Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Norbert_Papirny
Participant
Jump to solution

fw monitor output

Hi All,

I need some help with fw monitor output.  (R80.20 gaia T47)

Our GRE/SIP  communication doesn't work, and as you can see below, the last captured packet was stopped in pre-outbound (o4) chain position. It is the tunnel-inside traffic.

We have bidirectional rules between peers without NAT.

CP.PNG

Could you please somebody explain what caused this behavior? 

Here is also the relevant wireshark capture:

cp2.PNG

There are many articles/ cheat sheets ,etc. about how fw monitor is working, but i cant find any information about the output interpretation...  

 

in chain (14):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8a32c9b0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8a32c4d0) (00000001) fw multik misc proto forwarding
5: - 1fffff5 (ffffffff8a3e2ec0) (00000001) fw early SIP NAT (sipnat)
6: 0 (ffffffff8a48cc10) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8a32efd0) (00000001) fw SCV inbound (scv)
8: 5 (ffffffff8a21a4d0) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8a47eca0) (00000001) fw post VM inbound (post_vm)
10: 7f730000 (ffffffff89ffc520) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (ffffffff89c8c7d0) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (in) (ipopt_res)
13: 7fb00000 (ffffffff89628750) (00000001) Cluster Late Correction (ha_for)
out chain (11):
0: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff89c76dd0) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff89ffc520) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8a32c9b0) (00000001) Stateless verifications (out) (asm)
4: 0 (ffffffff8a48cc10) (00000001) fw VM outbound (fw)
5: 10 (ffffffff8a47eca0) (00000001) fw post VM outbound (post_vm)
6: 18000000 (ffffffff89f28210) (00000001) fw record data outbound
7: 7f700000 (ffffffff89c8b2f0) (00000001) TCP streaming post VM (cpas)
8: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (out) (ipopt_res)
9: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
10: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)

**********

 

outside traffic:

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I14 (Chain End)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

 

*********************outside traffic was stopped in 04 position

 

inside traffic:

[vs_0][fw_2] bond1.509:i2 (IP Options Strip (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i3 (Stateless verifications (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i4 (fw multik misc proto forwarding)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i5 (fw early SIP NAT)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i6 (fw VM inbound )[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I14 (Chain End)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

 

Many thanks,

Norbert

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
This is where you need to break out the debug commands to find out why it dropped.
You can start with fw ctl zdebug drop | grep 10.42.14.60.
A little bit more about fw ctl zdebug, which should generally be used with care: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/quot-fw-ctl-zdebug-quot-Helpful-C...

View solution in original post

1 Reply
PhoneBoy
Admin
Admin
This is where you need to break out the debug commands to find out why it dropped.
You can start with fw ctl zdebug drop | grep 10.42.14.60.
A little bit more about fw ctl zdebug, which should generally be used with care: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/quot-fw-ctl-zdebug-quot-Helpful-C...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events