Shivajith_S
Contributor

Hi All, can anyone guide?

[Expert@CTSG3Firewall]# tcpdump -nni any host 172.20.106.234
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:17:40.710318 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:43.716807 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:49.722827 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:18:00.721660 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:03.731702 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:09.737746 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags

Not receiving return traffic. While bypassing the firewall, the VPN client is able to connect; through the firewall I cannot see any return traffic.

Using firewall model Check Point 750 Small Business.

Can anyone guide me on further troubleshooting ideas?
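The capture above is the classic signature of one-way traffic: the client sends SYN, gets nothing back, and retransmits with a doubling back-off (about 3 s, then 6 s) before giving up and trying from a new source port. The following script is an added example (not part of the original post or of Check Point's tooling) that parses tcpdump text output, groups packets per client 4-tuple, and reports flows that only ever show SYNs with nothing in the reverse direction, together with the retransmit gaps. The sample capture is constructed: it reuses the six lines from the post plus a made-up healthy handshake on port 49524 so the filter has something to exclude.

```python
import re
from collections import defaultdict

# Constructed sample capture. The first six lines are the SYN-only flows from the
# original post; the last two lines are a constructed healthy handshake (port 49524)
# added so the classifier has a flow that did get a SYN-ACK back.
SAMPLE_CAPTURE = """\
19:17:40.710318 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:43.716807 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:17:49.722827 IP 10.25.153.3.49522 > 172.20.106.234.443: Flags [S], seq 2707150385, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:18:00.721660 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:03.731702 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:09.737746 IP 10.25.153.3.49523 > 172.20.106.234.443: Flags [S], seq 2812651852, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:18:20.100000 IP 10.25.153.3.49524 > 172.20.106.234.443: Flags [S], seq 1000, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:18:20.105000 IP 172.20.106.234.443 > 10.25.153.3.49524: Flags [S.], seq 2000, ack 1001, win 64240, options [mss 1460], length 0
"""

# One tcpdump line with -n: "HH:MM:SS.frac IP a.b.c.d.port > e.f.g.h.port: Flags [X], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def _seconds(ts):
    """Turn HH:MM:SS.frac into seconds since midnight (enough for gap arithmetic)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    """Yield (time, src, sport, dst, dport, flags) for every parseable TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (_seconds(m["ts"]), m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])


def one_way_flows(text, min_syn=2):
    """Return client->server flows that only ever show SYNs and no reverse packet.

    A flow is keyed on the client 4-tuple. Any packet seen in the reverse
    direction (SYN-ACK, RST, anything) removes it from the suspect list: the
    goal is to list connections for which the capture point saw no return
    traffic at all, not to judge why it is missing.
    """
    syn_times = defaultdict(list)
    seen = set()
    for t, src, sport, dst, dport, flags in parse_tcpdump(text):
        seen.add((src, sport, dst, dport))
        if flags == "S":
            syn_times[(src, sport, dst, dport)].append(t)

    result = []
    for (src, sport, dst, dport), times in sorted(syn_times.items()):
        if (dst, dport, src, sport) in seen:
            continue  # something came back, so this is not a one-way flow
        if len(times) < min_syn:
            continue  # a single SYN is not yet evidence of a retransmit pattern
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        result.append({"client": (src, sport), "server": (dst, dport),
                       "syn_count": len(times), "syn_gaps": gaps})
    return result


if __name__ == "__main__":
    for flow in one_way_flows(SAMPLE_CAPTURE):
        print(f"{flow['client']} -> {flow['server']}: "
              f"{flow['syn_count']} SYNs, gaps {flow['syn_gaps']}s, no reply seen")
```

Feed it `tcpdump -nn ... > capture.txt` output from the gateway and look at the gaps: a 3 s / 6 s doubling means the client never received a SYN-ACK and is in its own retransmit back-off. One more thing worth checking in such a capture: on Linux, `-i any` records a forwarded packet on both its ingress and its egress interface, so a SYN that appears only once per attempt is a hint that it never left the gateway, which is exactly where `fw monitor` (below in the thread) tells you which inspection point dropped it.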

9 Replies
Vladimir
Champion

Please be more specific:

What kind of VPN? IPSec or SSL?

VPN from where to where?

When you are bypassing firewall, are you unloading the policy or are physically bypassing it?

If second, what IP is assigned to the client and by which device?

Describe the topology of your setup.

0 Kudos
Shivajith_S
Contributor

Hi Vladimir,

Please find the topology below.

 

The arrows segregate both networks (2 different networks). There is no internet connection; there are 2 separate leased lines. With a different brand of FW the VPN client is able to connect. The same implementation was done with the Check Point firewall, using LAN 5 as shown in fig 5 instead of the WAN interface in fig 1.

All required rules are allowed (selected the Strict option). Able to ping up to the ISP interfaces; ICMP is not allowed to the dst IP. While trying to establish the VPN connection I can see outgoing traffic, for example PC A to dst IP 172.20.106.234, as per the logs shared before.

Same issue for both networks.

Not able to find where the incoming traffic is being dropped... The SSL VPN client is not connecting; it shows "not responded".

Firewall is a Check Point 750 Small Business firewall, R77.20.

Kindly share if you have any idea...

0 Kudos
Vladimir
Champion

"Strict" policy explicitly prohibits all internal networks from talking to each other, so we'll have to dig a bit to figure out what is going on.

The IP you are showing is an RFC1918 address, so you are not going over connections to ISPs, but over private lines that should be connected to other internal interfaces.

To verify, please include screenshots of:

Your routing settings:

Your configuration for ISP redundancy and NAT for the gateway, i.e.:

SSL Inspection Policy and Inspections:

And Firewall NAT policy settings (same screenshot as depicted here) and NAT Rules (3):

If the settings in the above section (2) are set to "On", turn it off, apply settings and try again.

Change Access Control Policy from "Strict" to "Standard" and attempt to establish SSL VPN.

For troubleshooting, use the "fw monitor" command (please look up the sk describing its usage). The iIoO chain depicts traversal of the firewall's interfaces.

[Expert@drawbridge]# fw monitor -e "src=172.20.106.234 or dst=72.30.35.10 ,accept;"
fw: getting filter (from command line)
fw: compiling
monitorfilter:
Compiled OK.
fw: loading
fw: monitoring (control-C to stop)
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=12540 seq=3195
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=12540 seq=3196
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=12540 seq=3197
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=12540 seq=3198

If changing the policy from "Strict" to "Standard" worked, look closer at the rules you've created while using "Strict" policy.
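The value of the iIoO output above is that each packet leaves a trail: i (pre-inbound), I (post-inbound), o (pre-outbound), O (post-outbound). A forwarded packet shows all four; a packet the inbound inspection chain drops (rulebase, anti-spoofing) shows i only; one that passes inbound but is never routed out shows i and I. The script below is an added example, not part of the reply above or of Check Point's tooling: it parses fw monitor text, follows each packet by its IP id through the chain, and names the furthest point it reached. The sample input is constructed from the id=13357 lines above plus a made-up id=50000 packet seen only at LAN1:i.

```python
import re
from collections import OrderedDict

# Constructed sample. The id=13357 lines are the fw monitor output from the reply
# above; id=50000 is a constructed packet seen at pre-inbound (i) only, which is
# how a packet dropped by inbound inspection (rulebase, anti-spoofing) appears.
SAMPLE_FW_MONITOR = """\
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=12540 seq=3195
[vs_0][fw_0] LAN1:i[60]: 10.25.153.3 -> 172.20.106.234 (TCP) len=52 id=50000
"""

# Header line of one fw monitor record; the protocol detail lines that follow
# each header (e.g. "ICMP: type=8 ...") are intentionally not matched.
LINE_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\] (?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)

# Inspection points in the order a forwarded packet passes them.
ORDER = "iIoO"
VERDICTS = {
    "i": "dropped_inbound",    # seen before inbound inspection only
    "I": "not_forwarded",      # passed inbound inspection, never reached outbound
    "o": "dropped_outbound",   # reached the outbound chain, never left
    "O": "forwarded",          # went out the egress interface
}


def track_packets(text):
    """Map IP id -> ordered list of 'IFACE:point' hops in the order fw monitor printed them.

    The IP id survives NAT (note the src rewrite at WAN:O above), which is why it is
    the key. IP ids do wrap and can collide across unrelated flows in a long capture;
    narrow the fw monitor filter (-e) to the flow of interest before relying on this.
    """
    chains = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            chains.setdefault(m["id"], []).append(f"{m['iface']}:{m['point']}")
    return chains


def diagnose(chain):
    """Return the verdict for the furthest inspection point a packet reached."""
    last = max((hop.split(":")[1] for hop in chain), key=ORDER.index)
    return VERDICTS[last]


def report(text):
    """IP id -> (hop chain, verdict) for every packet in the capture text."""
    return {pid: (chain, diagnose(chain))
            for pid, chain in track_packets(text).items()}


if __name__ == "__main__":
    for pid, (chain, verdict) in report(SAMPLE_FW_MONITOR).items():
        print(f"id={pid}: {' -> '.join(chain)} => {verdict}")
```

A "dropped_inbound" verdict on the SYN is the cue to check the inbound side first: the access rulebase and the anti-spoofing definition of the ingress interface (the thread's eventual root cause). One caveat from the tool's own semantics: packets handled by acceleration can skip kernel inspection points, so an incomplete chain on an otherwise working flow is not by itself proof of a drop.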

Shivajith_S
Contributor

  • In this scenario there is no ISP redundancy. Here PC A and PC B should communicate with their respective destinations as shown in the figure with arrows (marked 1 and 2 in the fig); 1 and 2 are separate networks.
  • That's why it was implemented with LAN 5 (separated from the LAN switch) and DMZ instead of using the WAN interface (for example 1 as shown in the fig).
  • Also tried with the Standard policy and with the WAN interface (instead of LAN 5) for Network 1: able to ping the directly connected ISP 1 interface. Cannot initiate VPN.
  • Only up to the firewall interface is under my control from the LAN PCs.
  • Routes are directly connected.
  • NAT is turned off as you mentioned.
  • The option you mentioned, SSL VPN inspection, I need to check on my side with HTTPS categorization mode to see how it is working.
  • With the same setup I will check with the Standard policy.

Thanks for your valuable replies.

0 Kudos
Kim_Moberg
Advisor

Hi


Does this relate to R80.10? Might be a bug.

https://community.checkpoint.com/thread/7267-tcpdump-r8010 


Thanks

Kim

Best Regards
Kim
0 Kudos
Vladimir
Champion

I do not think 750 appliances are capable of running R80.10.

My money is on simple configuration error.

0 Kudos
Normen_Sam-Sin3
Explorer

Nah, those 700 SMB GWs are running on Gaia Embedded R77.20.x and not (yet) on R80.

0 Kudos
Kim_Moberg
Advisor

I just saw you were using tcpdump with parameter -Penni and it also generated an error. Tim Hall found this to be a bug. I don't know if this could be the issue.

I would have removed the parameter first to see if traffic flows as expected.

I think Vladimir Yakovlev has a point about a misconfiguration.

Thanks

Kim


Best Regards
Kim
0 Kudos
Shivajith_S
Contributor

Hi All, thanks for giving valuable info. Special thanks to Vladimir.

The issue got resolved; it was because of anti-spoofing dropping. Also modified the routing and policy configuration. Now it is working with Strict mode. In the CLI, globally disabled the anti-spoofing.
