topic Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer in General Topics

TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

Di_Junior — Thu, 07 Feb 2019 17:41:18 GMT

Dear Mates

I need a hand.

We are currently having an issue with one of our application that is accessed through Check Point Endpoint Security. The application is behind a loadbalancer which then distributes the traffic to the servers where the applications are running.

We are doing NAT of the Office Pool with the VPN gateway internal address. So the IP that reaches the Load balancer is the IP of the VPN Gateway, which is then NATTed by the load balancer.

The issue is that the application sometimes works and other times it stops working. I did capture the traffic when it stops working, and the message i see is:

[Expert Info (Note/Sequence): A new tcp session is started with the same ports as an earlier session in this trace]
[A new tcp session is started with the same ports as an earlier session in this trace]

10.25.193.214 is the IP of the Loadbalancer

192.168.1.1 is the IP of the RA VPN gateway

I need an help to know if the port is being reused by the Firewall or the LoadBalancer. and How this situation could be resolved.

Thanks in advance

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

PhoneBoy — Fri, 08 Feb 2019 20:48:43 GMT

The client is the one who determines what source port is being used.

When HIDE NAT is being used, it's a combination of the client and the NAT gateway.

Specifically, the NAT gateway will allocate a new port when a new connection is established through the gateway.

Presumably, in the case where the client reuses the same source ip/port to the same destination ip/port, you are triggering "connection reuse."

Do you see any messages related to this in your logs?

Maybe this feature needs to be disabled.

See: "Smart Connection Reuse" feature modifies some SYN packets

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

Timothy_Hall — Fri, 08 Feb 2019 20:55:28 GMT

The Check Point does indeed re-use ports, please check out the following:

sk24960: "Smart Connection Reuse" feature modifies some SYN packets

sk103656: Dynamic NAT port allocation feature

For that second SK, you'll want to look at the fwx_nat_dynamic_port_allocation_entry_timeout variable specifically.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

Di_Junior — Sat, 09 Feb 2019 21:31:29 GMT

Hi Dameon Welch-Abernathy

I now check the log and the traffic is logged as shown bellow.

Any idea on how this could be overcomed?

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

Di_Junior — Sun, 10 Feb 2019 00:22:43 GMT

Hi All

After an interaction with Check Point TAC, it was discovered that the http traffic was not being synchronized between the cluster members (we use LS unicat mode).

After changing the protocol propertiies, the application started working as expected.

Thanks

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

PhoneBoy — Sun, 10 Feb 2019 04:56:33 GMT

That might cause the issue you saw in the logs

Re: TCP port reuse between Check Point Remote Access Gateway and Loadbalancer

Timothy_Hall — Sun, 10 Feb 2019 15:44:31 GMT

Yeah, disabling state sync for services in any kind of Load Sharing deployment is not a good idea. In HA (active/standby) it can be used to reduce utilization in the sync network and CPU overhead quite a bit. Also don't try to upgrade your gateway to R80.20, as both forms of ClusterXL Load Sharing are not supported at this time.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com