Dear Mates
I need a hand.
We are currently having an issue with one of our applications that is accessed through Check Point Endpoint Security. The application is behind a load balancer, which then distributes the traffic to the servers where the applications are running.
We are doing NAT of the Office Pool with the VPN gateway internal address. So the IP that reaches the load balancer is the IP of the VPN gateway, which is then NATted by the load balancer.
The issue is that the application sometimes works and other times it stops working. I did capture the traffic when it stops working, and the message I see is:
[Expert Info (Note/Sequence): A new tcp session is started with the same ports as an earlier session in this trace]
[A new tcp session is started with the same ports as an earlier session in this trace]

10.25.193.214 is the IP of the load balancer
192.168.1.1 is the IP of the RA VPN gateway
I need help to know whether the port is being reused by the firewall or the load balancer, and how this situation could be resolved.
Thanks in advance
The client is the one who determines what source port is being used.
When HIDE NAT is being used, it's a combination of the client and the NAT gateway.
Specifically, the NAT gateway will allocate a new port when a new connection is established through the gateway.
Presumably, in the case where the client reuses the same source ip/port to the same destination ip/port, you are triggering "connection reuse."
Do you see any messages related to this in your logs?
Maybe this feature needs to be disabled.
See: "Smart Connection Reuse" feature modifies some SYN packets
I now checked the log and the traffic is logged as shown below.
Any idea on how this could be overcome?

The Check Point does indeed re-use ports, please check out the following:
sk24960: "Smart Connection Reuse" feature modifies some SYN packets
sk103656: Dynamic NAT port allocation feature
For that second SK, you'll want to look at the fwx_nat_dynamic_port_allocation_entry_timeout variable specifically.
--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
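The two answers above describe the hide-NAT gateway allocating source ports and the "Smart Connection Reuse" / dynamic port allocation behaviour from sk24960 and sk103656. The script below is an added example, not code from the thread or from Check Point: it walks a capture and reports every SYN that reuses a source/destination port pair already seen, which is the condition Wireshark flagged in the original post. The line format, IP addresses, ports and timestamps in the sample are constructed.

```python
# Added example, not from the thread: flag TCP SYNs that reuse a src/sport/dst/dport
# 4-tuple already seen earlier in the same capture, the condition Wireshark reports
# as "A new tcp session is started with the same ports as an earlier session".
from collections import defaultdict

def parse_syns(lines):
    """Parse constructed 'ts src:sport > dst:dport flags' lines; keep pure SYNs ('S') only."""
    syns = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != ">" or fields[4] != "S":
            continue  # skips SYN-ACK ('S.'), data segments and malformed lines
        src, sport = fields[1].rsplit(":", 1)
        dst, dport = fields[3].rsplit(":", 1)
        syns.append((float(fields[0]), src, int(sport), dst, int(dport)))
    return syns

def find_port_reuse(lines):
    """One record per SYN whose 4-tuple repeats: (src, sport, dst, dport, first_ts, reuse_ts, gap_s)."""
    last_seen = {}
    reuse = []
    for ts, src, sport, dst, dport in parse_syns(lines):
        key = (src, sport, dst, dport)
        if key in last_seen:
            reuse.append(key + (last_seen[key], ts, round(ts - last_seen[key], 3)))
        last_seen[key] = ts  # a later reuse is measured from the most recent SYN
    return reuse

def reuse_count_by_source(lines):
    """Reused 4-tuples per source IP. Compare captures taken on each side of the
    load balancer: the first capture point showing reuse for a source identifies
    the device (hide-NAT gateway or balancer) that handed out the port again."""
    counts = defaultdict(int)
    for rec in find_port_reuse(lines):
        counts[rec[0]] += 1
    return dict(counts)

# Constructed sample: 192.168.1.1 is the gateway's hide-NAT address and
# 10.25.193.214 the load balancer, as in the thread; ports and times are made up.
SAMPLE_CAPTURE = [
    "1000.000 192.168.1.1:51234 > 10.25.193.214:443 S",
    "1000.001 10.25.193.214:443 > 192.168.1.1:51234 S.",
    "1002.500 192.168.1.1:51235 > 10.25.193.214:443 S",
    "1045.250 192.168.1.1:51234 > 10.25.193.214:443 S",
    "1045.251 10.25.193.214:443 > 192.168.1.1:51234 S.",
    "1090.000 192.168.1.1:51235 > 10.25.193.214:443 S",
]
```

The gap_s values are what to compare against the NAT port allocation timeout that sk103656 discusses.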
Hi All
After an interaction with Check Point TAC, it was discovered that the HTTP traffic was not being synchronized between the cluster members (we use LS unicast mode).
After changing the protocol properties, the application started working as expected.

Thanks
That might cause the issue you saw in the logs
Yeah, disabling state sync for services in any kind of Load Sharing deployment is not a good idea. In HA (active/standby) it can be used to reduce utilization in the sync network and CPU overhead quite a bit. Also don't try to upgrade your gateway to R80.20, as both forms of ClusterXL Load Sharing are not supported at this time.
--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com