This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sanjay_S
Advisor
‎2020-07-14 05:08 AM

Issue with one particular IP

Hi All,

We are facing a weird issue with a particular IP accessing the ip in other subnet.

Example:

Host1 - 10.10.10.10 - Behind interface eth1.10

Host2 - 20.20.20.20 - Behind interface eth1.20

When we ping from 10.10.10.10 to 20.20.20.20 the access is not working.

when i run tcpdump on eth1.10 i can see the traffic hitting the interface but i am not seeing it when i run tcpdump on eth1.20.

When i run the fw monitor i am not seeing any traffic at all even after running it disabling the secureXL.

I run fw ctl zdebug drop | grep 10.10.10.10 i am not seeing any drops as well. So not sure what is happening to the traffic. Any suggestions please?

 

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2020-07-14 05:24 AM

If you do not see any traffic on the FW even when acceleration is disabled, it is most probably an external networking issue. Please check the routing, and also check that ARP of eth1.1 appears on the adjacent networking devices. 

0 Kudos
Sanjay_S
Advisor
‎2020-07-14 05:52 AM
In response to _Val_

Hi Val,

Thank you for the input. I can see both hosts arp entries on the firewall on respective interfaces. I can see traffic on source interface example echo request packet can be seen on eth1.10 but i am not seeing the same packet on eth1.20. So traffic is seen on source interface but not after that. Not even zdebug is helping me to find the packet. 😞

0 Kudos
_Val_
Admin
Admin
‎2020-07-14 05:54 AM
In response to Sanjay_S

what fw monitor shows you?

0 Kudos
Sanjay_S
Advisor
‎2020-07-14 11:20 AM
In response to _Val_

Hi Val,

 

Fw monitor shows nothing.

0 Kudos
_Val_
Admin
Admin
‎2020-07-14 11:51 PM
In response to Sanjay_S

Looks like an ARP issue to me. Check @Timothy_Hall 's recommendation below

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-07-14 05:53 AM

when i run tcpdump on eth1.10 i can see the traffic hitting the interface but i am not seeing it when i run tcpdump on eth1.20.

Use the -e flag with your tcpdump on eth1.10, does the destination MAC address correspond to the firewall's interface?  If not the frame is showing up in your tcpdump because the interface is placed in promiscuous mode while tcpdump is running, but because the destination MAC does not match the firewall's interface the frame is not being picked up off the wire for handling on the firewall.

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com
0 Kudos
Sanjay_S
Advisor
‎2020-07-15 08:49 AM
In response to Timothy_Hall

Hi Timothy,

Thank you for your suggestion. We actually found the issue and yet to be fixed. I will update on this once resolved.

0 Kudos