Watchguard failover wan link -can ping etc but not browse

  • Watchguard failover wan link -can ping etc but not browse

    I have a strange problem where I'm using an FTTC connection as a failover for my WatchGuard WAN link. I've set up multi-WAN with failover and pulled the plug on the primary link. The WatchGuard fails over as it should, and doing a tracert it routes through the second WAN link, but I just can't browse. The logs on the router are showing red "all gateways in policy routing table are down drop this packet". I set up an explicit policy to allow my IP to any external to test and still no joy.

    Any ideas what's causing this?


  • #2
    If ping to an IP works but names don't, check your DNS settings. Is a change needed due to the WAN change?
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      I would hazard a guess, agreeing fully with RicklesP, that your forwarders in DNS are not responding as you're trying to connect from a network outside the forwarders' remit.


      • #4
        Thanks guys, the DNS on the WatchGuard is pointing to our internal DNS ( with forwarders configured - the forwarders IP is and which is why it's confusing.

        I Googled the log failure message, which seems to point to a failed config in the failover, but there isn't much to configure: "all gateways in policy routing table are down drop this packet".

        I plan to plug a laptop into the FTTC connection tomorrow to test I can get out using the same interface config (user, pass, IP, etc.).


        • #5
          Change the forwarders you use away from those. Get your local ISP DNS servers, as they will more than likely be quicker than Google's public DNS servers. I typically only ever use these for testing that pinging is working, as they are always on.


          • #6
            The problem with changing them to the ISP DNS servers is for the reasons above - if you fail over to another ISP then you need to use their DNS servers, and vice versa.


            • #7
              Found the issue: there were specific routing rules within a policy which specified to use WAN 1 rather than follow the failover policy. Yet to test, but I'm certain it's that.
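
Added example, not part of the thread and not WatchGuard's own code or config format: a simplified model of the cause reported in #7, showing why a policy pinned to WAN 1 drops traffic during failover while unpinned traffic such as ping still gets out, plus a pre-failover audit for such policies. The `Policy` fields, policy names and interface names are hypothetical; only the log text comes from the thread.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Log text quoted in the thread.
DROP_MSG = "all gateways in policy routing table are down drop this packet"

@dataclass
class Policy:
    name: str
    pbr_interface: Optional[str] = None  # pinned external interface; None = follow multi-WAN
    pbr_failover: List[str] = field(default_factory=list)  # backup interfaces for the pin

def egress(policy, link_up, multiwan_order):
    """Return (interface, None) if the policy can route, else (None, drop reason)."""
    if policy.pbr_interface is None:
        candidates = multiwan_order                  # global failover order applies
    else:
        candidates = [policy.pbr_interface, *policy.pbr_failover]  # pin overrides it
    for iface in candidates:
        if link_up.get(iface):
            return iface, None
    return None, DROP_MSG

def audit(policies, multiwan_order):
    """Names of policies that would drop traffic if any single WAN link failed."""
    risky = []
    for failed in multiwan_order:
        link_up = {i: i != failed for i in multiwan_order}
        for p in policies:
            if egress(p, link_up, multiwan_order)[0] is None and p.name not in risky:
                risky.append(p.name)
    return risky

# Constructed sample rule set (hypothetical names).
ORDER = ["WAN1", "WAN2"]
POLICIES = [
    Policy("Ping"),                                         # follows multi-WAN failover
    Policy("HTTP-HTTPS-out", pbr_interface="WAN1"),         # pinned, no backup
    Policy("DNS-out", pbr_interface="WAN1", pbr_failover=["WAN2"]),
]

if __name__ == "__main__":
    primary_down = {"WAN1": False, "WAN2": True}
    for p in POLICIES:
        print(p.name, egress(p, primary_down, ORDER))
    print("fix before next failover:", audit(POLICIES, ORDER))
```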