topic R80.30 and HFA 195 - TCP state logging stopped working in General Topics

R80.30 and HFA 195 - TCP state logging stopped working

Maciej_Krol — Thu, 28 May 2020 15:31:52 GMT

Hi,

after update from R80.30 HFA140 to R80.30 HFA195 I see that TCP state logging stopped working. In logs I see just “SYN sent” even if the TCP session is successful.

I tried to disable Secure XL (fwaccel off) and that resolves the issue. Problem is that in R80.30 option to disable SecureXl permanently simply doesn`t exist. Do you have any idea how to disable SecureXL permanently or have correct tcp state logging with SexureXL enabled? I would like to have working TCP state logging all the time which is crucial during quick troubleshooting basing on Smartlog (instead of packet capture). Thanks.

/BR

Re: R80.30 and HFA 195 - TCP state logging stopped working

PhoneBoy — Thu, 28 May 2020 16:30:50 GMT

We removed the ability to permanently disable SecureXL in R80.20.
If the solution to your problem involves disabling SecureXL, it's a bug and you should open a TAC case.

Re: R80.30 and HFA 195 - TCP state logging stopped working

Maciej_Krol — Thu, 28 May 2020 16:37:40 GMT

Thank you for the quick reply PhoneBoy. I`ve opened a case 22nd of May (just after an upgrade), but unfortunately I have to say that support is not very responsive :\. Support "ping-pong" as usual, no quick hints at all. If you could help regarding this then I can provide you a service request number. Thanks!

Re: R80.30 and HFA 195 - TCP state logging stopped working

PhoneBoy — Thu, 28 May 2020 20:15:14 GMT

Can you send me the TAC SR in a PM?
I'll have someone look at it.

Re: R80.30 and HFA 195 - TCP state logging stopped working

Maciej_Krol — Thu, 28 May 2020 21:58:04 GMT

@PhoneBoy, I`ve sent the SR number in a PM, Thanks!

Re: R80.30 and HFA 195 - TCP state logging stopped working

_Val_ — Fri, 29 May 2020 07:34:14 GMT

There are two options:

sk162492 or sk104468

Re: R80.30 and HFA 195 - TCP state logging stopped working

Maciej_Krol — Fri, 29 May 2020 10:10:35 GMT

Hi Valeri,

I`ve a quite simple scenario for testing this. I`ve a tool which periodically does "telnet 1.2.3.4 443" over IPSEC tunnel to ensure that this is up. Source address is NAT`ed. The issue is very easy to replicate:

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

Smartlog for the connection try:

Tcp State Both FIN

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

Smartlog for the connection try:

Tcp State SYN sent

Of course after "fwaccel on" "telnet 1.2.3.4 443" is still successful, just Tcp State logging doesn`t show correct TCP state.

Case related to 1.2.3.4 is not just single address issue. When SecureXL is enabled we have problems with correct TCP state logging regarding many connections.

@_Val_ thank you for the suggestions. I`ve reviewed the SK`s.

sk162492

Disabling the SecureXL immediately resolves the issue which in my opinion confirms that there is bug in HFA195. In HFA140 TCP state logging worked correctly with SecureXL enabled.

sk104468

I would like to have correct TCP state logging for all traffic. I suspect that SecureXL exception for 0.0.0.0/0 is probably not a good idea?

Re: R80.30 and HFA 195 - TCP state logging stopped working

_Val_ — Fri, 29 May 2020 10:20:46 GMT

1. If disabling acceleration fixed the issue, open TAC case at once.

2. No, not a good idea at all 🙂

Re: R80.30 and HFA 195 - TCP state logging stopped working

Maciej_Krol — Fri, 29 May 2020 10:42:10 GMT

Sure, I opened a case just after upgrade to HFA195 on 22nd of May, but for now there is no resolution.