This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
devegajo
Explorer
‎2019-05-03 08:12 AM

Packet being dropped..last fw monitor is fw VM inbound

We are having an issue with some connections, at least that we know. The connection is successfully made several times but from time to time randomly, the server is unable to reach the destination.

I ran a fw monitor and for the failed connections the packet just get up to [vs_0][fw_4] bond2.81:i9 (fw VM inbound ) while in a good connection the traffic goes through all the chain [vs_0][fw_4] bond1:O17 (Chain End).

Anybody can help?

 

Regards

Jorge

0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin
‎2019-05-03 09:46 AM

This probably needs some fw ctl debug magic, something like fw ctl debug -m fw + drop with all the other necessary commands. See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

0 Kudos
Reply
devegajo
Explorer
‎2019-05-13 08:37 AM
In response to PhoneBoy

Hi I did a fw monitor

fw monitor -e 'accept ((src=172.16.116.74 , dst=194.165.190.103) or (src=172.16.116.70 , dst=194.165.190.103));' -p all

and for the working connections I can see

 

[vs_0][fw_1] bond2.81:i0 (IP Options Strip (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i1 (vpn multik forward in)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i2 (vpn decrypt)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i3 (l2tp inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i4 (Stateless verifications (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i5 (fw multik misc proto forwarding)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i6 (vpn tagging inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i7 (vpn decrypt verify)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i8 (SecureXL conn sync)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:i9 (fw VM inbound )[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I10 (fw accounting inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I11 (vpn policy inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I12 (SecureXL inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I13 (RTM packet in)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I14 (fw SCV inbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I15 (passive streaming (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I16 (TCP streaming (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I17 (IP Options Restore (in))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I18 (HA Forwarding)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond2.81:I19 (Chain End)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o0 (IP Options Strip (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o1 (vpn multik forward out)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o2 (vpn nat outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o3 (TCP streaming (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o4 (passive streaming (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o5 (vpn tagging outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o6 (Stateless verifications (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o7 (NAC Packet Outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:o8 (fw VM outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O9 (vpn policy outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O10 (SecureXL outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O11 (l2tp outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O12 (vpn encrypt)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O13 (RTM packet out)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O14 (fw accounting outbound)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O15 (TCP streaming post VM)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O16 (IP Options Restore (out))[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000
[vs_0][fw_1] bond1:O17 (Chain End)[60]: 172.16.116.74 -> 194.165.190.103 (TCP) len=60 id=62230
TCP: 38534 -> 1093 .S.... seq=de928dc4 ack=00000000

but in a failed attemtp

[vs_0][fw_4] bond2.81:i0 (IP Options Strip (in))[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i1 (vpn multik forward in)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i2 (vpn decrypt)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i3 (l2tp inbound)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i4 (Stateless verifications (in))[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i5 (fw multik misc proto forwarding)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i6 (vpn tagging inbound)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i7 (vpn decrypt verify)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i8 (SecureXL conn sync)[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373
TCP: 36492 -> 1093 .S.... seq=1033fef3 ack=00000000
[vs_0][fw_4] bond2.81:i9 (fw VM inbound )[60]: 172.16.116.70 -> 194.165.190.103 (TCP) len=60 id=47373

 

Regards

 

0 Kudos
Reply
Martin_Peinsipp
Contributor
‎2019-10-02 03:34 AM
In response to devegajo

Hi!

We had the same problem with different ssh-connections on a VSX-Cluster. FW Monitor showed the same results.

After a CKP-Case (to be honest, there was no solution after a lot of debugs) we toggled the cluster-node from node 1 to node 2 and then back to node 1 again.

After this, the connections worked fine again. 🙂

Best regards

Martin

0 Kudos
Reply