This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2023-10-12 10:16 AM

Facing weird issue with Route based tunnels and traffic is getting dropped

Hello,

This is again I stuck in same issue and not sure how to troubleshoot. I built a VTI tunnel and traffic is getting dropped with below messages.

I turned off

vpn accel

fwaccel off

disabled few parameters with fw ctl set int but in vain.

Any idea how do I handle this?

 

PPAK 0: Get before set operation succeeded of simple_debug_filter_off
[Expert@LPCPNETCORE-FW:0]# fw ctl zdebug + drop | grep 10.255.255.1
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';
@;3131804750;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1
10.255.255.1:476 -> 192.168.2.7:0 dropped by fw_send_log_drop Reason:
Rulebase drop - dropped due to 'drop optimization';

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-10-12 10:36 AM

Not sure if it could be related, but maybe check below settings. If its enabled, maybe disable it and install the policy to see if it changes the behavior.

Andy

[Expert@CP-gw:0]# fw ctl get int fwkern_optimize_drops_support
fwkern_optimize_drops_support = 1
[Expert@CP-gw:0]#

 

Screenshot_1.png

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-10-12 10:41 AM
In response to the_rock

Nah man - That is already done but no luck.

Drop Optimization is not enabled. In fact you and I had a previous thread on similar topic, eventually it ended or resolved on it own 😞

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-10-12 11:11 AM
In response to Blason_R

One thing I find odd from the drops is that it keeps saying rulebase drop, yet, there is no rule mentioned. 192.168.2.7, thats host on the other end?

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-10-12 03:20 PM

Hmm sounds to me like the firewall expired or has otherwise lost state for the existing ICMP "connection" between 10.255.255.1 and 192.168.2.7, which was probably initiated by 192.168.2.7,   However 10.255.255.1 does not know this and is still trying to use the dead connection to send replies.  Because it does not match anything in the state table, a rulebase lookup occurs and column-based matching has thrown out all possible rules with an accept action thus leaving only drops, and does not bother to figure out which rule will drop it to save resources as it doesn't matter anyway, since I suspect 10.255.255.1 is not allowed to initiate pings to 192.168.2.7.

fw ctl conntab | grep 10.255.255.1 can be used to see the current idle timer for that ICMP "connection", if Aggressive Aging is enabled the connection may get expired early if the firewall is running short of resources.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-10-12 06:12 PM
In response to Timothy_Hall

Well forgot to mention or not sure if that would be useful. 10.255.255.1 is a tunnel interface of peer and I have 10.255.255.2. 

192.168.2.7 is my lan server. And they are initiating a connection from that peer hence 10.255.255.1 which is an egress interface of that device is being used and those are the packets getting originated from the peer.

Thats a good insight and let me try looking 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-10-12 07:34 PM
In response to Blason_R

Whats the other side? AWS, Azure?

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-10-12 07:40 PM
In response to the_rock

Nope a SDWAN router from versa.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events