Last night, we swapped out an old Solaris box running NG-R55
for a new(er) SecurePlatform system running R65 HFA_02. It went
pretty smoothly, except for one weird problem. A VPN connection
that passed through the firewall stopped working. This was
working fine up until the swap. The rule set was not changed.
The only changes to the policy for the swap were to the firewall
module itself: a SIC reset, changed interface names, and the new
version and OS. The VPN is the only problem we've noticed.
The two endpoints of the VPN are Cisco routers. Each is behind
a different Check Point firewall with the Internet in between.
The catch is that we are NATing one end. That's where the new
firewall is and that seems to be what is broken. The firewall
is logging as if it is doing NAT:
Number: 6910875
Date: 17Apr2008
Time: 9:35:05
Product: VPN-1 Power/UTM
Interface: eth1
Origin: 10.160.251.6
Type: Log
Action: Accept
Service: IKE (500)
Source: msga-vpn-loop (10.160.39.148)
Destination: EDH-VPN (aaa.bbb.103.193)
Protocol: udp
Rule: 21
Current Rule Number: 21-canada-internet
NAT rule number: 7
NAT additional rule number: 0
Source Port: ISAKMP (500)
XlateSrc: MSG-VPN (ccc.ddd.86.243)
Information: service_id: IKE
Rule UID: {1AE13B3D-BFF3-4C77-A225-17EC985D33F5}
SmartDefense Profile: Default_Protection
Policy Info: Policy Name: canada-internet
Created at: Thu Apr 17 09:29:46 2008
Installed from: fwmgr
But when I run "fw monitor" on the firewall,
[EMAIL PROTECTED] ~]# fw monitor -e 'accept sport=500;'
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
It does not look like it is doing NAT. So which do I trust? The
"fw monitor" or the log? They disagree. The fact that I never
see anything arrive at the other end makes me think it really
is not doing NAT and some ISP in between is filtering RFC1918
source addresses. I don't have another box on that link to
do a convenient sniff and running tcpdump on a SPlat box gives
funky results when doing NAT, so it isn't any help.
I've tried re-installing policy. No help. I don't see how tweaking
the policy and re-installing would help if the logs seem to
indicate the firewall is actually hitting the rules as intended.
I tried doing a "fw sam -I src 10.160.39.148" then after a
minute canceling it in order to clear any existing entry for
the connection from any state tables, but no change (the log
entry above is actually the one that popped up right after
I cleared the SAM rule).
What changed between R55 and R65? Is this a bug? How do I get
this VPN back up (short of reconfiguring the end points and
having to add a whole bunch of routing to the network to
work it without NAT)?
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
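As an added example, not part of the original post and not a Check Point tool: a small Python parser for the "fw monitor" output quoted above. It groups the capture by IP id, reports where (if anywhere) the source or destination address changes between the four inspection points (i, I, o, O), and compares the source address seen leaving the box at O against the XlateSrc the log claims. With Check Point's default settings source translation is applied on the outbound side, so a working hide/static source NAT shows up as a src change between o and O; in the capture above the same 10.160.39.148 is present at all four points, which the check reports as disagreeing with the log. The second sample (RFC 5737 addresses) is constructed to show what a translated packet looks like. Grouping on the IP id alone, and treating redacted addresses like aaa.bbb.103.193 as opaque tokens, are simplifications for illustration.

```python
import re
from collections import defaultdict

# Packet header line of fw monitor output, e.g.
#   eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
# Addresses are matched as non-space tokens so redacted ones still parse.
PKT_RE = re.compile(
    r"^(?P<iface>\S+?):(?P<point>[iIoO])\[(?P<size>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)"
)
# The line that follows carries the ports, e.g. "UDP: 500 -> 500".
PORT_RE = re.compile(r"^(?P<proto>\w+):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

# Order in which one packet passes the four inspection points.
POINT_ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}

# Lines copied from the capture in the post (one packet, id 63313).
NO_NAT_SAMPLE = """
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
"""

# Constructed sample (not from the post): the same flow with source NAT
# actually applied on the outbound side, visible as a src change at O.
HIDE_NAT_SAMPLE = """
eth1:i[280]: 10.160.39.148 -> 198.51.100.193 (UDP) len=280 id=7001
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> 198.51.100.193 (UDP) len=280 id=7001
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> 198.51.100.193 (UDP) len=280 id=7001
UDP: 500 -> 500
eth0:O[280]: 203.0.113.243 -> 198.51.100.193 (UDP) len=280 id=7001
UDP: 500 -> 500
"""


def parse_fw_monitor(text):
    """Return {ip_id: [record, ...]} with records in inspection-point order.
    Non-packet lines (monitor: ..., prompts, Compiled OK.) are ignored."""
    packets = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PKT_RE.match(line)
        if m:
            current = m.groupdict()
            packets[current["id"]].append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["sport"] = m.group("sport")
            current["dport"] = m.group("dport")
    for recs in packets.values():
        recs.sort(key=lambda r: POINT_ORDER[r["point"]])
    return dict(packets)


def nat_transitions(records):
    """List (from_point, to_point, field, before, after) for every src/dst
    change between consecutive inspection points of one packet."""
    changes = []
    for a, b in zip(records, records[1:]):
        for field in ("src", "dst"):
            if a[field] != b[field]:
                changes.append((a["point"], b["point"], field, a[field], b[field]))
    return changes


def check_xlate(text, expected_xlate_src):
    """Compare the source address fw monitor shows at the last outbound point
    (O) with the XlateSrc the log claims. Returns {ip_id: (src_at_O, agrees)}."""
    result = {}
    for pid, recs in parse_fw_monitor(text).items():
        leaving = [r for r in recs if r["point"] == "O"]
        if leaving:
            src = leaving[-1]["src"]
            result[pid] = (src, src == expected_xlate_src)
    return result


if __name__ == "__main__":
    for label, sample, xlate in (("post capture", NO_NAT_SAMPLE, "ccc.ddd.86.243"),
                                 ("constructed NAT", HIDE_NAT_SAMPLE, "203.0.113.243")):
        for pid, recs in parse_fw_monitor(sample).items():
            print(label, "id", pid, "changes:", nat_transitions(recs))
        print(label, "log agreement:", check_xlate(sample, xlate))
```

Run it against a longer capture by pasting the fw monitor output into NO_NAT_SAMPLE (or reading it from a file); a packet whose src is unchanged at O while the log shows a NAT rule number is exactly the disagreement described in the post.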