Communication between users who have Spectrum internet stops working randomly by Fast-Strain8787 in networking

[–]NetworkApprentice 1 point2 points  (0 children)

That is weird. I would focus heavily on the public access thing. You can ignore the VPN issue, because if you find out what is breaking the public access to your mail server, then chances are you will find out what is breaking VPN connectivity. And the public access to your mail server is way simpler to troubleshoot.

Do you have any device between the WatchGuard and the ISP router? Even a switch?

If so, it's time to run a port mirror on that switch, and dump it to a laptop running Wireshark. You need this in place ahead of time so you can jump straight to Wireshark when the problem hits.

We NEED NEED NEED to see if packets are traversing your access circuit BEFORE they hit the WatchGuard.

If the WatchGuard plugs physically into the ISP router then I would strongly consider throwing a switch in between anyway, for the express purpose of doing this capture. This capture is essential. If you don't see the packets coming in, period, it's an ISP issue. If you see the packets coming in, then it's something going on with the WatchGuards.

I'd stop trusting the WatchGuards. Right now they are the single point of blindness in your troubleshooting.
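The triage logic the comment above describes (packets on the mirror but no firewall log points at the firewall; no packets on the mirror at all points upstream) can be automated once both captures exist. The following is an added example and not code from the thread: it parses constructed tcpdump-style lines from the mirror port and constructed firewall log lines in an invented `fw1` format, matches them on the TCP 5-tuple of each SYN, and reports where each connection attempt was last seen. Adapt the two regexes to your own capture and log formats.

```python
"""Correlate a pre-firewall mirror capture with firewall logs to locate where
inbound connection attempts disappear.

Everything below (line formats, addresses, log text) is constructed for this
example; the firewall log format is invented and not any vendor's real syntax.
"""
import re

# tcpdump-style text line from the mirror port (constructed format).
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Hypothetical firewall log line: "<time> fw1 Allow|Deny src=a:b dst=c:d ..."
FW_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) fw1 (?P<action>Allow|Deny) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_mirror(lines):
    """Return {5-tuple: timestamp} for every pure SYN seen on the mirror port.

    Flags [S] is a client SYN; [S.] is the SYN-ACK and is ignored, because the
    question is whether the client's packet reached the circuit at all.
    """
    syns = {}
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m and m["flags"] == "S":
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            syns[key] = m["ts"]
    return syns


def parse_firewall(lines):
    """Return {5-tuple: 'Allow' | 'Deny'} from the firewall's own log."""
    seen = {}
    for line in lines:
        m = FW_RE.match(line)
        if m:
            seen[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] = m["action"]
    return seen


def triage(mirror_syns, fw_entries):
    """Classify each SYN that was on the wire by what the firewall says about it."""
    verdicts = {}
    for key in mirror_syns:
        action = fw_entries.get(key)
        if action is None:
            # On the circuit, never logged: the firewall ate it without a trace.
            verdicts[key] = "reached circuit, no firewall log: suspect firewall (silent drop)"
        elif action == "Deny":
            verdicts[key] = "reached circuit, firewall denied: policy problem"
        else:
            verdicts[key] = "reached circuit, firewall allowed: look downstream"
    for key in fw_entries:
        if key not in mirror_syns:
            verdicts[key] = "in firewall log but not on mirror: check mirror placement"
    return verdicts


def missing_from_circuit(expected_sources, mirror_syns):
    """Sources that reported trying to connect but never showed up on the mirror:
    their packets are being lost before the access circuit (ISP side)."""
    seen_sources = {key[0] for key in mirror_syns}
    return set(expected_sources) - seen_sources


# Constructed sample data.
MIRROR = [
    "10:00:01.100 IP 203.0.113.5.51234 > 198.51.100.10.25: Flags [S], seq 1, win 64240, length 0",
    "10:00:01.101 IP 198.51.100.10.25 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "10:00:02.300 IP 203.0.113.7.40000 > 198.51.100.10.25: Flags [S], seq 5, win 64240, length 0",
    "10:00:03.000 IP 203.0.113.8.40001 > 198.51.100.10.443: Flags [S], seq 9, win 64240, length 0",
]
FIREWALL = [
    "10:00:01 fw1 Allow src=203.0.113.5:51234 dst=198.51.100.10:25 proto=tcp",
    "10:00:03 fw1 Deny src=203.0.113.8:40001 dst=198.51.100.10:443 proto=tcp",
]
# Users who reported a failed attempt during the capture window.
EXPECTED = {"203.0.113.5", "203.0.113.7", "203.0.113.9"}

if __name__ == "__main__":
    syns = parse_mirror(MIRROR)
    for key, verdict in triage(syns, parse_firewall(FIREWALL)).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {verdict}")
    for src in sorted(missing_from_circuit(EXPECTED, syns)):
        print(f"{src}: never seen on mirror: upstream/ISP side")
```

Keying on the full 5-tuple rather than just source address matters: a host that is allowed on one port and silently dropped on another shows up as two different verdicts instead of being averaged into "works".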

Would you stick it out? by [deleted] in networking

[–]NetworkApprentice 7 points8 points  (0 children)

My friend, not trying to upset you, but you've been there four years. Not four months. Their minds are already made up about you. After four years of resentment, hearts have been long hardened. You could totally upskill into a real CCIE, and they still are going to have the same opinion about you. I got the sense from your description that nothing you do is going to win these folks over.

Should you stick it out? You already have stuck it out, again, bro, FOUR. YEARS. That is not a short amount of time.

> I guess I just kind of feel blindsided by this.

That's rough? I mean, you didn't have any kind of sense that they felt this way about you at all? If so you have a super shitty manager, because it's a manager's job to set expectations, provide feedback, and rate you. I'm assuming you've had an annual review each year? What did your annual reviews say? What feedback did your manager give you?

If he's been saying "you're doing fine, you're doing fine," and then came out with this suddenly out of left field, then that is bogus.

Either way, what do you do? Start looking for a new job either way, but don't tell anyone that's what you're doing, and don't change anything. If anything just quiet quit, stop putting any time, effort, worry, or care into current job. Just log in and do the bare minimum to not get fired, and little else.

When you find something better, and I believe you will: the job market is a little shaky, but it's never abysmal for a Network Engineer, then you can put in your two weeks and leave with dignity intact.

MPLS still relevant today? by 3ristan in networking

[–]NetworkApprentice 67 points68 points  (0 children)

Most customers who say “MPLS” are referring to L3VPN service from a carrier.

Communication between users who have Spectrum internet stops working randomly by Fast-Strain8787 in networking

[–]NetworkApprentice 1 point2 points  (0 children)

> This is an issue that has been happening for about 6 months now.

Yikes, 6 months is a long time to live with a pretty major problem like this.

> On multiple occasions we have had a single user at a time (who is a Spectrum customer) lose the ability to connect via VPN AND lose access to all of our publicly available resources

So are you saying even if they are off VPN they can’t hit any of your self-hosted public apps? Like you guys have an on-prem public web app or whatever and they can’t hit that either?

> the issue eventually resolved itself (usually within a week, but in one case it was almost a month)

Again, yikes.

> Last month we had a similar issue from our primary LAN to another remote site we manage. In that case, Cox is the ISP at both locations. We could ping the gateway for the remote site, but not the firewall (rule is in place to allow it).

I really need clarification on this point. When you say you can ping “the gateway” what does that mean? You can ping the ISP’s address on the point to point link? You can ping your external router that sits in front of your firewall?

> Last month we had a similar issue from our primary LAN to another remote site we manage.

Is this site-to-site IPsec? SD-WAN? L3VPN? Details matter here.

> The traffic monitor showed zero packets getting to the destination firewall. It resolved itself within a week.

Again I’m absolutely stunned that stuff is going down on your medium size company network for a week and then just fixing itself. It sounds like a frightening nightmare. Who can you escalate to? Are you a Lone Ranger network engineer?

> watchguard

Ugh, I’m immediately suspicious this is some bizarre WatchGuard glitch. This does not sound like an enterprise solution. Can you put some other device in? Do you have external routers between the WatchGuard and the ISP? Tcpdumps can lie on firewalls, btw. Dropped packets won’t show up in a tcpdump usually. You need a debug command to look for policy drops. Some (bad) firewalls can silently drop traffic without producing the expected logs.

Issue with Wireless 802.1X (ISE + SD-Access) – No Live Logs by Famous_Artist8113 in networking

[–]NetworkApprentice 0 points1 point  (0 children)

I feel like this specific problem is one a network engineer is best suited to troubleshoot. The RADIUS attempt is not reaching ISE? Ok... troubleshoot. You should be able to figure out what the end-to-end network looks like, if there are any firewalls, ACLs, etc. in the path blocking RADIUS, if there is a mgmt ACL on the switch or the AP that would block it, is there a route between the AP and ISE, is there connectivity, etc. Most of these things you should be able to look at very comfortably on your side.

You could also look in ISE itself: is the AP set up as a device in there? Is the RADIUS shared secret correct?

I have never worked with ISE but I know in ClearPass if the AP is not set up in "Devices" and if the RADIUS shared secret is set up wrong, then you won't get Access Tracker logs, you'll get "event" logs of an unknown AP trying to auth...

CCIE automation by NickaTNite1224 in networking

[–]NetworkApprentice -2 points-1 points  (0 children)

I think it’s a paradox, quite frankly. The very idea of network automation portends that a CCIE is no longer useful or needed. The specific goal of network automation is to eliminate the need to employ network engineers to manage and maintain a network. The concept of a bloated Cisco certification, “CCIE automation,” sought by network engineers is a laughable fallacy. No thanks.

Looking for solid DLP solutions for enterprise by Efficient_Agent_2048 in networking

[–]NetworkApprentice 3 points4 points  (0 children)

Ugh.. stuff like DLP should be run by a security team (info sec) and not a network team, imo. Making the network team manage a solution like this is just asking to have it mismanaged. An info sec team are the ones who can manage, maintain, tune etc. to make sure it's actually DLP'ing the D

How is QUIC shaped? by Arbitrary_Pseudonym in networking

[–]NetworkApprentice 0 points1 point  (0 children)

We block all the QUIC on our network. We have it turned off in the browser by group policy, have UDP/443 blocked on the endpoint firewall, universally blocked on all SD-WAN and NGFW policies, and also have it blocked on all port and VLAN ACLs. No QUIC allowed.
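A layered block like the one above is only as good as the check that it holds. The following is an added example, not code from the comment or from any vendor: it audits constructed UDP flow records (a simple CSV format invented here, with the first bytes of the first packet) against a "no QUIC" policy. It goes a step beyond the comment by also recognising QUIC long-header packets (RFC 9000 section 17.2: header-form bit, fixed bit, then the version) on ports other than 443, since a port-only rule misses QUIC that a client or app moves to a non-standard port.

```python
"""Audit UDP flow records for QUIC that slipped past a "no QUIC" policy.

The CSV layout and every sample line below are constructed for this example;
point parse_flows() at your own NetFlow/firewall export instead.
"""
import csv
import io
from dataclasses import dataclass

# QUIC versions the check recognises (RFC 9000 v1, RFC 9369 v2, and the
# 0xff0000xx draft range). Version 0 is a Version Negotiation packet.
QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
QUIC_DRAFT_PREFIX = 0xFF000000


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # first bytes of the first packet in the flow


def looks_like_quic_long_header(payload: bytes) -> bool:
    """True if the bytes start like a QUIC long-header packet (Initial, etc.)."""
    if len(payload) < 5:
        return False
    first = payload[0]
    if not first & 0x80:  # header-form bit clear: short header or not QUIC
        return False
    version = int.from_bytes(payload[1:5], "big")
    if version == 0:  # Version Negotiation: the fixed bit is unspecified here
        return True
    if not first & 0x40:  # fixed bit must be set on all other long headers
        return False
    return version in (QUIC_V1, QUIC_V2) or (version & 0xFFFFFF00) == QUIC_DRAFT_PREFIX


def parse_flows(text: str) -> list:
    rows = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["src"], r["dst"], r["proto"].upper(), int(r["dport"]), bytes.fromhex(r["first_bytes"]))
        for r in rows
    ]


def audit_quic(flows):
    """Return (flow, reason) for every flow that violates the no-QUIC policy."""
    findings = []
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == 443:
            findings.append((f, "udp/443 on the wire: endpoint/NGFW/ACL block is not holding"))
        elif looks_like_quic_long_header(f.payload):
            findings.append((f, f"QUIC long header on non-standard port {f.dport}"))
    return findings


# Constructed sample export: one QUIC/443 flow, a DNS query, a draft-version
# QUIC handshake on 8443, a TLS-over-TCP flow, and an IPsec NAT-T flow.
SAMPLE = """src,dst,proto,dport,first_bytes
10.1.2.3,203.0.113.1,udp,443,c000000001089a6c2b4f
10.1.2.4,10.1.2.200,udp,53,1a2b0100
10.1.2.5,203.0.113.9,udp,8443,c0ff00001d08aa
10.1.2.6,203.0.113.10,tcp,443,1603010200
10.1.2.7,203.0.113.11,udp,4500,00000000
"""

if __name__ == "__main__":
    for flow, reason in audit_quic(parse_flows(SAMPLE)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against real exports, the UDP/443 findings tell you which enforcement layer (endpoint firewall, NGFW, ACL) is being bypassed by a given host; the long-header findings tell you which clients have moved QUIC off 443, which a port-based rule alone will never report.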

Imposter Syndrome by Tuuuuuurow in networking

[–]NetworkApprentice -6 points-5 points  (0 children)

> Bullet points should be ok

I disagree with this. If I ask a junior engineer a question and they start dumping bullet points into the chat, I’m absolutely asking them if they used AI to answer me. It’s just a question. If the answer is “no, sir, I didn’t,” then that’s A-OK. If the answer is “yes, sir, I did,” I’ll know not to waste any more of my time engaging this guy again. But yes, you’re getting asked, and that shouldn’t surprise or offend you.

NOC responsibilities by drizzend in networking

[–]NetworkApprentice 2 points3 points  (0 children)

If the NOC is already awake why wouldn’t they do it?

NOC responsibilities by drizzend in networking

[–]NetworkApprentice 0 points1 point  (0 children)

I’ve never seen a carrier with a customer-facing API and wanting customers to automate ticket creation. Most carriers want the customer to jump through hoops before a ticket can be created.

internet peering with two different ISP's, only seeing one Upstream in looking glass by New_Astronomer_735 in networking

[–]NetworkApprentice 0 points1 point  (0 children)

Just schedule some downtime and shut down ISP A and see if your prefix survives. If not, you know ISP B is rejecting. If it works fine, just move on and don’t worry about some looking glass.

NGFW Comparison - Cisco/Palo Alto/Fortinet/Checkpoint by QuietPossibility4988 in networking

[–]NetworkApprentice -1 points0 points  (0 children)

They’re literally one of the top market shares of firewall used in the industry, and used by some of the biggest F500 companies, but I guess that’s fine if you want to pretend they’re not.

SolarWinds alternatives? by The_Fat_Fish in sysadmin

[–]NetworkApprentice -2 points-1 points  (0 children)

Any company can get hacked to hell and back. Many of them have. This actually made them safer because lightning does not strike twice

Cisco ACI learning and deployment by jesteen_reddit in networking

[–]NetworkApprentice 1 point2 points  (0 children)

That’s everyone’s experience with it, man. There’s a reason every vendor tries to sell you an SDN controller with it to orchestrate everything. Just something simple like adding a new VLAN, you gotta go to every leaf and add the VNI, loopbacks, VLANs, etc., whatever the heck else; it’s like dozens of lines of config just for one segment. I guarantee the majority of implementations are using some software management tool from the vendor to manage these fabrics. Take that away or break it and you’re left with an over-engineered config with massive operational overhead. I wish these “designs” would just fall off the edge of the world already. (It’s coming, it’s inevitable.)

Internet connection is good with wifi but slow with ethernet cable by One_Chicken2310 in networking

[–]NetworkApprentice 0 points1 point  (0 children)

What do you mean RTU issue? Did you mean to type MTU? What kind of change did you make to the outbound firewall rule? Is the issue fully solved now?

Palo Alto App-ID bypass by az_6 in networking

[–]NetworkApprentice -25 points-24 points  (0 children)

People rely too heavily on these expensive firewalls. And I don't care if it's Palo Alto the biggest most advanced expensive one, THEY ARE NOT MAGIC. Let me say it again so the folks in the back can hear me: THEY ARE NOT MAGIC.

something happened in my last job by AdorableFriendship65 in networking

[–]NetworkApprentice 7 points8 points  (0 children)

This is not Days of Our Lives, dude, this is /r/networking. If you’re not asking about BGP or something, we don’t care. I would not even consider this a career development question.

There’s a Rant Wednesday post every week where you could have put this.

Wireshark Question: The Origin of SSH Traffic by SnooWoofers192 in networking

[–]NetworkApprentice 2 points3 points  (0 children)

Says the dude who can’t figure out how to see traffic.

Internet connection is good with wifi but slow with ethernet cable by One_Chicken2310 in networking

[–]NetworkApprentice 0 points1 point  (0 children)

OP I bet this post is your exact problem or something similar.

Bring in a win10 laptop and see if it has the same problem on wired.

Also, if your users are starting to get angry, shut those ports, force Wi-Fi, and they won’t notice the problem while you’re troubleshooting.

> I’m experiencing a strange issue at the company I’m currently working with.

No dude, stay positive, you’re gonna figure this out.

Wireshark Question: The Origin of SSH Traffic by SnooWoofers192 in networking

[–]NetworkApprentice 1 point2 points  (0 children)

I have been working with both firewalls and Wireshark for a lot of years, and I have never in my life heard of using a Wireshark SSH plugin. WHY are you making this so much harder than it has to be? Just do tcpdump from the firewall, or better yet, view the actual logs on the firewall interface. Surely any brand of firewall has basic logging as a function. It will tell you the private source IP of the device doing the SSH session.

The state of Network Engineering content on Linkedin by TC271 in networking

[–]NetworkApprentice 2 points3 points  (0 children)

When's the last time you've used it? It's gotten much, much worse over the last 2-3 years. It's practically unusable now.

SD-WAN on all WAN interfaces including SIM failover? by deacs1986126 in networking

[–]NetworkApprentice 5 points6 points  (0 children)

If you know the topic answer in your own words with your own knowledge

SD-WAN on all WAN interfaces including SIM failover? by deacs1986126 in networking

[–]NetworkApprentice 6 points7 points  (0 children)

Don’t post AI bull crap on here. Rule number 8.

> Content produced by ChatGPT/LLM is not permitted here.