topic Cannot Ping firewall outside interface IPV6 from inside host in General Topics

Cannot Ping firewall outside interface IPV6 from inside host

Ankur_Datta — Wed, 13 Mar 2019 06:46:10 GMT

Hi Moderators,

In our production environment, we are deploying IPv6 addressing. For testing purpose, we configured 1 server on Ipv6 address and configured Ipv6 addresses on firewall as well. The server is able to reach internet but cannot ping firewall outside IPv6 IP.

The rule allows all services from server to firewall.

IPV6 IP is also configured on gateway object.

We are getting accept logs when view in smart tracker.

When i run fw ctl zdebug + drop. I get following:

dropped by fw_handle_first_packet Reason: fwconn_key_init_links (INBOUND) failed

I checked sk86984 but this for custom port.

Kindly please guide.

Re: Cannot Ping firewall outside interface IPV6 from inside host

Jerry — Wed, 13 Mar 2019 08:15:57 GMT

have you checked the ND routing on your gateways?
cross check the ::/masking on both. it is very usual mistake mate.
make sure that apart from icmp also tcp/udp packets flies in between the gateways (check the zdebug/logs (eld if needed) as well as fw monitor cpd/fwm traffic inter-crossing. ipv6 is tricky on CP and everywone knows that but believe me or not it is working 🙂

Re: Cannot Ping firewall outside interface IPV6 from inside host

Jerry — Wed, 13 Mar 2019 08:27:55 GMT

and what about this SK ?

sk102390: IPv6 ICMP traffic is dropped by "0 - Implied Rules"

Re: Cannot Ping firewall outside interface IPV6 from inside host

Ankur_Datta — Wed, 13 Mar 2019 09:26:06 GMT

Hi Jerry,

Routing is fine on gateway. The inside host is in a connected subnet. I can reach host Ipv6 IP from firewall. I will check the masking.

Regarding SK, its for gateway till R77.20.

Our gateway version is R77.30.

One more thing we found today. If we remove IPv6 and keep IPV4 only address. Server can't ping standby GW outside interface.

traffic is going to primary firewall and then doesn't go out of outside interface.

in Fw monitor i am getting i & I.

tcpdump shows echo request received on inside interface but no leaving traffic from outside interface.

logs says firewall is accepting the traffic.

Fw ctl zdebug + drop gives another reason for packet drop.

dropped by fwchain_reject_mtu Reason: rejected

I checked sk119154, symptoms are same but we are not using VPN blade. Only firewall blade is being used.

Re: Cannot Ping firewall outside interface IPV6 from inside host

Ankur_Datta — Fri, 15 Mar 2019 06:29:43 GMT

Anyone please guide about this error:

dropped by fwchain_reject_mtu Reason: rejected

Re: Cannot Ping firewall outside interface IPV6 from inside host

Jerry — Fri, 15 Mar 2019 08:15:52 GMT

sk119154

Symptoms

•Cannot connect to the Standby member from a non-local subnet (source and destination are not on the same subnet).
•Connecting to the Standby member from a local subnet (source and destination are on the same subnet) works.
•When running # fw ctl zdebug drop on the Standby member, the following line can be seen:
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 2.2.2.2:443 -> 20.0.0.1:58522 dropped by fwchain_reject_mtu Reason: rejected;

Cause

Environment: VPN Visitor Mode is enabled on port 443.

When Visitor Mode is enabled, the Standby member will reject all traffic sent to it via the Visitor Mode port.

By default, Visitor Mode is enabled on port 443.