Hi,

What is this command supposed to do? It's better to know before trying... ;-) We 
have quite a busy environment (peak concurrent connections over 20000)...

-lari-


-----Original Message-----
From: Mailing list for discussion of Firewall-1 on behalf of Gustavo Rodrigues 
Ramos
Sent: Fri 2/8/2008 11:29 PM
To: [email protected]
Subject: Re: [FW-1] firewall dropping return packets
 
Lari,

Have you tried something like this?

[EMAIL PROTECTED] fw ctl zdebug drop > drops.txt

You should consider your capacity and performance before playing with
the command above.

Regards,
Gustavo.



On 2/8/08, Previtera, Sal <[EMAIL PROTECTED]> wrote:
> It looks like a Cisco VPN client issue... not handling NAT Traversal
> correctly.
> Change the Cisco client to use a TCP connection instead of UDP... it may help.
>
> I am assuming that
> the Cisco VPN client is in your internal networks and tries to connect to
> a Cisco VPN concentrator outside of your networks... correct?
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Lari
> Luoma
> Sent: Friday, February 08, 2008 1:02 PM
> To: [email protected]
> Subject: [FW-1] firewall dropping return packets
>
> Dear colleagues!
>
> I'm in the middle of quite a weird troubleshooting session and would
> really appreciate any help to get this resolved.
>
> We are running IPSO 4.1b033 and CP NGX R60 HFA04 in a VRRP cluster.
>
> The scenario is as follows:
>
> 1. User authenticates successfully through client-authentication.
> 2. User opens a VPN-connection (Cisco VPN client) to the internal
> network.
>
> When looking at connections in the SmartView Tracker everything seems to
> be green (accepted), but the connections are not working. Here comes the
> weird thing...
> The firewall is dropping return packets as if they were new connections.
> The user information has also disappeared from the dropped return
> packets, as if the whole session has been terminated somehow. All the
> traffic is supposed to be hidden behind the firewall's external IP
> (192.100.x.x).
>
> What on earth is going on here... Let me confuse you a little bit more
> by saying that the connections work sometimes (very slowly indeed), but
> most of the time they don't.
>
> Here's some tracking info...
>
> Number:                     6089199
> Date:                       7Feb2008
> Time:                       11:41:35
> Product:                    VPN-1 Pro/Express
> Interface:                  eth-s1p3c1
> Origin:                     fw1 (192.168.77.116)
> Type:                       Log
> Action:                     Accept
> Protocol:                   udp
> Service:                    UDP_4500 (4500)
> Source:                     10.183.146.25
> Destination:                15.195.xx.xx
> Rule:                       36
> NAT rule number:            27
> NAT additional rule number: 0
> Source Port:                UDP_4500 (4500)
> User:                       [I removed the user name]
> XlateSrc:                   fw1_cluster(192.100.xx.xx)
> XlateSPort:                 50357
> Information:                rule_uid: {572D8CDE-627C-4D64-A495-7E0470E4AC49}
>                             service_id: UDP_4500
>                             normalized_rule_num: 36-es-rules
>
> Number:                     6097242
> Date:                       7Feb2008
> Time:                       11:41:57
> Product:                    VPN-1 Pro/Express
> Interface:                  eth-s2p1c0
> Origin:                     fw1 (192.168.xx.xx)
> Type:                       Log
> Action:                     Drop
> Protocol:                   udp
> Service:                    49534
> Source:                     15.195.xx.xx
> Destination:                fw1_cluster (192.100.xx.xx)
> Rule:                       178
> Source Port:                UDP_4500 (4500)
> Information:                rule_uid: {D67DCC20-6EA8-4EAB-BC8B-1E20C0E38DFF}
>                             normalized_rule_num: 178-es-rules
>
>
> Here is the fw monitor output for the traffic:
>
> Feb  8 08:29:02 fw1 [LOG_CRIT] kernel: FW-1: monitor filter loaded
>  monitor: monitoring (control-C to stop)
> eth-s1p3c1:i[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> UDP: 500 -> 500
> eth-s1p3c1:I[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> UDP: 500 -> 500
> eth-s2p1c0:o[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> UDP: 500 -> 500
> eth-s2p1c0:O[340]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=340 id=32320
> UDP: 11759 -> 500
> eth-s2p1c0:i[176]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=176 id=26684
> UDP: 500 -> 11759
> eth-s2p1c0:I[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> UDP: 500 -> 500
> eth-s1p3c1:o[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> UDP: 500 -> 500
> eth-s1p3c1:O[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> UDP: 500 -> 500
> eth-s1p3c1:i[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> UDP: 4500 -> 4500
> eth-s1p3c1:I[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> UDP: 4500 -> 4500
> eth-s2p1c0:o[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> UDP: 4500 -> 4500
> eth-s2p1c0:O[3620]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> UDP: 11764 -> 4500
> eth-s2p1c0:i[3628]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=1500 id=27473 off=0
> UDP: 4500 -> 11764
> eth-s2p1c0:I[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> UDP: 4500 -> 4500
> eth-s1p3c1:o[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> UDP: 4500 -> 4500
> eth-s1p3c1:O[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> UDP: 4500 -> 4500
> eth-s1p3c1:i[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> UDP: 4500 -> 4500
> eth-s1p3c1:I[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> UDP: 4500 -> 4500
> eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> UDP: 4500 -> 4500
> eth-s2p1c0:O[432]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=432 id=35018
> UDP: 12340 -> 4500
> eth-s2p1c0:i[128]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=128 id=566
> UDP: 4500 -> 11764
> ^C monitor: caught sig 2
>  monitor: unloading
>
> Your help is appreciated, thanks a lot in advance!
>
>
> -lari-
>
>
> Lari Luoma
> Senior Network Security Specialist
> Mainframe Consulting Oy
> [EMAIL PROTECTED]
> +358-45-6576820
> www.mainframe.fi

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
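The fw monitor trace quoted above can be checked mechanically for the symptom Lari describes: the inner flow 10.183.146.26:4500 -> 15.195.xx.xx:4500 is hidden behind 192.100.xx.xx as port 11764, later re-hidden as port 12340, and a return packet addressed to the old port 11764 then arrives with no matching translation. The script below is an added example, not code from the thread or from Check Point; it rebuilds the hide-NAT mapping from each packet's o/O pair (the same IP id seen before and after outbound translation) and reports remapped flows and inbound packets whose translated port no longer maps. The sample trace is condensed from the one quoted above with its masked addresses kept, and the hide address is assumed from the post.

```python
import re

# Constructed sample, condensed from the fw monitor trace in the post above.
# fw monitor prints a header line per inspection point (i, I, o, O) followed
# by a "UDP: sport -> dport" line for the same packet.
TRACE = """\
eth-s2p1c0:o[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:O[3620]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 11764 -> 4500
eth-s2p1c0:i[3628]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 11764
eth-s2p1c0:I[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=128 id=566
UDP: 4500 -> 11764
"""
HIDE_IP = "192.100.xx.xx"  # assumed: the cluster's hide-NAT address from the post

HDR = re.compile(r"^(\S+):([iIoO])\[\d+\]: (\S+) -> (\S+) \(UDP\) .*?id=(\d+)")
PORTS = re.compile(r"^UDP: (\d+) -> (\d+)")

def parse(trace):
    """Yield (iface, point, src, sport, dst, dport, ipid) for each packet."""
    lines = [l for l in trace.splitlines() if l.strip()]
    for hdr, ports in zip(lines[0::2], lines[1::2]):
        h, p = HDR.match(hdr), PORTS.match(ports)
        yield (h.group(1), h.group(2), h.group(3), int(p.group(1)),
               h.group(4), int(p.group(2)), int(h.group(5)))

def audit(trace):
    """Return (remapped flows, inbound packets with no current translation)."""
    pending = {}   # ipid -> inner 4-tuple seen at 'o', before hide NAT
    mapping = {}   # (hide ip, translated port) -> inner 4-tuple
    remapped, unmatched = [], []
    for iface, point, src, sport, dst, dport, ipid in parse(trace):
        if point == "o":
            pending[ipid] = (src, sport, dst, dport)
        elif point == "O" and ipid in pending:   # same packet after translation
            flow = pending.pop(ipid)
            stale = [k for k, f in mapping.items() if f == flow and k != (src, sport)]
            for k in stale:   # same inner flow now hidden behind a new port
                remapped.append((flow, k[1], sport)); del mapping[k]
            mapping[(src, sport)] = flow
        elif point == "i" and dst == HIDE_IP and (dst, dport) not in mapping:
            unmatched.append((src, sport, dst, dport, ipid))   # return packet, no entry
    return remapped, unmatched
```

On the sample, `audit(TRACE)` reports one remap (11764 to 12340) and one unmatched return packet (id 566 to port 11764), which is the packet that never reaches the I inspection point in the original trace.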

