Thermostats going in and out

bmeeks

Will the vendor share this cell phone app with you for troubleshooting? It would be interesting to actually watch what is happening within the app's reporting while at the same time capturing traffic on the VLAN and WAN interfaces.

Some kind of WiFi interference is certainly a possibility as @Gertjan mentioned. Although you would not expect it to cover an entire typical resort as that's a large area, maybe some employee brought in their own WiFi AP and stuck it somewhere? One thing to check, if your AP infrastructure provides that info, is what WiFi sources are showing up and their signal levels. For example, in Ubiquiti APs the controller software can show you other non-affiliated transmitters whose signal is being received by the APs and at what level. But on the other hand, if interference was the issue you would really expect that to impact all WiFi on site (thus web browsing and everything else would suck).

Lastly, based on that Twitter link @NogBadTheBad provided, it would make you suspect Honeywell might have an issue on their end ???

I think many of these old-school companies trying to step up in the Internet world have difficulty. I have a pair of Lennox Wi-Fi thermostats that call home to a Lennox server. You can then connect to the Lennox server site via your phone to see and control your system. That process works maybe 65% of the time at best. The remote end server disappears fairly regularly for hours or a few days, then it's back. I suspect they just don't put enough capacity in their backend to handle the traffic from thousands and thousands of thermostats scattered all over everywhere.

Gertjan

Just one word about this, as I want you to think 'out of the box' (I'm not saying your setup is wrong, as I can't tell ) :

@stewart said in Thermostats going in and out:

This is an isolated resort covering many acres. No other interference that would account for this.

If you receive 3G/4G/5G on your premisses, everybody who has a cell phone can 'share' the data connection - and his phone becomes an Wifi AP.
All phones are not equal. Some just open the radio and start blasting away.
Not very good for a connection of the (your !) local AP and AC unit close by.

@stewart said in Thermostats going in and out:

I can look into this.

System > Routing > Gateways :

On the PORTAL interface I have AP's like 192.168.2.2 192.168.2.3 192.168.2.4 etc.

Check :

so that dpinger doesn't take action when it start loosing the ping.
It's the monitoring that you want. See : Status > Monitoring, select Quality (left) and the name you gave to it (right).

slimypizza

I have 2 Honeywell thermostats in the house that had been performing flawlessly for a few years. Recently however there began some connectivity issues, red warning screens on the app, changes to settings not being acted upon, etc. I thought it was on Honeywell’s end and still believe that. Maybe they’ve been going through some unannounced upgrades. I hope that’s all it is. Very disruptive though.

Stewart

@bmeeks

We use IgniteNet APs so we can see all of the devices connected, how long they are connected for and gaps in connection time. This is what I can see from one of the units:

As you can see, always connected with regular traffic.

Stewart

Found something, maybe
Firewall logs show some oddities:

Not sure what to make of this.

The rule that triggered this action is:

@5(1000000103) block drop in log inet all label "Default deny rule IPv4"

bmeeks

The obfuscation of the IP addresses makes it a little hard to follow. So I assume the 199.62.xx.xx address is your WAN IP and the 97.xxx is the Honeywell server end ??

If correct, then are the IP addresses in each block/pass sequence identical? That is weird. It's like the state is not working or something maybe.

Do you have any sort of multi-WAN configuration? I'm assuming "no" since you didn't mention it.

Edit: wait a minute... looking at those logs again is really confusing. Why is 443 the Source port? I would think that is the destination port, and there would be a random source port.

pete35

@stewart

just a guess - you may try to set Firewall Optimization Options to conservativ, if not already set:

Stewart

@bmeeks said in Thermostats going in and out:

The obfuscation of the IP addresses makes it a little hard to follow. So I assume the 199.62.xx.xx address is your WAN IP and the 97.xxx is the Honeywell server end ??

97.x.x.x is the WAN port. 199.62.x.x is the Honeywell server.

If correct, then are the IP addresses in each block/pass sequence identical? That is weird. It's like the state is not working or something maybe.

Weird indeed! Notice that it's like it the WAN receives 2 packets each time, the first is blocked while the second is allowed.

Do you have any sort of multi-WAN configuration? I'm assuming "no" since you didn't mention it.

Nope.

Edit: wait a minute... looking at those logs again is really confusing. Why is 443 the Source port? I would think that is the destination port, and there would be a random source port.

The thermostats connect out from the 97.x.x.x IP using a random port to 199.x.x.x on port 443. This is the reply back so it would come from 443 back to the random port.

Stewart

@pete35 said in Thermostats going in and out:

@stewart

just a guess - you may try to set Firewall Optimization Options to conservativ, if not already set:

I've set it, so we'll see how it goes.

bmeeks

@stewart said in Thermostats going in and out:

@bmeeks said in Thermostats going in and out:

The obfuscation of the IP addresses makes it a little hard to follow. So I assume the 199.62.xx.xx address is your WAN IP and the 97.xxx is the Honeywell server end ??

97.x.x.x is the WAN port. 199.62.x.x is the Honeywell server.

If correct, then are the IP addresses in each block/pass sequence identical? That is weird. It's like the state is not working or something maybe.

Weird indeed! Notice that it's like it the WAN receives 2 packets each time, the first is blocked while the second is allowed.

Do you have any sort of multi-WAN configuration? I'm assuming "no" since you didn't mention it.

Nope.

Edit: wait a minute... looking at those logs again is really confusing. Why is 443 the Source port? I would think that is the destination port, and there would be a random source port.

The thermostats connect out from the 97.x.x.x IP using a random port to 199.x.x.x on port 443. This is the reply back so it would come from 443 back to the random port.

Ah, okay. So I had the IP addresses backwards.

The double replies are indeed strange. Perhaps @pete35's solution will work. That setting will stretch out the state table entry expiration times. Still strange, though, that two replies seem to come back at essentially the same time (or certainly within one second of each other as the logger shows the times as the same due to its one-second resolution).

Stewart

@bmeeks I had to undo it. Just got a call that for about the last hour or so calls have been going straight to voicemail intermittently. Looks like it broke the VOIP at the location.