https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213558#M35320 <P>for some reasons so I have to use old ver&nbsp;</P><P>This is simple topo&nbsp;</P><P>&nbsp;</P> Wed, 08 May 2024 01:31:55 GMT Sacmaugacon 2024-05-08T01:31:55Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213537#M35316 <P>Hi every one,</P><P>Now I using CP VM and R77 smart dashboard</P><P>I have 2 subnets /24 on 2 eth, open policy any port.</P><P>everything appear normal, 2 hosts can ping and telnet each other on any port, but about 30 minutes after, 2 hosts on 2 subnets cant telnet on any port although they can still ping and trace routes each other follow the correct path.</P><P>When I reboot FW, every thing works fine again, but issue persists afterward.</P><P>I need assistance</P> Tue, 07 May 2024 21:09:31 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213537#M35316 Sacmaugacon 2024-05-07T21:09:31Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213545#M35317 <P>Do you have simple diagram? Even "paint" will do : - )</P> <P>Btw, Im sure you know R77 is way out of support, but this appears to be hopefully something simple, lets see. When issue is happening, can you do basic zdebug to see if fw is dropping anything? Is traffic being accepted on desired rule?</P> <P>Andy</P> Tue, 07 May 2024 22:59:50 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213545#M35317 the_rock 2024-05-07T22:59:50Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213549#M35318 <P>Why are using a release that has been End of Support for several years now?<BR />The most current (and recommended) release is R81.20.</P> Tue, 07 May 2024 23:27:26 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213549#M35318 PhoneBoy 2024-05-07T23:27:26Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213558#M35320 <P>for some reasons so I have to use old ver&nbsp;</P><P>This is simple topo&nbsp;</P><P>&nbsp;</P> Wed, 08 May 2024 01:31:55 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213558#M35320 Sacmaugacon 2024-05-08T01:31:55Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213559#M35321 <P>Where are you doing the 802.1Q trunking here: in VMware or in the VM itself?<BR />I can't imagine the later will go well.&nbsp;<BR />What are the precise specs of the VM you installed? This includes:</P> <UL> <LI>Disk space</LI> <LI>RAM</LI> <LI>Number of CPUs</LI> <LI>NIC Driver Types</LI> <LI>OS Type (In VMware, specify RHEL 5 for best results)</LI> </UL> <P>I would execute a tcpdump from the gateway when the problem is occurring to see if the traffic is actually getting to/from the gateway.</P> Wed, 08 May 2024 01:44:20 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213559#M35321 PhoneBoy 2024-05-08T01:44:20Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213565#M35324 <P>I trunking on uplink server</P><P>with VM, 4 cores. 8GB RAM, add 2 Network adapter for 2 vlan 105 and 106.<BR /><SPAN>when the problem is occurring, tcpdump -i eth5 host 10.0.105.105 and host 10.0.106.106, there traffic from 10.0.105.105 but no reply from 10.0.106.106, yet there are no logs on the firewall. icmp still has traffic</SPAN><BR /><BR /></P> Wed, 08 May 2024 03:49:09 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213565#M35324 Sacmaugacon 2024-05-08T03:49:09Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213566#M35325 <P>From what you're saying, you're tcpdumping on the egress interface of the C2S side of the connection and not seeing a reply, so the traffic is passing through and leaving the gateway. Troubleshooting needs to move further along the network to see where it's failing.&nbsp;</P> Wed, 08 May 2024 04:13:36 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213566#M35325 emmap 2024-05-08T04:13:36Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213568#M35326 <P>I try again<BR />When I telnet from 10.0.105.105 to 10.0.106.106<BR />TCP dump on eth2 , there&nbsp;<SPAN>traffic from 10.0.105.105&nbsp;to 10.0.106.106&nbsp;</SPAN></P><P><SPAN>TCP dump oneth5,&nbsp;<STRONG>there no traffic</STRONG> from 10.0.105.105&nbsp;to 10.0.106.106&nbsp;<BR />So&nbsp; is there any issue with the firewall</SPAN></P><P>&nbsp;</P> Wed, 08 May 2024 04:57:19 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213568#M35326 Sacmaugacon 2024-05-08T04:57:19Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213570#M35327 <P>Does the command 'fw ctl zdebug drop' work on that version? It's been so long I don't remember. If it does, it should why the gateway is dropping packets.&nbsp;</P> Wed, 08 May 2024 05:27:30 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213570#M35327 emmap 2024-05-08T05:27:30Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213571#M35328 <P><SPAN>Expert# fw ctl zdebug drop | grep 10.0.106.106</SPAN></P><P>fw_log_drop_ex: Packet proto=6 10.0.105.105:43571 -&gt; 10.0.106.106:3389 dropped by fw_runfilter_ex Reason: F_INDOM;<BR /><BR /></P><P>So how to fix this bug&nbsp;</P> Wed, 08 May 2024 05:45:57 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213571#M35328 Sacmaugacon 2024-05-08T05:45:57Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213573#M35330 <P>Do you have any domain objects configured / in the policy? If so, try removing them.&nbsp;</P> Wed, 08 May 2024 05:59:08 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213573#M35330 emmap 2024-05-08T05:59:08Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213582#M35336 <P>&nbsp;tks&nbsp; vrm&nbsp;<SPAN>&nbsp;</SPAN><A class="" href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/71054" target="_self"><SPAN class="">emmap</SPAN></A>, it done :)))</P> Wed, 08 May 2024 06:30:56 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213582#M35336 Sacmaugacon 2024-05-08T06:30:56Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213619#M35347 <P>Was that it?</P> Wed, 08 May 2024 11:10:06 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213619#M35347 the_rock 2024-05-08T11:10:06Z https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213698#M35361 <P>The reason&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/71054">@emmap</a>&nbsp;suggested removing Domain Objects is:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk31757" target="_blank">https://support.checkpoint.com/results/sk/sk31757</A><BR />Which is reasonable because I would not recommend using non-FQDN Domain Objects, which were the only option prior to R80.10.</P> Wed, 08 May 2024 22:55:22 GMT https://community.checkpoint.com/t5/General-Topics/The-connection-between-subnets-is-lost/m-p/213698#M35361 PhoneBoy 2024-05-08T22:55:22Z