This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gtzakis
Participant
‎2019-10-08 10:33 PM

Gateway not replying to pings

Hello all,

 

we upgraded one Security Gateway to R80.20 and we have a really strange behavior.

The gateway doesn't reply to ping requests. 

We see logs that the request is accepted, and the tcpdump and fwmonitor shows that the requests successfully reach the gateway, but both tcpdump and fwmonitor don't show replies. Also on zdebug we don't see any drops at all.

We disabled SecureXL with "fwaccel off", because it has caused some problems on others upgrades and the issue persists.

It is really weird, and we cannot think what may cause this problem.

Find below tcpdump output with some requests but without replies!

08:27:18.461003 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38729, length 87
08:27:19.462044 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38730, length 87
08:27:20.463021 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38731, length 87

The 10.x.78.1 is the VIP of the cluster, and the server with 10.x.78.154 is an esxi that has to ping the default gateway as a Keep Alive mechanism.

Can you think of something to investigate, because we have reached a wall.

Thank you all

0 Kudos
9 Replies
Maarten_Sjouw
Champion
Champion
‎2019-10-08 10:41 PM

Do you have vMAC enabled? If not enable it and see how that works?
There is no impact in doing so, it will take a little while for the new vMAC to be used on all equipment, so give it a few minutes.
Also look at the latest jumbo. There have been a lot problems with R80.20, including memory leaks, that are resolved in the latest jumbo.
Regards, Maarten
0 Kudos
Benedikt_Weissl
Advisor
‎2019-10-09 12:37 AM

Can you initiate the ping to the esxi from the gateway? Is IPS active? Do you see anything in the logfiles?

0 Kudos
gtzakis
Participant
‎2019-10-09 12:47 AM
In response to Benedikt_Weissl

Yes we can initiate the ping from the gateway to esxi, and works fine.

IPS is not active, and the logs show that the icmp is accepted as excepted.

 

0 Kudos
Benedikt_Weissl
Advisor
‎2019-10-09 12:54 AM
In response to gtzakis

Very strange. Did you check NAT-Rules and Anti-Spoofing configuration? Can you please post a censored screenshot of SmartLog?

0 Kudos
gtzakis
Participant
‎2019-10-09 01:12 AM
In response to Benedikt_Weissl

Yes we checked all of them. NATing, antispoof, static routes, anything. We couldn't find anything that's why is so strange.

 

screen.JPG
Preview file
151 KB
0 Kudos
Benedikt_Weissl
Advisor
‎2019-10-09 02:39 AM
In response to gtzakis

Anything strange if you execute "dmesg"? Also check "netstat -s" starting at "Icmp:", you should see something like this

XXXX ICMP messages received
XXX input ICMP message failed.
ICMP input histogram:
destination unreachable: XXXX
timeout in transit: XX
echo requests: XXX
echo replies: XX
XX ICMP messages sent
X ICMP messages failed
ICMP output histogram:
destination unreachable: X
time exceeded: XX
echo request: X
echo replies: XXX.


0 Kudos
gtzakis
Participant
‎2019-10-09 03:40 AM
In response to Benedikt_Weissl

Thank you for your help.

In dmesg we don't see anything weird about the interfaces and the IPs that we see the problem.

Here is the netstat -s output for icmp

Icmp:
4979831 ICMP messages received
36 input ICMP message failed.
ICMP input histogram:
destination unreachable: 28880
echo requests: 4950917
echo replies: 28
984185 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 70178
time exceeded: 27
echo request: 36
echo replies: 913944
IcmpMsg:
InType0: 28
InType3: 28880
InType8: 4950917
OutType0: 913944
OutType3: 70178
OutType8: 36
OutType11: 27

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-10-09 07:44 AM

How are you filtering your tcpdump?  The destination IP of the ping request is being NATted from 10.x.78.1 to 10.x.78.3, is 10.x.78.3 the dedicated IP address of the active firewall?  Is there an echo request coming back sourced from 10.x.78.3?

This sounds a bit like this:

sk26874: Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical i...

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
gtzakis
Participant
‎2019-10-09 09:27 PM
In response to Timothy_Hall

Hello,

 

yes the 10.x.78.3 is the original IP of the gateway interface. And yes indeed, sometimes we see an echo request from the Gateway(10.x.78.3) targeting the servers.

The simultaneously ping was our first thought, this one of the first changes we made to fix the issue but made things even worse for some reason.

Also the tcpdump is filtered like "tcpdump -nni eth2.xx host <server-IP> and icmp".  The filter is alright we see the whole traffic(and replies) if there are any.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top