Packet being dropped..last fw monitor is fw VM inb...

devegajo · ‎2019-05-03

We are having an issue with some connections, at least that we know. The connection is successfully made several times but from time to time randomly, the server is unable to reach the destination.

I ran a fw monitor and for the failed connections the packet just get up to [vs_0][fw_4] bond2.81:i9 (fw VM inbound ) while in a good connection the traffic goes through all the chain [vs_0][fw_4] bond1:O17 (Chain End).

Anybody can help?

Regards

Jorge

PhoneBoy · ‎2019-05-03

This probably needs some fw ctl debug magic, something like fw ctl debug -m fw + drop with all the other necessary commands. See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

devegajo · ‎2019-05-13

Hi I did a fw monitor

fw monitor -e 'accept ((src=172.16.116.74 , dst=194.165.190.103) or (src=172.16.116.70 , dst=194.165.190.103));' -p all

and for the working connections I can see

[vs_0][fw_1] bond2.81:i0 (IP Options Strip (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i1 (vpn multik forward in)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i2 (vpn decrypt)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i3 (l2tp inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i4 (Stateless verifications (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i5 (fw multik misc proto forwarding)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i6 (vpn tagging inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i7 (vpn decrypt verify)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i8 (SecureXL conn sync)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i9 (fw VM inbound )[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I10 (fw accounting inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I11 (vpn policy inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I12 (SecureXL inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I13 (RTM packet in)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I14 (fw SCV inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I15 (passive streaming (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I16 (TCP streaming (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I17 (IP Options Restore (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I18 (HA Forwarding)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I19 (Chain End)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o0 (IP Options Strip (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o1 (vpn multik forward out)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o2 (vpn nat outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o3 (TCP streaming (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o4 (passive streaming (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o5 (vpn tagging outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o6 (Stateless verifications (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o7 (NAC Packet Outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o8 (fw VM outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O9 (vpn policy outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O10 (SecureXL outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O11 (l2tp outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O12 (vpn encrypt)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O13 (RTM packet out)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O14 (fw accounting outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O15 (TCP streaming post VM)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O16 (IP Options Restore (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O17 (Chain End)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000

but in a failed attemtp

[vs_0][fw_4] bond2.81:i0 (IP Options Strip (in))[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i1 (vpn multik forward in)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i2 (vpn decrypt)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i3 (l2tp inbound)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i4 (Stateless verifications (in))[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i5 (fw multik misc proto forwarding)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i6 (vpn tagging inbound)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i7 (vpn decrypt verify)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i8 (SecureXL conn sync)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i9 (fw VM inbound )[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373

Regards

Martin_Peinsipp · ‎2019-10-02

Hi!

We had the same problem with different ssh-connections on a VSX-Cluster. FW Monitor showed the same results.

After a CKP-Case (to be honest, there was no solution after a lot of debugs) we toggled the cluster-node from node 1 to node 2 and then back to node 1 again.

After this, the connections worked fine again. 🙂

Best regards

Martin

Are you a member of CheckMates?

Packet being dropped..last fw monitor is fw VM inbound