Hi guys, this is my first post here.
I've a strange situation, it's not something impacting for my customer but I'd like to go deeply into this and try to understand what's going on.
I'm trying to ping a device connected behind a VPN installed in another firewall using as source one interface physically connected to the 1st firewall.
The destination is known;
[Expert@FW1]# ip route get 10.20.20.2
10.20.20.2 via 10.39.39.3 dev eth3.439 src 10.39.39.252
cache mtu 1500 advmss 1460 hoplimit 64
The source is this one:
[Expert@FW1]# ip route get 172.28.10.0
broadcast 172.28.10.0 dev eth3.412 src 172.28.10.2
cache <local,brd> mtu 1500 advmss 1460 hoplimit 64
ping -I eth3.412 10.20.20.2
PING 10.20.20.2 (10.20.20.2) from 172.28.10.2 eth3.412: 56(84) bytes of data.
From 172.28.10.2 icmp_seq=2 Destination Host Unreachable
From 172.28.10.2 icmp_seq=3 Destination Host Unreachable
From 172.28.10.2 icmp_seq=4 Destination Host Unreachable
--- 10.20.20.2 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
The interesting part is that a tcpdump shows only this:
[Expert@SFW1]# tcpdump -nni any host 10.20.20.2
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:39:17.295162 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:17.295164 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:18.295084 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:18.295086 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:19.295006 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:19.295008 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:21.294846 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:21.294848 arp who-has 10.20.20.2 tell 172.28.10.2
In the logs traffic is accepted and with the fw ctl zdebug drop there is no evidence of any dropped packet.
Below a fwmonitor
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=93
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=93
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=94
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=94
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=95
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=95
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=96
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=96
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=97
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=97
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=98
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=98
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=99
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=99
[vs_0][fw_1] eth3.412:o[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=100
[vs_0][fw_1] eth3.412:O[84]: 172.28.10.2 -> 10.20.20.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=4973 seq=100
Traffic doesn't leave the generating interface.
Can someone help me?
Thanks in advance gurus
Is ping -I [ip of eth3.412] 10.20.20.2 working? Are all networks in the encryption domain? Could you provide a sketch of the setup please?
Hi,
chain ends:
out chain (18):
0: -7f800000 (ffffffff887fff30) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (ffffffff88fd3ac0) (00000003) vpn multik forward out
2: - 1ffffff (ffffffff88fa03a0) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (ffffffff88c363c0) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (ffffffff88a16ad0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (ffffffff88fe3950) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (ffffffff88801780) (00000001) Stateless verifications (out) (asm)
7: 0 (ffffffff8879cac0) (00000001) fw VM outbound (fw)
8: 2000000 (ffffffff88fa0770) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (ffffffff888e1d20) (00000003) SecureXL outbound (secxl)
10: 15000000 (ffffffff8d3d3b60) (00000001) FG-1 outbound (fg_pol)
11: 18000000 (ffffffff88996100) (00000001) fw record data outbound
12: 1ffffff0 (ffffffff88fc2590) (00000001) l2tp outbound (l2tp)
13: 20000000 (ffffffff88fa1010) (00000003) vpn encrypt (vpn)
14: 24000000 (ffffffff8d2bf960) (00000001) RTM packet out (rtm)
15: 7f000000 (ffffffff887b2790) (00000001) fw accounting outbound (acct)
16: 7f700000 (ffffffff88c365b0) (00000001) TCP streaming post VM (cpas)
17: 7f800000 (ffffffff888002f0) (ffffffff) IP Options Restore (out) (ipopt_res)
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth3.412:o0 (IP Options Strip (out))[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o1 (vpn multik forward out)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o2 (vpn nat outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o3 (TCP streaming (out))[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o4 (passive streaming (out))[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o5 (vpn tagging outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o6 (Stateless verifications (out))[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:o7 (fw VM outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O8 (vpn policy outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O9 (SecureXL outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O10 (FG-1 outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O11 (fw record data outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O12 (l2tp outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O13 (vpn encrypt)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O14 (RTM packet out)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O15 (fw accounting outbound)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O16 (TCP streaming post VM)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O17 (IP Options Restore (out))[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
[vs_0][fw_1] eth3.412:O18 (Chain End)[84]: 172.28.10.2 -> 10.20.20.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=12660 seq=1
Is ping -I [ip of eth3.412] 10.20.20.2 working? Are all networks in the encryption domain? Could you provide a sketch of the setup please?
The VPNs are built under the other firewall, so for this firewall it is normal traffic. Anyway, using the IP as source instead of eth, it's working.
Is this normal?
[Expert@FW1]# ping -I 172.28.10.2 10.20.20.1
[Expert@FW1]# tcpdump -nni eth3.439 host 10.20.20.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3.439, link-type EN10MB (Ethernet), capture size 96 bytes
09:20:28.957779 IP 172.28.10.2 > 10.20.20.1: ICMP echo request, id 65046, seq 47, length 64
09:20:29.957711 IP 172.28.10.2 > 10.20.20.1: ICMP echo request, id 65046, seq 48, length 64
09:20:30.957639 IP 172.28.10.2 > 10.20.20.1: ICMP echo request, id 65046, seq 49, length 64
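Added example, not part of any post in this thread: the first capture shows ARP requests for 10.20.20.2, an address outside the network on eth3.412, which is what a socket bound to a device (ping -I with an interface name) produces when the destination has no route through that device. The script below flags that signature in tcpdump text. The /24 mask, the function name off_link_arp and the third sample line are assumptions made for the example.

```python
import ipaddress
import re

# Sample input: two ARP lines as they appear in the thread's capture, plus one
# constructed on-link request (172.28.10.7) for contrast.
CAPTURE = """\
11:39:17.295162 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:18.295084 arp who-has 10.20.20.2 tell 172.28.10.2
11:39:19.100000 arp who-has 172.28.10.7 tell 172.28.10.2
"""

# Assumption: eth3.412 carries 172.28.10.0/24 (the thread does not show the mask).
LOCAL_NETS = {"172.28.10.2": ipaddress.ip_network("172.28.10.0/24")}

# Matches the old "arp who-has X tell Y" format and the newer
# "ARP, Request who-has X (mac) tell Y, length N" format.
ARP_RE = re.compile(
    r"who-has (\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))? tell (\d+\.\d+\.\d+\.\d+)",
    re.IGNORECASE,
)


def off_link_arp(capture, local_nets):
    """Count ARP requests whose target lies outside the sender's own network.

    Returns {(sender_ip, target_ip): count}. A non-empty result means the host
    is trying to resolve a routed destination at layer 2 on that interface.
    """
    hits = {}
    for line in capture.splitlines():
        match = ARP_RE.search(line)
        if not match:
            continue
        target, sender = match.group(1), match.group(2)
        net = local_nets.get(sender)
        if net is None:
            continue  # sender is not one of our interface addresses
        if ipaddress.ip_address(target) not in net:
            key = (sender, target)
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (sender, target), count in off_link_arp(CAPTURE, LOCAL_NETS).items():
        print(f"{sender} ARPed {count}x for off-link {target}")
```
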