Watchguard UTM 22 closes all connections after support ends.

azjag Member Posts: 579
As the title states, our Watchguard xtm22 went off support 5 days ago. Two days ago all traffic through the box ceased. There were no changes to the device in the last 90 days. Calls to support end with a "you must purchase for us to fix" response. Which is expected, but not if their product is doing this every time support ends. That and the lady on the phone pissed off our CFO to the point she will not pay. Has anybody seen this before or a possible fix? Thanks.
Currently Studying:
VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)

Comments

  • it_consultant Member Posts: 1,903
    Buy a license. They used to not do that and, of course, no one ever renewed their live security service. You are supposed to get a bit of a grace period.

    LiveSecurity Reinstatement
    WatchGuard requires continuous coverage of LiveSecurity Service support agreements. The LiveSecurity subscription should be renewed before it expires to avoid any lapse in service. If the LiveSecurity Service has expired for more than 30 days, it is considered to be "out of support compliance." There are two ways to renew LiveSecurity for such appliances:
    Purchase a LiveSecurity Reinstatement license and a 1-Year LiveSecurity Service Renewal.
    Purchase a multi-year LiveSecurity Service Renewal, or any Security Software Suite to waive the need for a LiveSecurity Reinstatement.
    LiveSecurity coverage resumes the same day that the new LiveSecurity Service renewal is activated.
  • azjag Member Posts: 579
    Well the service expired on 1/10/14. They called on 1/15/14 to ask if we were going to renew the support. We said no. On 1/16/14 our watchguard device went down. A reboot fixed it for a day. Now we have a red brick sitting in the closet. In 7 days they went from highly recommend to avoid at all costs.
  • it_consultant Member Posts: 1,903
    You can't really fault them for that though - hardware fails all the time (even from the big brands) and if you don't renew the support you will get the big digital middle finger from them too. If you aren't willing to pay for support then you ought to go to PFSENSE or something where you can pay for case by case support and you are solely responsible for the hardware. It is hard to feel too much sympathy, you elected to not renew support knowing that it covered hardware and TAC access. Now it is broken and you want hardware and TAC support. Karma hit you quickly and now you are annoyed.

    I used to run WG's for cheap clients all the time without live security and more often than not it was fine, in those rare cases you need support you will be happy that you have it.
  • deth1k Member Posts: 312
    > You can't really fault them for that though - hardware fails all the time (even from the big brands) and if you don't renew the support you will get the big digital middle finger from them too. If you aren't willing to pay for support then you ought to go to PFSENSE or something where you can pay for case by case support and you are solely responsible for the hardware. It is hard to feel too much sympathy, you elected to not renew support knowing that it covered hardware and TAC access. Now it is broken and you want hardware and TAC support. Karma hit you quickly and now you are annoyed.
    >
    > I used to run WG's for cheap clients all the time without live security and more often than not it was fine, in those rare cases you need support you will be happy that you have it.

    He didn't say it went broke, it stopped passing traffic after license expired :P
  • it_consultant Member Posts: 1,903
    OP followed up and said that it was going funny and they had to reboot it, then it went dead, we are not sure if the problem is that the license expires and it locks you out or if there is an actual problem with the device. I suspect the latter since I have seen WGs brick before, if you read closely OP notes that tech support won't even look at it to evaluate unless they renew - not that it absolutely did stop passing traffic BECAUSE the license expired. I have run WGs without live security and I have never actually seen an expired license prevent traffic from flowing.

    Either way, OP was warned and elected to do his/her own thing. Now he/she wants to blame WG for something that was clearly spelled out in print.

    This is one reason, while I am not a full time consultant anymore, when I do side jobs I will either have the client sign a waiver of responsibility or I will flat stop working with them (depending on the client) if they don't renew their support contracts. All of a sudden the money they saved is costing them time and everyone is pissed off when it was their decision that caused the problem in the first place. Support contracts are the price of doing business, a long time ago I stopped caring that people's jaws dropped (have you ever seen a support renewal for a medium sized Cisco network?) when they see the cost of support. Then something goes wrong and it is all the fault of Dell, Cisco, HP, take your pick, instead of the decision maker that decided that "Hey, everything is going fine, we don't really need support". It is like insurance for your car, you probably don't need full coverage, but you will be happy when you need it that you have it.

    *Tirade over*
  • azjag Member Posts: 579
    > OP followed up and said that it was going funny and they had to reboot it, then it went dead, we are not sure if the problem is that the license expires and it locks you out or if there is an actual problem with the device.

    That is not what I said. I referred to the device as a red brick. It is actually painted red. The device does work, but it takes a daily reboot or a reconfig to make it work. It will work for a day then require these steps to be followed again.

    > Either way, OP was warned and elected to do his/her own thing. Now he/she wants to blame WG for something that was clearly spelled out in print.

