Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Logesh8
Participant

ICMP not leaving the firewall

Jump to solution

Hello,

When I did a troubleshooting, I saw the weird response.  Assume,  Network device D1 is connected to CP firewall Interface eth1 and Network device D2 is connected to eth2 Interface.  When Ping initiated from D1 to D2, I see packet entering eth1 and leaving eth2 and  when got the response back, I see the response on eth2 but its not reached eth1. It observed via both FW monitor and TCPDUMP.  Unfortunately, I am not seeing any drop by issuing command debug drop command. 

Please suggest if you came across any.

Thank you in advance.  

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Leader
Leader

That means a routing problem. On the firewall, run 'ip route get <address>' for the destination of the reply (the client which sent the initial packet). Does it tell you traffic would go out the interface you expect?

View solution in original post

13 Replies
Bob_Zimmerman
Leader
Leader

What does the fw monitor show? i with no I? i-I with no o? i-I-o with no O? Something else?

Logesh8
Participant

Hi,

I see the ICMP reply back on eth2 with "i" and "I" but I did not see "o" and "O".

Thank you

0 Kudos
AndréTinoco
Contributor

Hey!

There can be an issue with IP Forwarding on the interface. Can you paste the output of this command:

sysctl -a | grep forward | grep -v "mc_forwarding" | grep "= 0"

 

Regards,

André Tinoco

0 Kudos
Logesh8
Participant

HI Andre,

Thank you and sure.

0 Kudos
Logesh8
Participant

Hi, PFO,

net.bridge.lacp_forwarding = 0
net.ipv4.ip_forward_use_pmtu = 0

0 Kudos
Bob_Zimmerman
Leader
Leader

That means a routing problem. On the firewall, run 'ip route get <address>' for the destination of the reply (the client which sent the initial packet). Does it tell you traffic would go out the interface you expect?

AndréTinoco
Contributor

It might be routing problem, but for what Logesh8 wrote, the devices are directly connected to the interfaces. Should not have routing issue there.

@Logesh8 Can you elaborate on the topology? If there is routing involved, and the device is not directly connected, then Bob is probably right and you are missing the return route for that traffic. 

0 Kudos
Logesh8
Participant

@AndréTinoco , Sure I will provide you more information about topology soon.

0 Kudos
Logesh8
Participant

@Bob_Zimmerman , I have scheduled  a troubleshooting call on Monday. I will give you more information.

0 Kudos
Markus_Genser
Contributor

Hey just my two cents as you say both devices are directly connected and I assume firewall policy and anti-spoofing have been checked, did you check the subnet masks on both ports?

Not that the firewall isn't forwarding the traffic as it's assuming the subnet range belongs to eth2.

 

BR,

Markus

0 Kudos
Logesh8
Participant

Hi,

Yes checked.. When we run tcpdump for physical interface of the switch and router. Output is perfect but not the same when we run tcpdump for loopback IPs of switch and router.

0 Kudos
Logesh8
Participant

Hi, IP route get shows the correct Interface details.

0 Kudos
the_rock
Champion
Champion

Agree with @Bob_Zimmerman 

0 Kudos