bsb
Explorer

Packet leaves firewall, but doesn't reach peer device

Hi, 

Below is the scenario:

Check Point (3 subnets) ------> Symantec decryptor (2 subnets reach, 3rd subnet doesn't reach).

The above devices are connected back to back. Initially there was one /27 subnet routed between these two devices; after IP exhaustion, one more /27 was added.

Traffic reaches the Symantec decryptor device from the Check Point; now the second subnet is also exhausted.

Now we are planning a 3rd subnet on the Symantec side.

We can see the packet leaving the Check Point exit interface through fw monitor, but there are no received packets in the packet capture of the SSL decryptor.

Is there an alternative option to check a packet leaving the Check Point other than fw monitor or tcpdump?

thanks

BSB

Nick_Doropoulos
Advisor

Hello,

One other tool for packet captures is CPPCAP, as described in sk141412. In addition, you can correlate the captured output with that of the logs.

Can I confirm we are dealing with an IPSec site-to-site VPN here? If not, please elaborate on the topology in question.

Thanks.

Timothy_Hall
Champion

Seeing the packet hit capture point O in fw monitor just means it is leaving the Check Point code heading for the egress interface in Gaia. Use tcpdump with the -e option to see the destination MAC address of the problematic traffic and verify that the packet is actually leaving. If you don't see it leaving, run fw ctl zdebug drop to see why; my guess would be outbound anti-spoofing enforcement, or you've got some kind of problem with inconsistently applied subnet masks for the new subnet.

If it is the same destination MAC as for the subnet traffic that is working, it is not a firewall problem. If the destination MAC is wrong, that would explain why it is not showing up at the next hop, as the switch will not forward it to that port.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
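The destination-MAC comparison suggested in the reply above, as an added example that is not part of the original thread and not Check Point tooling: it parses `tcpdump -e -n` output from the firewall's egress interface, pulls the destination MAC for every IPv4 frame, and flags any destination whose frame was not addressed to the next-hop MAC seen for a subnet that already works. The MAC addresses, the /27 ranges (192.0.2.32/27, 192.0.2.64/27, 192.0.2.96/27) and the three capture lines are constructed for illustration; on a real gateway you would pipe a live capture into `check_next_hop_mac` instead.

```shell
#!/bin/sh
# Added example: compare the destination MAC of frames for a new /27 against
# the next-hop MAC used by a subnet that is known to work. Everything below
# (MACs, IPs, capture lines) is constructed for illustration.

# Print "dst_ip dst_mac" for every IPv4 frame in `tcpdump -e -n` output on stdin.
# Field layout of a Linux tcpdump -e -n line on Ethernet:
#   ts  src_mac  >  dst_mac,  ethertype IPv4 (0x0800), length N:  src_ip  >  dst_ip:  ...
extract_dst_macs() {
  awk '
    /ethertype IPv4/ {
      dmac = $4; sub(/,$/, "", dmac)
      # the IP pair follows the first "length N:" token
      for (i = 1; i <= NF; i++) {
        if ($i == "length" && $(i + 1) ~ /:$/) { dst = $(i + 4); break }
      }
      sub(/:$/, "", dst)
      # TCP/UDP lines carry the port as a fifth dotted component; drop it
      n = split(dst, p, ".")
      if (n == 5) dst = p[1] "." p[2] "." p[3] "." p[4]
      print dst, tolower(dmac)
    }'
}

# $1 = next-hop MAC observed for a working subnet; stdin = tcpdump -e -n output.
# Prints every destination whose frame went to a different MAC; exits 1 if any did,
# 0 if every frame was addressed to the expected next hop.
check_next_hop_mac() {
  extract_dst_macs | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    $2 != want { print $1, $2; bad = 1 }
    END { exit bad + 0 }'
}

# Constructed capture: pings into the two working /27s are framed to the peer MAC
# 00:50:56:aa:bb:01; the ping into the new /27 (192.0.2.96/27) is framed to a
# different MAC, which is the symptom the thread is chasing.
SAMPLE_CAPTURE='12:00:01.000001 00:1c:7f:00:00:01 > 00:50:56:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 192.0.2.40: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 00:1c:7f:00:00:01 > 00:50:56:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 192.0.2.70: ICMP echo request, id 2, seq 1, length 64
12:00:03.000001 00:1c:7f:00:00:01 > 00:1c:7f:00:00:01, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 192.0.2.100: ICMP echo request, id 3, seq 1, length 64'

# Offline run on the constructed lines. On the gateway you would feed a live capture
# of the egress interface instead (interface name and hosts are assumptions), e.g.:
#   tcpdump -e -n -i eth2 host 192.0.2.100 | check_next_hop_mac 00:50:56:aa:bb:01
printf '%s\n' "$SAMPLE_CAPTURE" | check_next_hop_mac 00:50:56:aa:bb:01 \
  || echo "the destination(s) above were not framed to the expected next-hop MAC"
```

Run it against a capture taken while pinging one address from each range: an empty report means the frames for the new /27 leave the gateway addressed to the same peer as the working ranges, so the problem is downstream of the firewall; a listed destination means the gateway resolved a different (or no) next hop for that range, which points back at routing, netmask or ARP on the Check Point side.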
Maarten_Sjouw
Champion

When you try to ping an IP from the new range, which should now be enabled on the Symantec, do you get a reply? If not, do you see an ARP entry for any of the IPs in that range? I presume you have a route for the new range pointing to the Symantec?
Regards, Maarten