Hello,
While troubleshooting, I saw a weird response. Assume network device D1 is connected to CP firewall interface eth1 and network device D2 is connected to interface eth2. When a ping is initiated from D1 to D2, I see the packet entering eth1 and leaving eth2, and when the response comes back, I see the response on eth2 but it has not reached eth1. This was observed via both fw monitor and tcpdump. Unfortunately, I am not seeing any drop when issuing the debug drop command.
Please suggest if you came across any.
Thank you in advance.
That means a routing problem. On the firewall, run 'ip route get <address>' for the destination of the reply (the client which sent the initial packet). Does it tell you traffic would go out the interface you expect?
What does the fw monitor show? i with no I? i-I with no o? i-I-o with no O? Something else?
Hi,
I see the ICMP reply back on eth2 with "i" and "I" but I did not see "o" and "O".
Thank you
Hey!
There can be an issue with IP Forwarding on the interface. Can you paste the output of this command:
sysctl -a | grep forward | grep -v "mc_forwarding" | grep "= 0"
Regards,
André Tinoco
Hi Andre,
Thank you and sure.
Hi, PFO,
net.bridge.lacp_forwarding = 0
net.ipv4.ip_forward_use_pmtu = 0
That means a routing problem. On the firewall, run 'ip route get <address>' for the destination of the reply (the client which sent the initial packet). Does it tell you traffic would go out the interface you expect?
It might be a routing problem, but from what Logesh8 wrote, the devices are directly connected to the interfaces. There should not be a routing issue there.
@Logesh8 Can you elaborate on the topology? If there is routing involved, and the device is not directly connected, then Bob is probably right and you are missing the return route for that traffic.
@AndréTinoco, sure, I will provide you more information about the topology soon.
@Bob_Zimmerman, I have scheduled a troubleshooting call on Monday. I will give you more information.
Hey, just my two cents: as you say both devices are directly connected, and I assume firewall policy and anti-spoofing have been checked, did you check the subnet masks on both ports?
Not that the firewall isn't forwarding the traffic as it's assuming the subnet range belongs to eth2.
BR,
Markus
Hi,
Yes, checked. When we run tcpdump for the physical interfaces of the switch and router, the output is perfect, but it is not the same when we run tcpdump for the loopback IPs of the switch and router.
Hi, ip route get shows the correct interface details.
Agree with @Bob_Zimmerman
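Added example (not part of any post in this thread, and not Check Point code): a small Python reader for fw monitor output that groups lines per packet and reports the last inspection point seen, which is the question asked above (i with no I, i-I with no o, and so on). The line format, addresses and IP ids in the sample are constructed, and the script assumes no NAT rewrites the addresses between inspection points.

```python
import re
from collections import defaultdict

# Constructed sample in the classic fw monitor line shape (assumed format):
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<ipid>
# Echo request crosses the gateway; the echo reply shows i and I only.
SAMPLE = """\
[vs_0][fw_1] eth1:i[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
[vs_0][fw_1] eth1:I[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
[vs_0][fw_1] eth2:o[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
[vs_0][fw_1] eth2:O[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
[vs_0][fw_1] eth2:i[84]: 10.2.2.20 -> 10.1.1.10 (ICMP) len=84 id=7730
[vs_0][fw_1] eth2:I[84]: 10.2.2.20 -> 10.1.1.10 (ICMP) len=84 id=7730
"""

LINE = re.compile(
    r"(?P<iface>[\w.\-]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\).*?\bid=(?P<ipid>\d+)"
)

# Conventional reading of the last inspection point at which a packet was seen.
VERDICT = {
    "i": "stopped in the inbound firewall chain (policy, anti-spoofing)",
    "I": "passed inbound inspection, never reached outbound: check routing/forwarding",
    "o": "stopped in the outbound firewall chain",
    "O": "left the gateway",
}

def trace(text):
    """Group lines per packet (src, dst, IP id) and report the last point seen."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            seen[(m["src"], m["dst"], m["ipid"])].append((m["point"], m["iface"]))
    report = {}
    for key, hops in seen.items():
        # Rank points by their order through the gateway: i, I, o, O.
        last_point, last_iface = max(hops, key=lambda h: "iIoO".index(h[0]))
        path = " ".join(f"{iface}:{point}" for point, iface in hops)
        report[key] = (path, last_iface, VERDICT[last_point])
    return report

if __name__ == "__main__":
    for (src, dst, ipid), (path, iface, verdict) in trace(SAMPLE).items():
        print(f"{src} -> {dst} id={ipid}: {path} => {verdict}")
```

For the reply packet in the sample, the report ends at eth2:I, the same pattern described in the thread, and points at the routing and forwarding checks suggested in the replies.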