Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ankur_Datta
Collaborator

Cannot Ping firewall outside interface IPV6 from inside host

Hi Moderators,

In our production environment, we are deploying IPv6 addressing.  For testing purpose, we configured 1 server on Ipv6 address and configured Ipv6 addresses on firewall as well. The server is able to reach internet but cannot ping firewall outside IPv6 IP. 

The rule allows all services from server to firewall.

IPV6 IP is also configured on gateway object. 

We are getting accept logs when view in smart tracker.

When i run fw ctl zdebug + drop. I get following:

dropped by fw_handle_first_packet Reason: fwconn_key_init_links (INBOUND) failed

 

I checked sk86984 but this for custom port.

 

Kindly please guide.

5 Replies
Jerry
Mentor
Mentor

have you checked the ND routing on your gateways?
cross check the ::/masking on both. it is very usual mistake mate.
make sure that apart from icmp also tcp/udp packets flies in between the gateways (check the zdebug/logs (eld if needed) as well as fw monitor cpd/fwm traffic inter-crossing. ipv6 is tricky on CP and everywone knows that but believe me or not it is working 🙂
Jerry
0 Kudos
Ankur_Datta
Collaborator

Hi Jerry,

 

Routing is fine on gateway. The inside host is in a connected subnet. I can reach host Ipv6 IP from firewall. I will check the masking. 

Regarding SK, its for gateway till R77.20. 

Our gateway version is R77.30.

One more thing we found today. If we remove IPv6 and keep IPV4 only address. Server can't ping standby GW outside interface. 

traffic is going to primary firewall and then doesn't go out of outside interface.

in Fw monitor i am getting i & I. 

tcpdump shows echo request received on inside interface but no leaving traffic from outside interface.

logs says firewall is accepting the traffic.

Fw ctl zdebug + drop gives another reason for packet drop.

 dropped by fwchain_reject_mtu Reason: rejected

I checked sk119154, symptoms are same but we are not using VPN blade. Only firewall blade is being used.

 

 

0 Kudos
Ankur_Datta
Collaborator

Anyone please guide about this error:

 

dropped by fwchain_reject_mtu Reason: rejected

0 Kudos
Jerry
Mentor
Mentor

sk119154

Symptoms

•Cannot connect to the Standby member from a non-local subnet (source and destination are not on the same subnet).
•Connecting to the Standby member from a local subnet (source and destination are on the same subnet) works.
•When running # fw ctl zdebug drop on the Standby member, the following line can be seen:
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 2.2.2.2:443 -> 20.0.0.1:58522 dropped by fwchain_reject_mtu Reason: rejected;



Cause


Environment: VPN Visitor Mode is enabled on port 443.

When Visitor Mode is enabled, the Standby member will reject all traffic sent to it via the Visitor Mode port.

By default, Visitor Mode is enabled on port 443.
Jerry
(1)
Jerry
Mentor
Mentor

and what about this SK ?

sk102390: IPv6 ICMP traffic is dropped by "0 - Implied Rules"
Jerry
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events