    Let me clarify something. When asked if we wanted to renew the subscription we opted not to. Two days later the device stops passing traffic. A call to support says they can fix the problem if we pay for support. The fact that WG can connect to my device over the internet via Serial Number and tell me it is working fine worries me. This led me to believe it is a leftover setting from the subscription services that we were using but opted not to renew either. So I have a setting that is a remnant from the previous subscription service that I can't change/turn off. I'm hoping a full blown factory reset will fix the problem but I will not know until Sunday. I wanted to see if anybody had seen this before and could provide some insight.

    > This is one reason, while I am not a full time consultant anymore, when I do side jobs I will either have the client sign a waiver of responsibility or I will flat stop working with them (depending on the client) if they don't renew their support contracts. All of a sudden the money they saved is costing them time and everyone is pissed off when it was their decision that caused the problem in the first place. Support contracts are the price of doing business, a long time ago I stopped caring that people's jaws dropped (have you ever seen a support renewal for a medium sized Cisco network?) when they see the cost of support. Then something goes wrong and it is all the fault of Dell, Cisco, HP, take your pick, instead of the decision maker that decided that "Hey, everything is going fine, we don't really need support". It is like insurance for your car, you probably don't need full coverage, but you will be happy when you need it that you have it.
    >
    > *Tirade over*

    Sorry that full time consulting didn't work out for you. I find part time consulting/moonlighting is a valuable option to expand my knowledge, earn a little cash, and help out the smaller businesses that can't afford a full time IT person.
  • it_consultant Member Posts: 1,903
    You still don't know if the problem is that it is faulty and needs to be replaced or that it is faulty BECAUSE you didn't renew your license. Either way, if you want support you have to pay. I do know that if you don't renew your license for say, web filtering, and you don't select the option to "fail open" it will "fail closed" when the license is up; meaning traffic stops flowing. In that scenario, however, no amount of rebooting the thing would help so I don't think that is the problem.

    This is something that WG could help with...if you paid for support. Which you didn't, and now you are angry that they won't support you. Kind of like not buying an extended warranty on a car and then wanting them to honor the warranty after it has expired.

    I don't think that it is solid business practice not to offer pay by case, but again, you were warned about this scenario. Is it WG's fault that you didn't renew?
  • azjag Member Posts: 579
    > You still don't know if the problem is that it is faulty and needs to be replaced or that it is faulty BECAUSE you didn't renew your license. Either way, if you want support you have to pay. I do know that if you don't renew your license for say, web filtering, and you don't select the option to "fail open" it will "fail closed" when the license is up; meaning traffic stops flowing. In that scenario, however, no amount of rebooting the thing would help so I don't think that is the problem.

    I'll let you know on Sunday/Monday when I do this.

    > This is something that WG could help with...if you paid for support. Which you didn't, and now you are angry that they won't support you. Kind of like not buying an extended warranty on a car and then wanting them to honor the warranty after it has expired.

    I'm more angry being held hostage. I didn't expect my network to go down because I didn't pay to renew subscription services. If this was a yearly service I was paying for and knew this would be the result it would be expected.

    > I don't think that it is solid business practice not to offer pay by case, but again, you were warned about this scenario. Is it WG's fault that you didn't renew?

    I am aware of the implications of not buying support. I didn't anticipate my network going down because one of the subscription services might block traffic when the subscription lapsed.
  • it_consultant Member Posts: 1,903
    I have never seen a device brick as a result of not being licensed, who knows it could be a new trick. I have seen those devices fail on occasion under similar circumstances, a "high reset count". I have also certainly seen other devices and brands fail after their support expiry. It is a cruddy lesson to learn but those experiences taught me to not let people get away with running business critical stuff on equipment that doesn't have support. If this was just a lab firewall that would be one thing, but this is the main connection to your internet. Not something I would recommend running without a valid support contract.
  • EV42TMAN Member Posts: 256
    Without a live security contract you don't have any support. As soon as you activate the live security contract you will have support. Unfortunately OP you just shot yourself in the foot, per se. When you do a Factory Reset it wipes the device including the feature key and it goes back to an unactivated device. The only way to activate the device is with a current live security contract/feature key. As a part of the first boot setup you log in to your WatchGuard account and download the feature key. Until you have a current feature key the firewall will only let one connection out through the firewall (the first device that tries to go to the internet). So at this point you can buy a new live security contract which for that device is about $100 for 1 year or you upgrade to something newer like a Watchguard 25 or Cisco ASA 5505.

    As a 30 day option you can call their customer support and tell them you've purchased a live security contract but it will take a few days for it to get in. Also tell them your business is down and they'll give you a 30 day trial license for the device.
    Current Certification Exam: ???
    Future Certifications: CCNP Route Switch, CCNA Datacenter, random vendor training.
  • azjag Member Posts: 579
    Hello all,
    Wanted to let you know this has been fixed. I needed to remove the WebBlocker profile from the HTTP/HTTPS and TCP/UDP proxies.

    Thanks for your assistance.