This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TomShanti
Collaborator
‎2024-03-20 03:32 AM

Packet processing stops after chain module "fw post VM inbound"

Hi all,

 

I have an issue with a connection that should be NATed.

The NAT that should be applied on a connection between 10.1.1.82 and 10.1.1.154 does not work:

 

fw monitor -p all -e "accept(host(10.1.1.154));"

[vs_0][fw_2] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -> 10.1.1.154 (50) len=104 id=5411

 

A working connection shows this as next step:

[vs_0][fw_3] bond1.280:I16 (fw post VM inbound )[44]: 10.1.1.82 -> 172.1.1.7 (50) len=152 id=5014
[vs_0][fw_3] bond1.280:I17 (RTM packet in)[44]: 10.1.1.82 -> 84.1.1.93 (50) len=152 id=5014


So it looks like in the first scenario the processing stopped at chain module "fw post VM inbound".

It was working before but since we reapplied multi-queuing config on this cluster it stopped working.


Any idea why ?

 

Thanks Thomas

PS: Running R81.10

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-03-20 07:09 AM

Most likely, you're going to need to enable kernel debugs to see where the traffic goes (and why).
Might need the TAC to help you figure out the correct debug flags to use here (and fix the underlying problem, of course): https://support.checkpoint.com/results/sk/sk98799 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-03-20 08:07 AM

Try running fw ctl zdebug drop while the traffic is not working, this will show you all live drops by any Check Point code along with a reason, even if it is not being logged.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
the_rock
Legend
Legend
‎2024-03-20 09:43 AM

I would definitely do zdebug, to start with. Just to be 100% sure, can you remove multi q config and see if it works again?

Andy

0 Kudos
AmirArama
Employee
Employee
‎2024-03-26 11:20 AM

1. it's better to use: fw monitor -p all -F "0,0,10.1.1.154,0,0"

2. i also suggest to use 'fw ctl zdebug + drop" | grep 10.1.1.154

 

Timothy_Hall
Legend Legend
Legend
‎2024-03-26 04:50 PM
In response to AmirArama

@TomShanti if you are going to attempt to run a fw monitor -F and a fw ctl zdebug + drop simultaneously, be aware that you must do so in a particular order to keep the two commands from stepping on each other and causing problematic results.  See here:  Max Capture Update 2: Debug Filter Battle -- fw monitor -F vs. fw ctl zdebug + drop

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top