Troubleshoot network issues
Why is my DrawBridge not remotely accessible?
Check the following items:
- Internet connectivity works as expected from your DrawBridge LAN
- Your upstream modem/router is properly forwarding ports/configured to DMZ (where applicable)
- The necessary ports are open on your DrawBridge firewall.
If all these check out fine, you may be running into a problem with your internet provider's security features snagging your inbound traffic. If you are on Comcast or Xfinity, see below for information on how to disable the Advanced Security feature that can cause remote reachability problems.
How do I turn off Comcast SecurityEdge / Xfinity Advanced Security?
Background: Why disable?
In general, these security features are good, and certainly well-intended. However, in the case where you have a specific need to accept "unsolicited" traffic, such as remote access to filter your mobile devices, or for maintenance access by Compass, these security features can get in the way and need to be disabled.
Is this degrading your security profile? Well, it's a tradeoff. Any time you grant additional access, you're theoretically increasing the potential attack surface. In general, however, if your firewall is configured correctly, there is no need to worry.
Business accounts: Comcast SecurityEdge
- Sign in to your account: https://business.comcast.com/account/
- Go to SecurityEdge and disable it.
Note that some users on internet forums indicate that you need to contact customer service to have it truly disabled.
Residential accounts: Xfinity Advanced Security
- Toggle xFi Advanced Security to OFF.
Note that you will be prompted to sign in to your Xfinity account to do this if you aren't already signed in.
Why is my DrawBridge maxing-out my upstream network equipment session limits?
Check the following items:
- Sign in to the Console and look for rapidly-repeating, duplicate Block lines from a single device in the Realtime Log Viewer
- Check to see if you have any blanketblock policies applied in your Company Dashboard
- Turn off the problem device or allow the traffic (if it is OK to do so) that is constantly retrying
The quick explanation: Frequently these situations are caused by a device on the network being blocked by the DrawBridge. Rather than failing gracefully and timing out, the device retries. This can create hundreds or thousands of TCP sessions in minutes. The solution is to allow the traffic that is being blocked, and the extra sessions will then expire on their own.
The longer explanation: Generally, TCP session-limit events are due to poor software programming on a client device. When a request doesn't go as expected, rather than properly closing the session and starting a new one, the old session is left open and a new one is started. What makes it escalate is when the programmers forget to put some type of limit or timeout on the number of retries. The result is an extreme number of open TCP connections in a matter of seconds that only stops when it hits a limit somewhere, such as software limits or hardware resources. Windows + blanketblock policies are the most common culprits for these situations.
The real solution would be for the programmers to handle sessions properly as described above, but unless you want to raise a support ticket with them, practically the only thing that can be done is to watch the logs on the DrawBridge and allow the traffic that's getting blocked (and subsequently hammered by retries).
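To make the "rapidly-repeating, duplicate Block lines from a single device" check repeatable on an exported log, here is an added Python example; it is not part of DrawBridge or this page. It assumes a simple `<ISO timestamp> <ACTION> <src> -> <dst:port>` line layout and uses constructed sample lines, so `parse_line()` must be adapted to the real Realtime Log Viewer export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example. The "<ISO timestamp> <ACTION> <src> -> <dst:port>"
# layout is an assumption; adapt parse_line() to the real Realtime Log Viewer export.
_BASE = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    # a misbehaving client retrying the same blocked destination twice per second
    [f"{(_BASE + timedelta(seconds=i / 2)).isoformat()} BLOCK 192.168.1.42 -> 203.0.113.10:443"
     for i in range(120)]
    # a well-behaved client that hits a policy occasionally and backs off
    + [f"{(_BASE + timedelta(minutes=5 * i)).isoformat()} BLOCK 192.168.1.7 -> 198.51.100.5:80"
       for i in range(3)]
    + [f"{_BASE.isoformat()} ALLOW 192.168.1.7 -> 198.51.100.6:443"]
)


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst)."""
    ts, action, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), action, src, dst


def find_retry_storms(lines, window_seconds=60, threshold=20):
    """Return {src: (dst, peak_count)} for every source device whose BLOCK lines
    to one destination repeat at least `threshold` times inside any window of
    `window_seconds`. These are the candidates for "allow the traffic or turn
    off the device" from the checklist above."""
    window = timedelta(seconds=window_seconds)
    blocked = defaultdict(list)  # (src, dst) -> list of timestamps
    for line in lines:
        if not line.strip():
            continue
        ts, action, src, dst = parse_line(line)
        if action == "BLOCK":
            blocked[(src, dst)].append(ts)

    storms = {}
    for (src, dst), stamps in blocked.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > storms.get(src, (None, 0))[1]:
                storms[src] = (dst, count)
    return storms


if __name__ == "__main__":
    for src, (dst, count) in find_retry_storms(SAMPLE_LOG).items():
        print(f"{src}: {count} blocked retries to {dst} within 60s")
```

The 60-second window and threshold of 20 are assumed starting points; tune them to the normal block rate on your network before acting on a flagged device.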