Hi Valeri,
I`ve a quite simple scenario for testing this. I`ve a tool which periodically does "telnet 1.2.3.4 443" over IPSEC tunnel to ensure that this is up. Source address is NAT`ed. The issue is very easy to replicate:
GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
Smartlog for the connection try:
Tcp State Both FIN
GW1> fwaccel on
SecureXL device enabled.
GW1> fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
Smartlog for the connection try:
Tcp State SYN sent
Of course after "fwaccel on" "telnet 1.2.3.4 443" is still successful, just Tcp State logging doesn`t show correct TCP state.
Case related to 1.2.3.4 is not just single address issue. When SecureXL is enabled we have problems with correct TCP state logging regarding many connections.
@_Val_ thank you for the suggestions. I`ve reviewed the SK`s.
sk162492
Disabling the SecureXL immediately resolves the issue which in my opinion confirms that there is bug in HFA195. In HFA140 TCP state logging worked correctly with SecureXL enabled.
sk104468
I would like to have correct TCP state logging for all traffic. I suspect that SecureXL exception for 0.0.0.0/0 is probably not a good idea?