[fw-wiz] Watchguard V60 capacity

From: User Scarr (scarr_at_ineocom.com)
Date: 07/22/03

  • Next message: Tony Miedaner: "[fw-wiz] ISPs with more secure networks???"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Jul 2003 11:48:49 -0400

    Hey all,

            I'm wondering if anyone else on this list actively uses Watchguard
    Vclass units, and has run into some of the same "challenges" we have
    with them. We're using them to firewall a fairly active client with a
    good amount of web and SMTP traffic. We've got two of them in HA.
    What I'm hoping for (more than a rant session) is that someone has
    found some working solutions, or at least has the same issues we do. I
    suspect a fair number of these are Watchguard bugs, but I don't want to
    pay $250 each for the privilege of reporting them...

    Some of the biggies at the tip of the iceberg:

            - Packet loss. I've identified the Watchguard Vclass units as the
    center of between 1% and 10% packet loss on a regular basis (ruling out
    switches and routers and even cables, which has been a bit of a
    process). Watchguard's support has suggested that I lower a connection
    idle timeout setting in debug mode from 3 minutes to 1 minute, which
    sounds reasonable, but I haven't tried it yet (production hours).

            - High availability syncing. I've seen this on other HA devices, but
    never like this. The HA constantly complains that it can't sync, even
    though it does, and manual sync attempts (when editing or adding
    policies) seem to freeze the units, adding to the packet loss. The HA
    is fairly seamless though when it does happen, so they get points there.

            - The built-in load balancing. I know, I know, I should probably get
    an independent device to handle the LB. The load balancing seems to
    freeze at random, and I end up with error messages in the logs like:
    "The load balancing server is not responding". Of course,
    there's no server specified with that address. I'm using weighted
    least connections between two SMTP servers running Postfix.

            I've used Netscreen, and to a lesser extent PIX devices in the past
    (and a few free software firewalls like IPFW and iptables / ipchains,
    etc), so the number of and severity of recent troubles I've had with
    these is a new experience for me. I have a feeling a lot of the
    problems are due to load, but since Watchguard boasts up to 200Mbps
    throughput (with the units in active/active HA) I can't imagine our
    7Mbps spikes are causing them any heartburn.

    Any thoughts, etc?


    Simon Carr
    Ineocom Technologies Inc.
    firewall-wizards mailing list
