topic Re: ICMP not leaving the firewall in Firewall and Security Management

ICMP not leaving the firewall

Logesh8 — Tue, 16 Aug 2022 16:18:30 GMT

Hello,

When I did a troubleshooting, I saw the weird response. Assume, Network device D1 is connected to CP firewall Interface eth1 and Network device D2 is connected to eth2 Interface. When Ping initiated from D1 to D2, I see packet entering eth1 and leaving eth2 and when got the response back, I see the response on eth2 but its not reached eth1. It observed via both FW monitor and TCPDUMP. Unfortunately, I am not seeing any drop by issuing command debug drop command.

Please suggest if you came across any.

Thank you in advance.

Re: ICMP not leaving the firewall

Bob_Zimmerman — Tue, 16 Aug 2022 18:17:41 GMT

What does the fw monitor show? i with no I? i-I with no o? i-I-o with no O? Something else?

Re: ICMP not leaving the firewall

Logesh8 — Wed, 17 Aug 2022 07:35:50 GMT

Hi,

I see the ICMP reply back on eth2 with "i" and "I" but I did not see "o" and "O".

Thank you

Re: ICMP not leaving the firewall

AndréTinoco — Wed, 17 Aug 2022 15:02:13 GMT

Hey!

There can be an issue with IP Forwarding on the interface. Can you paste the output of this command:

sysctl -a | grep forward | grep -v "mc_forwarding" | grep "= 0"

Regards,

André Tinoco

Re: ICMP not leaving the firewall

Logesh8 — Wed, 17 Aug 2022 15:08:13 GMT

HI Andre,

Thank you and sure.

Re: ICMP not leaving the firewall

Bob_Zimmerman — Thu, 18 Aug 2022 17:48:09 GMT

That means a routing problem. On the firewall, run 'ip route get <address>' for the destination of the reply (the client which sent the initial packet). Does it tell you traffic would go out the interface you expect?

Re: ICMP not leaving the firewall

the_rock — Thu, 18 Aug 2022 18:04:48 GMT

Agree with @Bob_Zimmerman

Re: ICMP not leaving the firewall

AndréTinoco — Fri, 19 Aug 2022 08:02:54 GMT

It might be routing problem, but for what Logesh8 wrote, the devices are directly connected to the interfaces. Should not have routing issue there.

@Logesh8 Can you elaborate on the topology? If there is routing involved, and the device is not directly connected, then Bob is probably right and you are missing the return route for that traffic.

Re: ICMP not leaving the firewall

Logesh8 — Fri, 19 Aug 2022 08:57:00 GMT

@Bob_Zimmerman , I have scheduled a troubleshooting call on Monday. I will give you more information.

Re: ICMP not leaving the firewall

Logesh8 — Fri, 19 Aug 2022 08:58:17 GMT

@AndréTinoco , Sure I will provide you more information about topology soon.

Re: ICMP not leaving the firewall

Markus_Genser — Fri, 19 Aug 2022 09:47:27 GMT

Hey just my two cents as you say both devices are directly connected and I assume firewall policy and anti-spoofing have been checked, did you check the subnet masks on both ports?

Not that the firewall isn't forwarding the traffic as it's assuming the subnet range belongs to eth2.

BR,

Markus

Re: ICMP not leaving the firewall

Logesh8 — Mon, 22 Aug 2022 17:04:36 GMT

Hi,

Yes checked.. When we run tcpdump for physical interface of the switch and router. Output is perfect but not the same when we run tcpdump for loopback IPs of switch and router.

Re: ICMP not leaving the firewall

Logesh8 — Mon, 22 Aug 2022 17:05:18 GMT

Hi, PFO,

net.bridge.lacp_forwarding = 0
net.ipv4.ip_forward_use_pmtu = 0

Re: ICMP not leaving the firewall

Logesh8 — Mon, 22 Aug 2022 17:06:18 GMT

Hi, IP route get shows the correct Interface details.