This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-10-11 11:21 AM

P2P Communication Intermittence

Hello,

We have a current IP-A-IP communication, which travels over a dedicated link (MPLS).
Since a few weeks, we have this communication very slow and unstable.

What the source wants to consume is a service on port 80, but what I see in the logs, is that there is a traffic that at times is allowed, and at times not.

When it is allowed, the traffic matches with its firewall rule and its NO-NAT rule (since they don't want to kick the origin), but then the traffic starts to match with a rule that is not visible in the SmartConsole, and simply "throws away" the connections (the only known message is that a DROP is done).

Is there any way to detect the reason for this behavior?

I publish a reference image.

ClusterXL HA -> Version R81.10 -> Take 81

IN1.png

Cheers 🙂

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-10-11 11:30 AM

Thats always tough bro, specially when its intermittent. MTU came to mind when I read the problem, but not so sure that might be the case here. Can you expand the drop log and send it as a screenshot, so we can see all the details? Does zdebug show anything when it fails?

Andy

0 Kudos
Matlu
Advisor
‎2023-10-11 11:36 AM
In response to the_rock

Hey,

I'm sharing a notepad, with a log (Accept) and a log in (Drop), so it can be more understandable.

I'm not sure if these logs in DROPS should be ignored or not, or relate directly to the problem, since the problem is that the source has a "SLOW" problem when it wants to consume a resource from the destination.

TCPDROPS.txt
Preview file
1 KB
0 Kudos
the_rock
Legend
Legend
‎2023-10-11 11:49 AM
In response to Matlu

First packet isnt syn has been an error thats been around since probably the beginning of stateful firewalls. All that says, in layman's terms, is that connection is not completing to the point of 3-way handshake (syn -> syn-ack->ack)

You should do regular fw monitor and fw monitor -F flag to see what happens.

Andy

0 Kudos
Matlu
Advisor
‎2023-10-11 12:25 PM
In response to the_rock

Do you have the syntax of the command that I could apply in my scenario, in order to check the flow of this communication, please?

0 Kudos
the_rock
Legend
Legend
‎2023-10-11 12:45 PM
In response to Matlu

If you give src and dst, I can provide it.

Andy

0 Kudos
Matlu
Advisor
‎2023-10-11 01:20 PM
In response to the_rock

The origin and destination, are those shown in the initial image of this publication 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-10-11 01:29 PM
In response to Matlu

I attached simple file I sent to customer once for things to check based on different issues, example is there.

Andy

CP_troubleshooting.txt
Preview file
6 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top