This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dawei_Ye
Collaborator
‎2018-09-04 03:19 AM

tcpdump and fw monitor missed packets

We are digging a issue with our application department.

Testing by our QA dept. the http connection could be a 5-6s latency occasionally.

So we did a packet capture.

the normal post and response:

the post that occurring latency as follows:

You could see the red column should be the POST request but the tcpdump shows "not captured"

and we also captured via fw monitor:

we can only see the POST request but no reponse:

Have you guys meeting this issues before?

0 Kudos
14 Replies
JozkoMrkvicka
Authority
Authority
‎2018-09-04 04:15 AM

Maybe because of SecureXL enabled ? Did you turn it off during debugs ?

Please check following thread before disable SecureXL:

 

To get the full output of fw monitor (and tcpdump) you should disable Secure XL with the command: "fwaccel off". You can re-enable it after debugs with the command: "fwaccel on". Another alternative is to disable SecureXL only for particular IPs, as is mentioned in the link above.

PS: You should blurry IPs in your screenshots.

Kind regards,
Jozko Mrkvicka
0 Kudos
Dawei_Ye
Collaborator
‎2018-09-04 04:25 AM
In response to JozkoMrkvicka

Thank you ,Jozko.Blurred screenshots.

We disabled SecureXL.

Still the outputs as my screenshots.

0 Kudos
Vladimir
Champion
Champion
‎2018-09-04 05:11 AM

If this is a cluster of the gateways, I'd suggest using a span or mirror port on the switch(es) for definitive packet capture.

Have seen some asymmetrical weirdness a few times. 

0 Kudos
Dawei_Ye
Collaborator
‎2018-09-04 06:02 AM
In response to Vladimir

Hi Vladimir

Yes,our gateways are running clusterXL in Bridge mode.

You could see my second screenshots (captured on my WAN interface),actually ,the POST request is sent ,I think.But the tcpdump shows "TCP previous segment not captured".

Meanwhile,there is a normal output from our LAN interface ,but with latency.

So I don't think it is an asymmetrical problem.

0 Kudos
Vladimir
Champion
Champion
‎2018-09-04 06:19 AM
In response to Dawei_Ye

My point being is that you are looking at the traffic from L3 point of view only.

Incidentally, are you using vMAC on your clustered bridge?

And have you, perchance, added any other interfaces besides those in the bridge?

What kind of switches are on both sides of the bridge?

Thanks,

Vladimir

0 Kudos
Dawei_Ye
Collaborator
‎2018-09-05 02:20 AM
In response to Vladimir

yes ,the customer have already check the issues with Application dept. and they have already captured the packets on server side ,there is no latency.

We didnt' use vMAC feature.

and besides brigde interfaces,there is only one Mgmt interface for updates and management.

Regards,

Dawei Ye

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-09-04 07:05 AM

Can you please paste tcpdump and fw monitor command you have used ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Dawei_Ye
Collaborator
‎2018-09-05 02:08 AM
In response to JozkoMrkvicka

Hi Jozko,

these are commands for capture:

fw monitor -T -e "host(52.xx.xx.xx) or host(52.xx.xx.xx) and accept; "

tcpdump -e -w fw036-0904-wan.cap -i eth2-01 -nn host 52.xx.xx.xx or 52.xx.xx.xx -s 0
tcpdump -e -w fw036-0904-lan.cap -i eth2-02 -nn host 52.xx.xx.xx or 52.xx.xx.xx -s 0

52.xx.xx.xx are two servers used for test.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2018-11-18 12:02 PM

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

More see here: R80.x Performance Tuning and Debug Tips – fw monitor 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alan_Long
Participant
‎2019-09-09 03:17 PM

Did you ever get an answer to your question? We are seeing very similar to what you are getting
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-09-15 12:14 PM
In response to Alan_Long

Could be indicative of frame loss at the NIC and/or NIC driver level, what does output of netstat -ni show?

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
Alan_Long
Participant
‎2019-09-15 01:10 PM
In response to Timothy_Hall

We found the issue was due to a rule that should have no affect on the traffic flow. We disabled the rule and all is good. This same rule is on several of our other external clusters, and they have no issue at all. Support is looking into it now.
0 Kudos
Setu2
Explorer
‎2023-03-15 04:41 AM
In response to Alan_Long

Hi Alan,

did you get an anwser from support about this?or they creat any SK?

 

0 Kudos
_Val_
Admin
Admin
‎2023-03-15 04:53 AM
In response to Setu2

@Setu2 this is a very old thread. With all supported versions today, fw monitor should show all the traffic, including fully accelerated packets. If you are still struggling, please open a new thread to discuss your issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events