hi, check for asymmetric routing - maybe on different cluster nodes or fw interfaces.
br reinhard

--
Reinhard Stich, Internet Security AG
Mobile email powered by Nokia Intellisync
*** please reply-to-all if you answer to this mail ***

-----Original Message-----
From: Gustavo Rodrigues Ramos
Sent: 09.02.2008 05:26:39
To: Mailing list for discussion of Firewall-1
Subject: Re: [FW-1] firewall dropping return packets

Lari,

It will show all packets that are being dropped by the Check Point kernel.
Some time ago I had a problem very similar to yours and I only figured out what was happening after looking into this debug log (this procedure was instructed by Check Point customer support).

I would also suggest you check the official documentation regarding this command.

Gustavo.

On 2/8/08, Lari Luoma <[EMAIL PROTECTED]> wrote:
> Hi,
>
> What is this command supposed to do? It's better to know before trying... ;-) We
> have quite a busy environment (peak concurrent connections over 20000)...
>
> -lari-
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 on behalf of Gustavo
> Rodrigues Ramos
> Sent: Fri 2/8/2008 11:29 PM
> To: [email protected]
> Subject: Re: [FW-1] firewall dropping return packets
>
> Lari,
>
> Have you tried something like this?
>
> [EMAIL PROTECTED] fw ctl zdebug drop > drops.txt
>
> You should consider your capacity and performance before playing with
> the command above.
>
> Regards,
> Gustavo.
>
>
>
> On 2/8/08, Previtera, Sal <[EMAIL PROTECTED]> wrote:
> > It looks like a Cisco VPN client issue (not handling NAT Traversal
> > correctly).
> > Change the Cisco client to use a TCP connection instead of UDP... it may help.
> >
> > I am assuming that the Cisco VPN client is in your internal networks and
> > tries to connect to a Cisco VPN concentrator outside of your networks... correct?
> >
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of Lari
> > Luoma
> > Sent: Friday, February 08, 2008 1:02 PM
> > To: [email protected]
> > Subject: [FW-1] firewall dropping return packets
> >
> > Dear colleagues!
> >
> > I'm in the middle of quite a weird troubleshooting session and would
> > really appreciate any help to get this resolved.
> >
> > We are running IPSO 4.1b033 and CP NGX R60 HFA04 in a VRRP cluster.
> >
> > The scenario is as follows:
> >
> > 1. User authenticates successfully through client-authentication.
> > 2. User opens a VPN-connection (Cisco VPN client) to the internal
> > network.
> >
> > When looking at connections in SmartView Tracker everything seems to
> > be green (accepted), but the connections are not working. Here comes the
> > weird thing...
> > The firewall is dropping return packets as if they were new connections.
> > The user information has also disappeared from the dropped return
> > packets as if the whole session has been terminated somehow. All the
> > traffic is supposed to be hidden behind the firewall's external IP
> > (192.100.x.x).
> >
> > What on earth is going on here... Let me confuse you a little bit more
> > by saying that the connections work sometimes (very slowly indeed), but
> > most of the time they don't.
> >
> > Here's some tracking info...
> >
> > Number: 6089199
> > Date: 7Feb2008
> > Time: 11:41:35
> > Product: VPN-1 Pro/Express
> > Interface: eth-s1p3c1
> > Origin: fw1 (192.168.77.116)
> > Type: Log
> > Action: Accept
> > Protocol: udp
> > Service: UDP_4500 (4500)
> > Source: 10.183.146.25
> > Destination: 15.195.xx.xx
> > Rule: 36
> > NAT rule number: 27
> > NAT additional rule number: 0
> > Source Port: UDP_4500 (4500)
> > User: [I removed the user name]
> > XlateSrc: fw1_cluster(192.100.xx.xx)
> > XlateSPort: 50357
> > Information: rule_uid: {572D8CDE-627C-4D64-A495-7E0470E4AC49}
> > service_id: UDP_4500
> > normalized_rule_num: 36-es-rules
> >
> > Number: 6097242
> > Date: 7Feb2008
> > Time: 11:41:57
> > Product: VPN-1 Pro/Express
> > Interface: eth-s2p1c0
> > Origin: fw1 (192.168.xx.xx)
> > Type: Log
> > Action: Drop
> > Protocol: udp
> > Service: 49534
> > Source: 15.195.xx.xx
> > Destination: fw1_cluster (192.100.xx.xx)
> > Rule: 178
> > Source Port: UDP_4500 (4500)
> > Information: rule_uid: {D67DCC20-6EA8-4EAB-BC8B-1E20C0E38DFF}
> > normalized_rule_num: 178-es-rules
> >
> >
> > Here is fw-monitor output about the traffic
> >
> > Feb 8 08:29:02 fw1 [LOG_CRIT] kernel: FW-1: monitor filter loaded
> > monitor: monitoring (control-C to stop)
> > eth-s1p3c1:i[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> > UDP: 500 -> 500
> > eth-s1p3c1:I[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> > UDP: 500 -> 500
> > eth-s2p1c0:o[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
> > UDP: 500 -> 500
> > eth-s2p1c0:O[340]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=340 id=32320
> > UDP: 11759 -> 500
> > eth-s2p1c0:i[176]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=176 id=26684
> > UDP: 500 -> 11759
> > eth-s2p1c0:I[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> > UDP: 500 -> 500
> > eth-s1p3c1:o[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> > UDP: 500 -> 500
> > eth-s1p3c1:O[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
> > UDP: 500 -> 500
> > eth-s1p3c1:i[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> > UDP: 4500 -> 4500
> > eth-s1p3c1:I[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> > UDP: 4500 -> 4500
> > eth-s2p1c0:o[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> > UDP: 4500 -> 4500
> > eth-s2p1c0:O[3620]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
> > UDP: 11764 -> 4500
> > eth-s2p1c0:i[3628]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=1500 id=27473 off=0
> > UDP: 4500 -> 11764
> > eth-s2p1c0:I[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> > UDP: 4500 -> 4500
> > eth-s1p3c1:o[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> > UDP: 4500 -> 4500
> > eth-s1p3c1:O[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
> > UDP: 4500 -> 4500
> > eth-s1p3c1:i[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> > UDP: 4500 -> 4500
> > eth-s1p3c1:I[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> > UDP: 4500 -> 4500
> > eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
> > UDP: 4500 -> 4500
> > eth-s2p1c0:O[432]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=432 id=35018
> > UDP: 12340 -> 4500
> > eth-s2p1c0:i[128]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=128 id=566
> > UDP: 4500 -> 11764
> > ^C monitor: caught sig 2
> > monitor: unloading
> >
> > Your help is appreciated, thanks a lot in advance!
> >
> >
> > -lari-
> >
> >
> > Lari Luoma
> > Senior Network Security Specialist
> > Mainframe Consulting Oy
> > [EMAIL PROTECTED]
> > +358-45-6576820
> > www.mainframe.fi
> > =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
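As an added diagnostic (not code from the thread or from Check Point), a small Python audit of fw monitor output like Lari's: it pairs the pre/post-outbound (o/O) records to learn the hide-NAT source port per inner flow, flags a flow that gets re-hidden behind a different port (the 11764 to 12340 change in the capture above, a sign the gateway no longer matched its own connection on that node), and reports inbound (i) packets that never reach the post-inbound (I) point. The sample capture and its addresses are constructed placeholders in the same format.

```python
import re

# Constructed sample in the fw monitor format quoted in the thread (placeholder addresses): the flow is
# hidden behind 11764, its reply is accepted, then it is re-hidden behind 12340 and the next reply to 11764 dies.
SAMPLE = """\
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.0.1 (UDP) len=432 id=1
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.0.1 -> 15.195.0.1 (UDP) len=432 id=1
UDP: 11764 -> 4500
eth-s2p1c0:i[128]: 15.195.0.1 -> 192.100.0.1 (UDP) len=128 id=2
UDP: 4500 -> 11764
eth-s2p1c0:I[128]: 15.195.0.1 -> 10.183.146.26 (UDP) len=128 id=2
UDP: 4500 -> 4500
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.0.1 (UDP) len=432 id=3
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.0.1 -> 15.195.0.1 (UDP) len=432 id=3
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 15.195.0.1 -> 192.100.0.1 (UDP) len=128 id=4
UDP: 4500 -> 11764
"""
HDR = re.compile(r"^(?P<iface>\S+):(?P<pt>[iIoO])\[\d+\]: (?P<src>\S+) -> (?P<dst>\S+) \(UDP\).*\bid=(?P<id>\d+)")
PORTS = re.compile(r"^UDP: (?P<sp>\d+) -> (?P<dp>\d+)")

def parse(text):
    """Pair each 'iface:point[len]: src -> dst' header with the 'UDP: sp -> dp' line below it."""
    lines = [l for l in text.splitlines() if l.strip()]
    pairs = [(HDR.match(h), PORTS.match(p)) for h, p in zip(lines[0::2], lines[1::2])]
    return [{**h.groupdict(), **p.groupdict()} for h, p in pairs if h and p]

def audit(text):
    """Return (retranslations, drops): inner flows re-hidden behind a new source port at 'O' (the
    gateway stopped matching its own connection) and 'i' packets with no 'I' twin (dropped inbound)."""
    pkts, current, retired, retrans, drops, pending = parse(text), {}, set(), [], [], None
    for i, pk in enumerate(pkts):
        if pk["pt"] == "o":                                   # pre-outbound: original 4-tuple
            pending = pk
        elif pk["pt"] == "O" and pending and pending["id"] == pk["id"]:   # post-outbound: NATed
            flow = (pending["src"], pending["sp"], pk["dst"], pk["dp"])
            old = current.get(flow)
            if old and old != pk["sp"]:
                retrans.append((flow, old, pk["sp"]))
                retired.add(old)
            current[flow] = pk["sp"]
        elif pk["pt"] == "i":                                 # pre-inbound: reply to the hide port
            nxt = pkts[i + 1] if i + 1 < len(pkts) else None
            if not (nxt and nxt["pt"] == "I" and nxt["id"] == pk["id"]):
                why = "reply to superseded hide-NAT port" if pk["dp"] in retired else "no state seen"
                drops.append((pk["id"], pk["src"], pk["dp"], why))
    return retrans, drops
```

Run it over a real `fw monitor` capture saved to a file by passing the file's text to `audit()`; a non-empty first list is the state-loss signature to chase across cluster members before looking at the VPN client.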
