https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209251#M39643 <P><SPAN>Hi all,</SPAN></P><P>&nbsp;</P><P><SPAN>I have an issue with a connection that should be NATed.</SPAN></P><P><SPAN>The NAT that should be applied on a connection between 10.1.1.82 and 10.1.1.154 does not work:</SPAN></P><P>&nbsp;</P><P><SPAN>fw monitor -p all -e "accept(host(10.1.1.154));"</SPAN></P><P><SPAN>[vs_0][fw_2] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -&gt; 10.1.1.154 (50) len=104 id=5411</SPAN><BR /><BR /></P><P>&nbsp;</P><P><SPAN>A working connection shows this as next step:</SPAN></P><P><SPAN>[vs_0][fw_3] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -&gt; 172.1.1.7 (50) len=152 id=5014</SPAN><BR /><SPAN>[vs_0][fw_3] bond1.280:I17 (RTM packet in)[44]: 10.1.1.82 -&gt; 84.1.1.93 (50) len=152 id=5014</SPAN><BR /><BR /><BR /></P><P>So it looks like in the first scenario the processing stopped at chain module "<SPAN>fw post VM inbound".</SPAN></P><P><SPAN>It was working before but since we reapplied multi-queuing config on this cluster it stopped working.</SPAN></P><P><SPAN><BR />Any idea why ?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks Thomas</SPAN></P><P><SPAN>PS: Running R81.10</SPAN></P><P>&nbsp;</P> Wed, 20 Mar 2024 10:32:26 GMT TomShanti 2024-03-20T10:32:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209251#M39643 <P><SPAN>Hi all,</SPAN></P><P>&nbsp;</P><P><SPAN>I have an issue with a connection that should be NATed.</SPAN></P><P><SPAN>The NAT that should be applied on a connection between 10.1.1.82 and 10.1.1.154 does not work:</SPAN></P><P>&nbsp;</P><P><SPAN>fw monitor -p all -e "accept(host(10.1.1.154));"</SPAN></P><P><SPAN>[vs_0][fw_2] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -&gt; 10.1.1.154 (50) len=104 id=5411</SPAN><BR /><BR /></P><P>&nbsp;</P><P><SPAN>A working connection shows this as next step:</SPAN></P><P><SPAN>[vs_0][fw_3] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -&gt; 172.1.1.7 (50) len=152 id=5014</SPAN><BR /><SPAN>[vs_0][fw_3] bond1.280:I17 (RTM packet in)[44]: 10.1.1.82 -&gt; 84.1.1.93 (50) len=152 id=5014</SPAN><BR /><BR /><BR /></P><P>So it looks like in the first scenario the processing stopped at chain module "<SPAN>fw post VM inbound".</SPAN></P><P><SPAN>It was working before but since we reapplied multi-queuing config on this cluster it stopped working.</SPAN></P><P><SPAN><BR />Any idea why ?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks Thomas</SPAN></P><P><SPAN>PS: Running R81.10</SPAN></P><P>&nbsp;</P> Wed, 20 Mar 2024 10:32:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209251#M39643 TomShanti 2024-03-20T10:32:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209283#M39645 <P>Most likely, you're going to need to enable kernel debugs to see where the traffic goes (and why).<BR />Might need the TAC to help you figure out the correct debug flags to use here (and fix the underlying problem, of course):&nbsp;<A href="https://support.checkpoint.com/results/sk/sk98799" target="_blank">https://support.checkpoint.com/results/sk/sk98799</A>&nbsp;<BR /><BR /></P> Wed, 20 Mar 2024 14:09:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209283#M39645 PhoneBoy 2024-03-20T14:09:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209299#M39646 <P>Try running <STRONG>fw ctl zdebug drop</STRONG> while the traffic is not working, this will show you all live drops by any Check Point code along with a reason, even if it is not being logged.</P> Wed, 20 Mar 2024 15:07:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209299#M39646 Timothy_Hall 2024-03-20T15:07:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209304#M39650 <P>I would definitely do zdebug, to start with. Just to be 100% sure, can you remove multi q config and see if it works again?</P> <P>Andy</P> Wed, 20 Mar 2024 16:43:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209304#M39650 the_rock 2024-03-20T16:43:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209742#M39757 <P>1. it's better to use: fw monitor -p all -F "0,0,10.1.1.154,0,0"</P> <P>2. i also suggest to use 'fw ctl zdebug + drop" | grep 10.1.1.154</P> <P>&nbsp;</P> Tue, 26 Mar 2024 18:20:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209742#M39757 AmirArama 2024-03-26T18:20:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209763#M39761 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/34522">@TomShanti</a>&nbsp;if you are going to attempt to run a <STRONG>fw monitor -F</STRONG> and a <STRONG>fw ctl zdebug + drop</STRONG> simultaneously, be aware that you must do so in a particular order to keep the two commands from stepping on each other and causing problematic results.&nbsp; See here:&nbsp;&nbsp;<A href="https://community.checkpoint.com/t5/Security-Gateways/Max-Capture-Update-2-Debug-Filter-Battle-fw-monitor-F-vs-fw-ctl/m-p/147374" target="_blank" rel="noopener"><SPAN>Max Capture Update 2: Debug Filter Battle -- fw monitor -F vs. fw ctl zdebug + drop</SPAN></A></P> Tue, 26 Mar 2024 23:51:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Packet-processing-stops-after-chain-module-quot-fw-post-VM/m-p/209763#M39761 Timothy_Hall 2024-03-26T23:51:34Z