Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

R80.30 and HFA 195 - TCP state logging stopped working

Hi,

after update from R80.30 HFA140 to R80.30 HFA195 I see that TCP state logging stopped working. In logs I see just “SYN sent” even if the TCP session is successful.

I tried to disable Secure XL (fwaccel off) and that resolves the issue. Problem is that in R80.30 option to disable SecureXl permanently simply doesn`t exist. Do you have any idea how to disable SecureXL permanently or have correct tcp state logging with SexureXL enabled? I would like to have working TCP state logging all the time which is crucial during quick troubleshooting basing on Smartlog (instead of packet capture). Thanks.

 

/BR

MK

 

 

0 Kudos
8 Replies
Highlighted
Admin
Admin

We removed the ability to permanently disable SecureXL in R80.20.
If the solution to your problem involves disabling SecureXL, it's a bug and you should open a TAC case.
0 Kudos
Highlighted

Thank you for the quick reply PhoneBoy. I`ve opened a case 22nd of May (just after an upgrade), but unfortunately I have to say that support is not very responsive :\. Support "ping-pong" as usual, no quick hints at all. If you could help regarding this then I can provide you a service request number. Thanks!

0 Kudos
Highlighted
Admin
Admin

Can you send me the TAC SR in a PM?
I'll have someone look at it.
Highlighted

@PhoneBoy, I`ve sent the SR number in a PM, Thanks!

0 Kudos
Highlighted
Admin
Admin

There are two options: 

sk162492 or sk104468

Highlighted

Hi Valeri,

 

I`ve a quite simple scenario for testing this.  I`ve a tool which periodically does "telnet 1.2.3.4 443" over IPSEC tunnel to ensure that this is up. Source address is NAT`ed. The issue is very easy to replicate:

 

GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

 

Smartlog for the connection try:

Tcp State    Both FIN

 

GW1> fwaccel on
SecureXL device enabled.
GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

 

Smartlog for the connection try:

Tcp State    SYN sent

 

Of course after "fwaccel on" "telnet 1.2.3.4 443" is still successful, just Tcp State logging doesn`t show correct TCP state.

 

Case related to 1.2.3.4 is not just single address issue. When SecureXL is enabled we have problems with correct TCP state logging regarding many connections.

@_Val_ thank you for the suggestions. I`ve reviewed the SK`s.

sk162492

Disabling the SecureXL immediately resolves the issue which in my opinion confirms that there is bug in HFA195. In HFA140 TCP state logging worked correctly with SecureXL enabled.

sk104468

I would like to have correct TCP state logging for all traffic. I suspect that SecureXL exception for 0.0.0.0/0 is probably not a good idea?

 

 

 

0 Kudos
Highlighted
Admin
Admin

1. If disabling acceleration fixed the issue, open TAC case at once.

2. No, not a good idea at all 🙂

Highlighted

Sure, I opened a case just after upgrade to HFA195 on 22nd of May, but for now there is no resolution.

0 Kudos