Stig, I replied with this answer to the wrong post this morning. Here's the answer to the fw monitor syntax question.

fw monitor -e "(src=server or dst=server) and (src=laptop or dst=laptop) and (dport=22 or sport=22), accept;" -o filename.cap

(The above expression is one line that may have had text wrapped by your email client.) The reason for adding the OR statements is that it shows you the return packets as well.

Good luck!

-fwguru

On 4/18/05, Stig Bull <[EMAIL PROTECTED]> wrote:
> We're experiencing some extremely weird networking problems at our
> office. Now I know this (probably) isn't a Checkpoint related problem,
> but I'm trying this mailing list in order to get an idea of what to do
> next, or which forums/web sites/mailing lists I really should direct my
> request at, since I haven't found any dedicated, *good* networking
> forums on Google.
>
> Here is the problem:
> Last Friday morning, I was unable to SSH into the Sun servers at our
> office; the SSH client just hung at connecting. It worked as normal
> Thursday evening when we left, so I thought this was a Windows problem,
> but after rebooting the laptop, and after another employee complained
> about the same problem, it turned out there's something weird going on
> with our network.
>
> What happens is this:
>
> 1: (Everything is on the same subnet, behind a Nokia IP-330 NG AI
> firewall. The switch is layer 2 so it doesn't route anything. No
> configuration has been changed on the switch, the firewall, servers or
> office PCs.)
>
> 2: We can SSH into 1 of 4 Sun servers.
>
> 3: ALL servers are reachable by FTP, ping and HTTP (not tried anything
> else, but enabled Telnet once and it produced the exact same result,
> i.e. hung), but not SSH.
>
> 4: What turns up in var/adm/messages when we try SSH is this:
> "Apr 18 10:04:29 jupiter sshd[15028]: [ID 800047 auth.crit] fatal:
> Timeout before authentication for x.x.x.x" - to me indicating that the
> packet and response from the servers *seems* to be routed somewhere else.
>
> 5: If we use SSH from our 3 remote production sites which are on the
> same VPN, or even using a remote PC with SecureClient, we can reach
> these servers with no problems whatsoever.
>
> 6: We can SSH from one server to the other between these 3, we can even
> SSH into the fourth server from these 3 (the latter is also the only
> one reachable from our office PCs with SSH), but SSH from this fourth
> server hangs to the other 3.
>
> 7: Using SmartTracker I can't see any logged SSH packets, so
> everything seems to be going on locally on the switch/backbone, not
> going via the gateway at all.
>
> 8: I've rebooted the switch twice, I even rebooted the servers *and* the
> firewall, and the problem still persists.
>
> 9: I unplugged every cable from the switch one by one, while another
> employee tried SSH into a server. SSH failed every single time.
>
> 10: I replaced the switch this morning with an identical model and
> configuration, but the problem still persists.
>
> 11: On 2 of 3 servers I can sometimes get lucky and an SSH session is
> successfully established -- after a looooong time. None of the other
> employees gets an established session.
>
> 12: SSH to the firewall and a Linux box on the same subnet works
> perfectly.
>
> 13: Just poking around, I tried route -f on one of the servers. I was
> able to SSH into it every single time, but still none of the other
> employees were. Of course the gateway address disappeared with the route
> flushed. After a reboot the server went back to "normal" and I was
> unable to SSH into it again.
>
> 14: This happens with SecureSSH (4.1/5.0), Putty and OpenSSH (various
> versions) installed on the servers.
>
> So that's it, I've tried about everything I can think of, but use a
> packet sniffer, even though I'm not sure if it will produce any results.
> I do suspect this to be a routing issue even though I can't see any
> 'mal-routed' packets on the firewall.
>
> Has anyone an idea of what I can try next, or perhaps provide me with a
> link to some networking forum where I can ask about this? Or, which
> syntax is correct for fw monitor -e? I want to use source/destination
> server/my laptop for SSH in order to see if any packets are routed
> externally for some reason. Would 'fw monitor -e 'src=server;' AND
> 'dst=laptop' be correct?
>
> --
>
> Stig Bull
> Networking and Systems Administrator
> Hugin ASA
> http://www.hugincorporate.com
> Phone: +47 22 80 79 89 Mobile: +47 91 60 88 74 Fax: +47 22 80 79 79
> - Your reputation connects through Hugin
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
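An added illustration (not from either poster) of why fwguru ORs both hosts and both ports: a one-directional filter like the 'src=server and dst=laptop' form Stig asked about keeps only one leg of the SSH handshake, so the capture would look as if the other side never answered. The addresses and packets below are constructed sample data, and the predicates model the fw monitor expression rather than run fw monitor itself.

```python
# Added example: models fw monitor filter expressions as Python predicates
# over a constructed SSH handshake. Addresses are constructed placeholders.
from dataclasses import dataclass

SERVER = "10.0.0.10"   # constructed: the Sun server
LAPTOP = "10.0.0.50"   # constructed: the office laptop


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def one_way_filter(p: Packet) -> bool:
    """The form asked about in the question: src=server and dst=laptop."""
    return p.src == SERVER and p.dst == LAPTOP


def bidirectional_filter(p: Packet) -> bool:
    """fwguru's expression: each host in either role, port 22 on either side."""
    hosts_ok = (p.src == SERVER or p.dst == SERVER) and \
               (p.src == LAPTOP or p.dst == LAPTOP)
    port_ok = p.dport == 22 or p.sport == 22
    return hosts_ok and port_ok


# Constructed three-way handshake plus an unrelated HTTP packet from the laptop.
SAMPLE = [
    Packet(LAPTOP, SERVER, 51234, 22, "SYN"),
    Packet(SERVER, LAPTOP, 22, 51234, "SYN-ACK"),
    Packet(LAPTOP, SERVER, 51234, 22, "ACK"),
    Packet(LAPTOP, SERVER, 51235, 80, "SYN"),   # HTTP: must be excluded
]


def capture(filt, packets=SAMPLE):
    """Return the flags of every packet the filter would keep, in order."""
    return [p.flags for p in packets if filt(p)]


def shows_both_directions(filt, packets=SAMPLE):
    """True only if the kept packets include traffic in both directions."""
    kept = [p for p in packets if filt(p)]
    return any(p.src == SERVER for p in kept) and any(p.dst == SERVER for p in kept)


if __name__ == "__main__":
    print("one-way      :", capture(one_way_filter), shows_both_directions(one_way_filter))
    print("bidirectional:", capture(bidirectional_filter), shows_both_directions(bidirectional_filter))
```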
