Sam_Ponder
Contributor

Management server behind a gateway managed by a different management server

Hi All - 

What is the best way of setting up the firewall rules/controls for a management server (6000), which is sitting behind a gateway managed by a different management server (410), to manage external gateways?

I have tried allowing any service between the 6000 and the remote gateway, and the 410 shows the traffic as accepted in its logs. However, in the logs on the 6000, I'm seeing drops due to "First packet isn't SYN".


Any suggestions? I have not opened a ticket yet but thought I would go this route first, in case I was missing something little.

I've attached a simple diagram in case I didn't describe it properly.

Thanks in advance.

Sam

Attachment: cp-fw.jpg

6 Replies
the_rock
Legend

Just to make sure I understand this right, based on your diagram, you want the Smart-1 6100 to be able to manage the fw labelled "remote fw", right? But the 6100 mgmt server sits behind the fw cluster that's managed by the 410 server, correct?

If what I said is right, can you do a capture on the fw cluster and see what's happening with the traffic? "First packet isn't SYN" can mean asymmetric routing, i.e. the packet might not be part of an existing connection... maybe try turning off SecureXL on the fw just to be sure that's not causing the problem. I would definitely run fw monitor on the fw side to confirm why this is happening.

Andy

Sam_Ponder
Contributor

Yes, you understood me correctly, Andy.

Thanks for the suggestions. I will let you know. 

G_W_Albrecht
Legend

In which logs of the 6000 SMS are you seeing drops due to "First packet isn't SYN"? It shows up in GW logs, that much I know.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Sam_Ponder
Contributor

The drops show in both the logs and the zdebug command output.

Sam_Ponder
Contributor

When I did a fw monitor on the gateway, it seems to be trying to communicate with the internal IP of the mgmt appliance instead of the public/NAT'd IP.

I remember working a ticket once where we manually edited a conf file on the gateway to point it at a different IP. Does anyone know which file that is?

When I first joined this gateway to the mgmt appliance, it was on the internal network of the management appliance. The gateway seems to only know this internal IP and not the external one. SIC communicates just fine, and I have also re-established it. I have even removed the gateway from the 6000 and re-added it. The gateway is still using the internal IP address to try to get policy from.

Suggestions?


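The symptom described in this thread (a gateway behind NAT addressing the management server's internal IP on a management port, with "First packet isn't SYN" drops on the path) is easy to miss in a wall of `fw ctl zdebug + drop` output. The script below is an added example, not part of the original thread or of any Check Point tool: it parses constructed drop lines in the approximate shape that debug emits, summarises them by destination and reason, and flags management-plane drops whose peer is the management server's private address rather than its public NAT address. The gateway, internal and public addresses, and the sample log lines are all constructed for illustration; the ports 18191 (CPD/SIC and policy fetch), 18190 (CPMI) and 257 (log transfer) are Check Point's documented management ports.

```python
import ipaddress
import re
from collections import Counter

# Documented Check Point management-plane ports: 18191 = CPD (SIC, policy
# fetch), 18190 = CPMI, 257 = log transfer. A drop on one of these between
# the gateway and the management server is management traffic.
MGMT_PORTS = {18191, 18190, 257}

# Constructed addresses for the example (assumption, not from the thread):
# the remote gateway, the management server's internal IP, and the public
# NAT address the gateway should be reaching it on from outside.
GATEWAY_IP = "203.0.113.20"
MGMT_INTERNAL_IP = "10.10.10.5"
MGMT_PUBLIC_IP = "198.51.100.9"

# Constructed sample of `fw ctl zdebug + drop` style lines. Format is
# approximated for the example; it is not output captured from a real box.
SAMPLE_DROPS = [
    ";[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 203.0.113.20:40211 -> 10.10.10.5:18191 "
    "dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.20:52000 -> 10.10.10.5:257 "
    "dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.20:40300 -> 198.51.100.9:18191 "
    "dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.77:51000 -> 10.10.10.5:53 "
    "dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;",
    ";[cpu_0];[fw4_0];unrelated debug chatter with no packet in it;",
]

_DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+)"
)


def parse_drop_line(line):
    """Extract proto, 5-tuple, dropping function and reason; None if no match."""
    m = _DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["reason"] = rec["reason"].strip()
    return rec


def summarize_drops(lines):
    """Count drops by (dst, dport, reason) so the dominant failing path stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec:
            counts[(rec["dst"], rec["dport"], rec["reason"])] += 1
    return counts


def misdirected_mgmt_drops(lines, gateway_ip, mgmt_internal_ip):
    """Return drops where the gateway talked to the management server's
    internal address on a management port. Across NAT that address is
    unreachable, which is the misconfiguration described in the thread."""
    hits = []
    for line in lines:
        rec = parse_drop_line(line)
        if not rec:
            continue
        if rec["src"] == gateway_ip:
            peer = rec["dst"]
        elif rec["dst"] == gateway_ip:
            peer = rec["src"]
        else:
            continue
        on_mgmt_port = rec["dport"] in MGMT_PORTS or rec["sport"] in MGMT_PORTS
        # Sanity check: a private (RFC 1918) peer is never routable across
        # the public path between the two sites.
        if on_mgmt_port and peer == mgmt_internal_ip and ipaddress.ip_address(peer).is_private:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_DROPS).most_common():
        print(f"{n:3d}  {key[0]}:{key[1]}  {key[2]}")
    for rec in misdirected_mgmt_drops(SAMPLE_DROPS, GATEWAY_IP, MGMT_INTERNAL_IP):
        print(f"gateway used internal mgmt IP: {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} ({rec['reason']}); expected peer {MGMT_PUBLIC_IP}")
```

In the sample, the two drops towards 10.10.10.5 on ports 18191 and 257 are flagged, while the drop towards the public address 198.51.100.9 is not: that second kind still needs the state-table or asymmetric-routing investigation Andy describes, but it is at least addressed correctly. Run it against real debug output by reading the lines from a file instead of the constructed list.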
PhoneBoy
Admin
