This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TomShanti
Collaborator
‎2024-03-20 03:32 AM

Packet processing stops after chain module "fw post VM inbound"

Hi all,

 

I have an issue with a connection that should be NATed.

The NAT that should be applied on a connection between 10.1.1.82 and 10.1.1.154 does not work:

 

fw monitor -p all -e "accept(host(10.1.1.154));"

[vs_0][fw_2] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -> 10.1.1.154 (50) len=104 id=5411

 

A working connection shows this as next step:

[vs_0][fw_3] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -> 172.1.1.7 (50) len=152 id=5014
[vs_0][fw_3] bond1.280:I17 (RTM packet in)[44]: 10.1.1.82 -> 84.1.1.93 (50) len=152 id=5014


So it looks like in the first scenario the processing stopped at chain module "fw post VM inbound".

It was working before but since we reapplied multi-queuing config on this cluster it stopped working.


Any idea why ?

 

Thanks Thomas

PS: Running R81.10

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-03-20 07:09 AM

Most likely, you're going to need to enable kernel debugs to see where the traffic goes (and why).
Might need the TAC to help you figure out the correct debug flags to use here (and fix the underlying problem, of course): https://support.checkpoint.com/results/sk/sk98799 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-03-20 08:07 AM

Try running fw ctl zdebug drop while the traffic is not working, this will show you all live drops by any Check Point code along with a reason, even if it is not being logged.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-03-20 09:43 AM

I would definitely do zdebug, to start with. Just to be 100% sure, can you remove multi q config and see if it works again?

Andy

Best,
Andy
0 Kudos
AmirArama
Employee
Employee
‎2024-03-26 11:20 AM

1. it's better to use: fw monitor -p all -F "0,0,10.1.1.154,0,0"

2. i also suggest to use 'fw ctl zdebug + drop" | grep 10.1.1.154

 

Timothy_Hall
MVP Gold
MVP Gold
‎2024-03-26 04:50 PM
In response to AmirArama

@TomShanti if you are going to attempt to run a fw monitor -F and a fw ctl zdebug + drop simultaneously, be aware that you must do so in a particular order to keep the two commands from stepping on each other and causing problematic results.  See here:  Max Capture Update 2: Debug Filter Battle -- fw monitor -F vs. fw ctl zdebug + drop

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events