent troubles I've had with
these is a new experience for me. I have a feeling a lot of the
problems are due to load, but since Watchguard boasts up to 200Mbps
throughput (with the units in active/active HA) I can't imagine our
7Mbps spikes are causing them any heartburn.
Any thoughts, etc?
-- Simon Carr Ineocom Technologies Inc. http://www.ineocom.com/ _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards