This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
bsb
Explorer
‎2019-11-17 06:53 AM

Packet leaves firewall, but doesnt reach peer device

Hi, 

Below is the scenario

 

Checkpoint ( 3 subnets) ------ > Symantec decrypter (2 subnets reaches, 3rd subnet doesnt reach).

 

Above devices are connected back to back, initially there are subnet with /27 routed between these two devices, post ip exhaust , one more /27 was added.

traffic reaches from checkpoint to symantec decrytor device, now second subnet is also exhausted.

now we are planning with 3 rd subnet in symantec side.

we could see packet leaving checkpoint exit interface through fwmonitor, but there is no received packets in packet capture of ssl decryptor.

Is there an alternate option to check packet leaving checkpoint other than fwmonitor or tcpdump.

thanks

BSB

0 Kudos
3 Replies
Nick_Doropoulos
Advisor
‎2019-11-17 07:39 AM

Hello,

One other tool for packet captures is CPPCAP as described in sk141412. In addition, you can correlate the captured output with that of the logs.

Can I confirm we are dealing with an IPSec site-to-site VPN here? If not, please elaborate on the topology in question.

Thanks.

 

0 Kudos
Timothy_Hall
Champion
Champion
‎2019-11-17 02:09 PM

Seeing the packet hit capture point O in fw monitor just means it is leaving the Check Point code heading for the egress interface in Gaia.  Use tcpdump with the -e option to see the destination MAC address of the problematic traffic and verify that the packet is actually leaving. If you don't see it leaving, run fw ctl zdebug drop to see why, my guess would be outbound antispoofing enforcement or you've got some kind of problem with inconsistently applied subnet masks for the new subnet.

If it is the same destination MAC as for subnet traffic that is working, it is not a firewall problem.  If the destination MAC is wrong that would explain why it is not showing up at the next hop as the switch will not forward it to that port.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Maarten_Sjouw
Champion
Champion
‎2019-11-18 12:44 AM

When you try to ping an IP from the new range, as it now should be enabled on the Symantec, do you get a reply? If not do you see an arp for any of the IP's in that range, I presume you have a route for the new range pointing to the Symantec?
Regards, Maarten
0 Kudos