This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kiadmin
Participant
‎2024-01-26 01:27 AM

Bridge routing failure

Hi

I'm struggling with the following problem:

We are working with a single Quantum 6600 (latest patches applied). I want traffic (udp/tcp doesn't matter) to go from a subnet (A) on a Bridge-Interface (with Gateway-IP for the according subnet) which has two vlan-adapters (from two separate physical adapters, one 1GBit copper/one 10GBit fibre) as members to another network. It doesn't matter if I try to reach a local system in a different internal subnet or a system in the internet, the bridge routing failure occurs.

In Smartconsole the log for the rule allowing traffic between the machine in subnet A and all other machines in those other networks shows no drops; everything looks fine.

Using Kernel debug logs I observe an error IP(A)->IP(B) dropped by fw_log_ip_routing_failure Reason: IP routing failed (bridge routing failure)

Incoming traffic from different networks via different protocols into said subnet A works flawlessly. So this error only and always occurs on outgoing traffic but not on incoming.

Anyone with any ideas how to dig deeper into that problem?

Hope I have made myself clear and best regards

Maik

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-01-27 01:36 PM

Please show the problematic flow in terms of a simple network diagram involving the gateway.

0 Kudos
kiadmin
Participant
‎2024-01-29 05:39 AM
In response to PhoneBoy

Thanks for your reply.

Attached is a sketch of the involved systems. The gateway of all attached subnets is always the respective device (interface/vlan-if/bridge) on the Check Point device. So the gateway of a problematic host (say 192.168.5.5) is the IP on br1 (here 192.168.5.1). Monitoring traffic (as well as access to the webinterface on that host via 443) towards that host (or others in that subnet) works flawlessly. Only the outgoing packets from hosts in that subnet are dropped by the firewalls kernel with the given error after passing firewall policies without any issues.

Checkpoint-error.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-01 07:16 PM
In response to kiadmin

So you’re receiving traffic on one bridge interface, but routing it out a different interface rather than the other interface on the bridge?
I’m not certain if this is a supported configuration or not.
I would consult with the TAC (either to confirm non-support or address what could be a bug): https://help.checkpoint.com

0 Kudos
the_rock
Legend
Legend
‎2024-01-29 09:52 AM

Below may help.

Best,

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/Traffic-logs-show-drop-message-quot-IP-routing...

 

 

0 Kudos
kiadmin
Participant
‎2024-02-01 01:11 AM
In response to the_rock

Thanks.

Unfortunately this seems to be a different topic. After digging for more informations I observed that not all packets are dropped. Some are getting through (roughly 50%). It seems to me that there is some internal mishandling of the bridge interface, maybe due to internally using the gateway ip on both interfaces (Thats what i get when importing the interfaces topology into the gateways network management)? In general I would have expected to obtain ONE bridge interface with the gateway ip in the network topology not the two interfaces with the same IP, each.

I'm quite sure i followed the documentation by creating a bridge from the two vlan interfaces and adding the gateway ip to the bridge; that would be the standard way, no? The bridge, as "virtual switch", should simply span the broadcast domain between both segments...

I'm running out of ideas at the moment. I'm thinking about changing the network topology so that I can bypass the bridge interface, but that would mean some work, a structure I wouldn't "prefer" and which I don't think can be the right way to go. It should just work with this bridge interface.

I opened a service request at my vendor. Let's see if Check Point can help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events