log accounting does not work

Matthias_Haas · ‎2019-07-24

Hello all,

we are facing the problem, that after upgrading a Cluster to R80.10, log accounting does not work any more. (worked with R77.30) So

- just the FW blade is used (no App Control etc.)

- accounting is enabled for the rule

- nevertheless, the accounting fields are empty in the log

We have waited quite a while to make sure the fields are filled up.

Case is open, but TAC told us that the App Control blade is necessary for accouting which i don´t think is true

(at least in my lab it works with the fw blade only)

I did not find any usefull SK/information for analysing this problem.

Does anyone had the same situation?

Thanks a lot

Matthias

PhoneBoy · ‎2019-07-25

Is SecureXL enabled and accelerating traffic in this case?

Matthias_Haas · ‎2019-07-31

Hi PhoneBoy,

SecureXL is enabled

GW-1> fwaccel stat
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user
NMR Templates : enabled
NMT Templates : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, Nac,
ViolationStats, AsychronicNotif, ERDOS,
McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

As we are using the FW blade only, (no IPS/AppControl), the traffic should be accelerated.

Here is part of the "fwaccel stats" output:

General
------------------------------------------------------------------------------
memory used 0 free memory 0
C used templates 0 pxl tmpl conns 0
C conns from tmpl 0 C non TCP F2F conns 64
C tcp handshake conn 32 C tcp established co 14205
C tcp closed conns 13251 C tcp f2f handshake 0
C tcp f2f establishe 4 C tcp f2f closed con 2
C tcp pxl handshake 0 C tcp pxl establishe 0
C tcp pxl closed con 0 outbound packets 14822158468
outbound pxl packets 0 outbound f2f packets 244241911
outbound bytes 12718343468915 outbound pxl bytes 0
outbound f2f bytes 5867803094

btw., at the customer (R80.10) and in my lab environment (R80.20) we have the same strange situation:

Accounting is enabled for the rule which allows (admin) traffic to the firewall. After doing a ssh/Web Session to the master and the backup member , the backup member is generating accounting data, the master is not.

In my lab, switching acceleration on/off did not make any difference.

Switching VRRP, so the Backup is becoming the master, did make a difference.

After that, a login to the former master caused him to generate accounting data

(we have not done this at the customer yet)

What i further did:

fwd debug enabled (fw debug fwd on TDERROR_ALL_ALL=5)

If accounting is working, then a lot of "PackLogData" entries are generated in the fwd.elg:

[FWD 10503 3825499024]@FW1-1[18 Jul 14:27:48] CBinObjCommon::PackLogData: packing new field: index: 11 Field Offset: 0x0, (index + Field Offset) % Fields Num: 11, field type: eFtDword

[FWD 10503 3825499024]@FW1-1[18 Jul 14:27:48] CBinObjCommon::PackLogData: Field number:11, Data offset:26, field Value:32

[FWD 10503 3825499024]@FW1-1[18 Jul 14:27:48] CBinObjCommon::PackLogData: fieldName is: client_outbound_bytes

Looks like the accouting fields (here client_outbound_bytes) are updated.

Matthias

PhoneBoy · ‎2019-08-02

Sounds like a TAC case is in order for this one.

Matthias_Haas · ‎2019-08-14

it´s a bug. Fix available. See sk159432 for further details.