Sat,

What OS are you running on, anyway?
How busy is this fw when the problem occurs, how many connections?
How busy is NAT table (if you're doing NAT)? fw tab -t fwx_alloc -s

Which firewall is the fw monitor not seen on?  Internal or External?
Are they both centrally managed?
Have you tried deleting and recreating the service object for that port?

Like Rajeev suggested, try running fw monitor without expression, but you
can also output filtered results to the screen without an expression by
running 'fw monitor | grep <ip>'.  What do you see?

I guess pings and traceroutes make it ok, and are seen by fw monitor from
that source?
Is there any natting going on?  If so, on which firewall? I ask because that
destination port is in the beginning range of CP's hide NAT port range
(begins at source port 10000).  I don't know, there may be something to
investigate there, especially after reading Crist's post.

TCP dump is completely fw kernel independent, whereas fw monitor positions
itself in the fw inspection chain (in fact, becomes a module in the chain).
Try putting fw monitor up the chain.  With fw monitor running, start another
terminal (like CTRL+F2) and type 'fw ctl chain' to see where fw monitor is
positioned (typically position 4 or 5 in the chain).  Then you can run 'fw
monitor -pi 0 | grep <ip>'  or 'fw monitor -pi 1 | grep <ip>' to position it
at or near the top.  Do you see any output?
If you do, you can also run 'fw monitor -p all | grep <ip>'.  The output
will show every kernel chain name as it passes through it.  That may be able to
isolate where the packet is being lost in the chain.

Best,
Neil Delacruz

On Wed, Feb 20, 2008 at 7:29 PM, Crist Clark <[EMAIL PROTECTED]>
wrote:

> >>> On 2/18/2008 at 2:35 PM, Satyam Mathura <[EMAIL PROTECTED]> wrote:
> > Hey guys,
> > I've got an interesting problem. We have a couple of R65 firewalls in a
> > back-to-back configuration, e.g.:
> > Internal_Net -> FW1 -> DMZ -> FW2 -> External_Net
> >
> > I have a device on my internal network that needs to connect to servers on
> > the Internet and send data via TCP:10061. This worked for a few days and was
> > logged correctly by the firewall but then stopped mysteriously. I can
> > confirm that no network/firewall changes were made during this time.
> > SmartView Tracker will show no entries for this traffic and the destination
> > hosts can confirm that no data is being sent from us.
> > An fw monitor -e "accept src=<network device>;" will also show no results
> > for this traffic. However, a tcpdump on the entry and exit interfaces of
> > both firewalls shows traffic from the source device flowing through the
> > firewalls using the designated port and protocol. Additionally an fw tab -t
> > connections -u shows the connections for this device on both firewalls.
> > I have tried the obvious re-installation of policies, rebooting of
> > firewalls, clearing of the entries in the connections table for the src ip
> > of the network device.
> > My questions are:
> > 1) why would tcpdump show traffic, but fw monitor returns no results
>
> It appears that "fw monitor" does not display packets for established
> TCP connections. I believe there is some sort of fast processing magic
> for established TCP that bypasses a lot of the FW processing, including
> the "fw monitor" hooks.
>
> That's my guess. I don't think I've seen this fully documented. But I've
> seen the same thing you describe in R65 SPlat.
>
> > 2) any idea why it would work for a couple of days and then stop working
> > altogether. I'm thinking that it must have something to do with the TCP
> > session timeouts for this protocol or the type of connection that is
> > established from this network device.
>
> Lemme guess. This "device" is some funky little thing with some
> custom, quirky TCP/IP stack? Does it try to use the same source
> port for all of its connections? Yes? We've had this same problem
> with IP phones. Check Point has some "Smart Connection Re-use"
> features that don't play well with some funny TCP/IP stacks.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
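Crist's hypothesis above (a device that reuses one source port for every connection) can be checked from the same tcpdump output Satyam already has. The script below is an added example for this thread, not code from any poster or from Check Point: it parses tcpdump's default text line format for IPv4 TCP packets, keeps only client SYNs (flags `[S]`, not the server's `[S.]`), and reports any (source IP, source port) pair that opened more than one connection. The capture lines are constructed sample traffic; the host and port values are illustrative, not from the thread. Run `tcpdump -nn -i <iface> tcp and host <device> > capture.txt` on the firewall and feed the file's lines to `find_source_port_reuse`.

```python
"""Spot a client that reuses one source port for every connection, by
post-processing tcpdump text output (added example; not from the thread)."""
import re
from collections import defaultdict

# Matches tcpdump's default line format for IPv4 TCP packets, e.g.
#   14:02:11.123456 IP 10.1.1.50.10061 > 198.51.100.7.10061: Flags [S], seq 0, win 8192, length 0
TCPDUMP_TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump_line(line):
    """Return a dict for one tcpdump TCP line, or None for anything else (ICMP, ARP, ...)."""
    m = TCPDUMP_TCP_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_client_syn(pkt):
    """A bare SYN opens a new connection; a SYN/ACK ('S.') is the server's reply."""
    return "S" in pkt["flags"] and "." not in pkt["flags"]


def syns_by_source(lines):
    """Group connection attempts by (src, sport) -> list of (ts, dst, dport)."""
    groups = defaultdict(list)
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt and is_client_syn(pkt):
            groups[(pkt["src"], pkt["sport"])].append((pkt["ts"], pkt["dst"], pkt["dport"]))
    return groups


def find_source_port_reuse(lines, min_attempts=2):
    """Return {(src, sport): attempts} for sources that opened at least
    min_attempts connections from the same source port."""
    return {k: len(v) for k, v in syns_by_source(lines).items() if len(v) >= min_attempts}


# Constructed sample capture (not real traffic): 10.1.1.50 plays the quirky
# device that always sends from port 10061; 10.1.1.60 is a normal host that
# picks a fresh ephemeral port per connection.
SAMPLE_CAPTURE = """\
14:02:11.100000 IP 10.1.1.50.10061 > 198.51.100.7.10061: Flags [S], seq 0, win 8192, length 0
14:02:11.150000 IP 198.51.100.7.10061 > 10.1.1.50.10061: Flags [S.], seq 0, ack 1, win 65535, length 0
14:02:11.200000 IP 10.1.1.50.10061 > 198.51.100.7.10061: Flags [.], ack 1, win 8192, length 0
14:02:40.100000 IP 10.1.1.50.10061 > 198.51.100.8.10061: Flags [S], seq 0, win 8192, length 0
14:03:15.100000 IP 10.1.1.50.10061 > 198.51.100.7.10061: Flags [S], seq 0, win 8192, length 0
14:03:20.100000 IP 10.1.1.60.49152 > 198.51.100.7.443: Flags [S], seq 0, win 65535, length 0
14:03:21.100000 IP 10.1.1.60.49153 > 198.51.100.9.443: Flags [S], seq 0, win 65535, length 0
14:03:22.000000 IP 10.1.1.60 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for (src, sport), n in find_source_port_reuse(SAMPLE_CAPTURE).items():
        print(f"{src} reused source port {sport} for {n} connection attempts")
```

A source that shows up here with the same port across several SYNs, and whose new SYN arrives while the firewall still holds the old entry in the connections table, is the pattern Crist describes; compare its timestamps with the session timeout for the service object on each firewall.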