This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sanjay_S
Advisor
‎2021-04-09 05:35 AM

Traceroute Issue

Hi Team,

We are seeing a very weird behavior when we do the traceroute from the Source to destination behind the firewall. Checkpoint Hop is shown twice in the trace. Shows 2nd Hop as checkpoint and next hop would be based on the routing. Then again 5th Hop is shown as Checkpoint and destination.

Regards,

Sanjay S

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2021-04-09 08:23 AM

Sounds like a weird routing/NAT issue.
What version/JHF?
A network diagram would probably be helpful as well.
But I suspect this will require detailed network information to resolve and you might be better off engaging with the TAC.

0 Kudos
Sanjay_S
Advisor
‎2021-04-09 09:23 AM
In response to PhoneBoy

Thank you for helping me on this.

R80.30 and Take 227 is what we are running the firewalls. Captured traffic using fw monitor and i can clearly see it is reaching only once to the firewall. So as you said may be we need to involve TAC and also check the peer directly connected devices as well.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2021-08-03 05:01 AM

Interresting. I have seen the same thing with R80.40 as well. But only on traceroute from Windows (ICMP) and not from Linux (UDP).

ICMP packets with TTL=0 and TTL=1 are only seen on the client side interface with fw monitor (`fw monitor -F 0,0,0,0,1`) .

My guess is that on ICMP the TTL count is lowered by 2 instead of 1. As the steps beyond the firewall are always consistent and do show the expected hops.

As we determined that this is just an unexpected thing but otherwise harmless we did not create a ticket for this. I might do it if I can build a lab that shows the same issue. But it would most likely just be for entertainment purposes for now.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
Advisor
‎2021-08-03 05:05 AM
In response to Hugo_vd_Kooij

Our customer setup is rather like:

Client ==> Internal router ==> Firewall ==> External router ==> {Internet}

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events