topic Re: Fw Monitor Command doesn´t show Virtual system traffic in General Topics

Fw Monitor Command doesn´t show Virtual system traffic

Albottini — Fri, 10 Dec 2021 19:17:10 GMT

hello Guys! i´m having some issues troubleshooting a Site to Site VPN Traffic,

i have a Virtual system to all my Site to Site VPN on a cluster with r80.40 OS, both cluster gateways are 23500 series,

i need to check some specific incoming and outgoing traffic that pass trough a client´s Site to Site VPN,

The problem:

i can see traffic with the graphic interface named logs and monitor but only http and https traffic,

i´m doing a ping from the source (172.27.0.34) to destination (10.8.0.6) and i don´t see it, on logs and monitor

also the ping request don´t have any response ( timeout for this request)

the firewall have two virtual interfaces ( wrp256 to inside traffic and wrp257 to outside traffic) , i´m trying to use tcpdump on that interfaces and don´t show nothing ,

what i´m typing: (tcpdump -i wrp256 | grep 172.27.0.34) and (tcpdump -i wrp257 | grep 10.8.0.6)

i´m also trying to use:

fw monitor -v4 -F "172.27.0.34,0,10.80.6,0,0" and doesn´t work either (the command only shows my ssh connection to the active vsx gateway of the cluster = 10.1.250.246 is the active cluster gateway and 180.183.70.39 is my pc)

i think i´m doing something wrong when i´m typing the commands can you help me guys?

Re: Fw Monitor Command doesn´t show Virtual system traffic

KostasGR — Sat, 11 Dec 2021 07:36:50 GMT

Hello @Albottini

You can try

fw monitor -v < VSID > -e < expression >

And

tcpdump -i wrp256 on one session

and

tcpdump -i wrp257 on another.

BR,
Kostas

Re: Fw Monitor Command doesn´t show Virtual system traffic

Oliver_Fink — Sat, 11 Dec 2021 14:10:58 GMT

"10.80.6" does not look like a valid IP to me. Should it be "10.8.0.6" instead?

Re: Fw Monitor Command doesn´t show Virtual system traffic

Timothy_Hall — Sat, 11 Dec 2021 14:37:39 GMT

Oliver is correct @KostasGR, you must specify a valid IP address in a fw monitor -F filter and cannot leave the last octet off hoping to match the first three octets, nor can you use CIDR notation (/24) nor any kind of wildcard like * or ?. Also keep in mind that ICMP traffic is never accelerated by SecureXL and will always go F2F.

However as noted in my Max Capture video series (the relevant page is below), tcpdump/cppcap won't usually give you a complete capture (or perhaps not even show any packets at all) when used on a Wrp interface due to a SecureXL feature called "warp jump". The recommendation for successfully capturing traffic on a Wrp interface according to the various SKs is to use "fw monitor", but those SKs do not specify whether to use the -e option (which captures inside F2F/INSPECT) or -F (which captures packets in sim/SecureXL).

I would think that fw monitor -F would show the packets you need on a Wrp interface if given a proper filtering syntax, but there is the possibility you'll need to to disable SecureXL completely (or exclude the desired traffic from SecureXL acceleration via steps in sk104468) and use fw monitor -e instead.

Re: Fw Monitor Command doesn´t show Virtual system traffic

Albottini — Wed, 15 Dec 2021 13:55:52 GMT

the ip is 10.8.0.6 it was a typing error

Re: Fw Monitor Command doesn´t show Virtual system traffic

Albottini — Wed, 15 Dec 2021 13:57:46 GMT

hello it was a typing error the ip is 10.8.0.6

Re: Fw Monitor Command doesn´t show Virtual system traffic

Albottini — Thu, 16 Dec 2021 12:05:17 GMT

where can i find a cppcap user guide ?

Re: Fw Monitor Command doesn´t show Virtual system traffic

Timothy_Hall — Thu, 16 Dec 2021 13:05:40 GMT

The main documentation is the SK for cppcap:

sk141412: Running tcpdump causes high CPU usage - Introducing cppcap

Beyond that the most extensive documentation would be my "Max Capture: Know your packets" self-guided video series which has lots of use cases, examples, and a compare/contrast with the other three capturing tools (tcpdump, fw monitor -e, and fw monitor -F).