Monday, May 20, 2019

Firewall keeps dropping connection, adjust negotiation, flow control on feed?

My client is a tenant in a building. The building has telco fiber (multiple IPs) that comes into one end of the building. My client's network gear is on the far side of the building. The building's network pulls a fixed IP address from the telco fiber, then they VLAN my client's IP through the building's fiber network to our cabinet...and it ends up at a gigabit port on a Dell PowerConnect 2724. This feeds my client's firewall and then into their own switch to feed their offices. It worked fine for the last couple of years until last week, when they upgraded from a 100BASE-T capable firewall to a new Netgate pfSense 1000BASE-T firewall to take advantage of the higher speeds offered by the telco.

The firewall kept dropping the WAN connection / gateway every 20-30 minutes or so. It looks like it's dropping the connection: the gateway experiences 20-30% packet loss and the WAN goes offline, and it never comes back until a reboot. My initial firewall settings had the WAN port set to autoselect. The hint that leads me to look into flow control, master, etc. is that when the firewall would lose connection to the WAN, the GUI would show "1000baseT full-duplex,master." When it was working fine after a reboot, it would show "1000baseT full-duplex."

One might think the easiest fix would be to lock it at "1000baseT full-duplex," but that didn't seem to get me back online after a reboot. I could only manage to get it back online with autoselect...which eventually leads to it going offline.

Do you think it has anything to do with flow control or another setting on the Dell PowerConnect 2724 that originates our feed? I've read some suggest turning off flow control at each stage of the path. I don't have access to the gear prior to my client's equipment. We can pay to have the building's network crew come out and make some changes. If so...what changes should I try first?

If it's helpful, I've tried the Netgate firewall at another 1000BASE-T location and it passed traffic for hours. Netgate suggested I could put a simple unmanaged switch in front of the firewall to see if that would eliminate any negotiation issues and keep the connection up. I can test that next week.

Any other ideas or guidance?
