alliki
Explorer

Packets get drop

Hi all, 

After running fw ctl zdebug + drop I am getting something like this: 

[cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 ip -> ip:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: (0,0) received drop, reason: Monitored Spoofed, conn: <.............>;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <...................>;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: sending single drop notification, conn: <......>;
cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;

 

Any idea how to fix this or what caused the problem? 

0 Kudos
1 Reply
the_rock
Legend

Ok, let's start with basics... what is the exact issue and when did it happen? Did related traffic work for a long time before this? Let's assume affected IP addresses are 1.1.1.1 and 2.2.2.2... you can try something like below and see what you get. Usually, "first packet isn't SYN" means something related to asymmetric routing and connection not completing properly.

fw monitor -e "accept host(1.1.1.1) and host(2.2.2.2);"

fw monitor -e "accept host(1.1.1.1) or host(2.2.2.2);"

fw monitor -F '1.1.1.1,0,2.2.2.2,0,0' -F '2.2.2.2,0,1.1.1.1,0,0'  -> this is the idea...source IP, port, dst IP, port, protocol

fw ctl zdebug + drop | grep 1.1.1.1 | grep 2.2.2.2

Let us know if you can do those and send it over or if any info is private, just blur it out.

Cheers,

Andy

0 Kudos
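
An added example, not part of either post and not Check Point tooling: a shell function that tallies `fw ctl zdebug + drop` output by reporting function and drop reason, so it is clear at a glance whether "Monitored Spoofed" or "First packet isn't SYN" accounts for most of the drops. The sample input is the output quoted in the question; the names `summarize_drops` and `sample_lines` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: count drops per reporting function and reason.

# Sample input: the debug lines quoted in the question, redactions kept as posted.
sample_lines() {
    cat <<'EOF'
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
[cpu_1];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 ip -> ip:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
[cpu_1];[SIM-205643047];sim_pkt_send_drop_notification: (0,0) received drop, reason: Monitored Spoofed, conn: <.............>;
cpu_1];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Monitored Spoofed;
EOF
}

# Reads debug lines on stdin; prints "count<TAB>function<TAB>reason", highest count first.
summarize_drops() {
    awk '
    {
        # Both "reason:" and "Reason:" occur in the output; skip lines with neither.
        pos = match($0, /[Rr]eason: /)
        if (pos == 0) next
        reason = substr($0, pos + RLENGTH)
        sub(/, conn: .*$/, "", reason)   # drop the trailing connection tuple
        sub(/;[ \t]*$/, "", reason)      # drop the line terminator

        # Reporting function: text before the first ":", minus the [cpu];[instance]; tags.
        src = $0
        sub(/:.*$/, "", src)
        sub(/^.*;/, "", src)
        count[src "\t" reason]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Stand-alone run on the sample. For real output, save the debug to a file first
# and redirect that file into summarize_drops.
sample_lines | summarize_drops
```

Each "Monitored Spoofed" event can appear under more than one reporting function (here both `cphwd_notif_packet_dropped` and `sim_pkt_send_drop_notification`), so compare counts within one function rather than adding them together.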