Hi there
My NGX swallows packets without any logging entries.
Let me explain:
The Client is a serial-to-ethernet-box (Lantronix) that is used to connect some barcode-readers to the net. The Server runs a special application that puts the data from the barcode-readers into SAP.
Server (172.16.90.206) ----- FW ----- Client (172.23.8.248)
The Server connects to the boxes to port 10001 using TCP. Then the boxes
use some tcp-keep-alive-mechanism to prevent that the tcp-session closes.
When I sniffed on each side of the FW I found out, that the FW filters the keep-alive-packets.
I then used fw monitor [..] for further debugging and got this:
Shows where the in the module-chain the fwmonitor-module is.
Code:
out chain (15):
0: -7f800000 (f8c84df0) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1ffffff (f9887e80) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (f8d729b0) (00000001) TCP streaming (out) (cpas)
3: - 1ff0000 (f98a8ea0) (00000003) vpn tagging outbound (tagging)
4: - 1f00000 (f8c85f10) (00000001) Stateless verifications (asm)
5: - 1 (f8c5f420) (ffffffff) fwmonitor (IP side)
6: 0 (f8c30510) (00000001) fw VM outbound (fw)
7: 1 (f8c8e060) (00000002) wire VM outbound (wire_vm)
8: 1ffffff (f8c5f420) (ffffffff) fwmonitor (i/f side)
9: 2000000 (f988a220) (00000003) vpn policy outbound (vpn_pol) This shows one of the keep-alive-packets.
Code:
eth7:i1 (vpn decrypt)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea
eth7:I12 (fw SCV inbound)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea
eth6:o5 (fw VM outbound)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea
As you can see, the keep-alive-packet enters the outbound virtual-machine, but get dropped there.
How can i do further investigations, without interrupt the FW (because this is a critical system) ?
Best wishes,
Manuel