logs not generating on one gateway

[nazim]

Hi Everyone ,

I have a query I am not able to generate logs on one of my gateway firewall in smart center , where as others I am able to generate .
If any one has faced this kind of problem , do let me know the solution.

[Joncon]

Nazim,

what is your configuration centralised or distributed? If distributed ensure you have configured the logs and masters settings for the GW correctly on the object.

[nazim]

Hi Jon,

I have a centralised architecture ...

[northlandboy]

Is the module logging locally instead? Is $FWDIR/log/fw.log on the module growing?

Is tcp/257 connectivity from the module through to the management all working OK? Can you test it?

Are you doing any NAT of the mgmt server?

Sometimes firewalls will stop logging when the mgmt server is down, then fail to resume logging when it comes back up again. If that might be the case, try defining a dummy log server object, configure the module to use that for logging, push policy, then change it back to the correct settings and push policy again.

[nazim]

Hi,
can u tell me how to check tcp/257 connectivity betn module and mgmt server?

Quote:

Originally Posted by northlandboy

Is the module logging locally instead? Is $FWDIR/log/fw.log on the module growing?

Is tcp/257 connectivity from the module through to the management all working OK? Can you test it?

Are you doing any NAT of the mgmt server?

Sometimes firewalls will stop logging when the mgmt server is down, then fail to resume logging when it comes back up again. If that might be the case, try defining a dummy log server object, configure the module to use that for logging, push policy, then change it back to the correct settings and push policy again.

[northlandboy]

Exactly the same way you check any TCP connectivity.

Log on to the source node, in this case the gateway. telnet <mgmt IP> 257
If that connects, then connectivity is OK. If it doesn't, then you've got either a firewalling or routing issue, and will need to debug this the same as you would any other connectivity issue.

[nazim]

Hi ,

I am on the gateway and it says no such command found - telnet .
Its a secure platform

[northlandboy]

ah yes, telnet is not included by default on SPLAT. No nc either. Very silly. You can always install it.

Try looking on the wire with fw monitor or tcpdump, see if there is any traffic being generated.

Have you looked at/tried any of the other things suggested?

[nazim]

Yes I tried other things as you said ..

Also I have not Natted on the management server ....but when i run fwunload local command its shows the log for some time and then again it
disappears ..

also the port 257 is not blocked on my link router ..

[northlandboy]

So what were the results of the other tests?

Is $FWDIR/log/fw.log growing?

Do you see traffic between mgmt and gateway?

[nazim]

I cant figure out whether the log file is growing or not..??
but how do i make out tht its growing ...

As the logs are not shown on management server i doubt ..whether its bein growing on local gateway..//

[northlandboy]

Well, the method I normally do is this:
cd $FWDIR/log
ls -l fw.log

wait a few minutes

ls -l fw.log

Has the file gotten any bigger?

Normally it logs only to the management server. In the event it cannot connect to the management server, it will log locally instead. So if you are not receiving logs on the management server, it is perfectly logical that you would see the file growing on the gateway. Conversely, if you were receiving logs on the management server, then it would not be growing on the module.

[nazim]

Yes , YOu are rite I can see the logs growing on the module by doing ls -l fw.log . Tht means it is not communicating with Management server .

But I dont find any reason as why it is not communcating , else everything is working , I am able to push the policy as well ..

Do help me out





cd $FWDIR/log
ls -l fw.log

wait a few minutes

ls -l fw.log

Has the file gotten any bigger?

Normally it logs only to the management server. In the event it cannot connect to the management server, it will log locally instead. So if you are not receiving logs on the management server, it is perfectly logical that you would see the file growing on the gateway. Conversely, if you were receiving logs on the management server, then it would not be growing on the module.[/quote]

[northlandboy]

Did this stop working around the time you made a change of any sort either on that firewall, or any network device between the mgmt and the gateway?

Have you tried the last suggestion in the first reply I made (dummy log server object)? I'm trying to help, but it would make life easier if you went through and tried ALL suggestions, not just one, AND told us the results of those tests.

How about looking at the traffic on the wire, to see if there is any tcp/257 traffic at all?

How about putting a telnet binary on the SPLAT box, and testing tcp/257 connectivity?

You're not making things any easier by giving us limited information, and by not trying out suggested things (or at least not reported results). Remember that all we have to go on is the information you provide here. We don't know your network, or any other steps that you may have been through, unless you tell us.

[nazim]

HI .. see on the gateway when i do cpstop and cpstart the logs started generating on the management server , but later on it gave me an

error on gateway : tcp connectivity failure port 18191 error 10 ' .
then the logs stop generating again .

also I cannot have a dummy log server due to management issues in my organisation .

I saw traffic usin tcpdump and fwmonitor but I am not able to see any communication betwn gateway and server using tcp/257 .

I hope the error cud give u some reasoning as to wht is wrong .


I cant install anything as of now due to audits goin on.







Have you tried the last suggestion in the first reply I made (dummy log server object)? I'm trying to help, but it would make life easier if you went through and tried ALL suggestions, not just one, AND told us the results of those tests.

How about looking at the traffic on the wire, to see if there is any tcp/257 traffic at all?

How about putting a telnet binary on the SPLAT box, and testing tcp/257 connectivity?

You're not making things any easier by giving us limited information, and by not trying out suggested things (or at least not reported results). Remember that all we have to go on is the information you provide here. We don't know your network, or any other steps that you may have been through, unless you tell us.[/quote]

[thebuffman]

I am having this same issue with one of the members of my cluster, the master. It is no longer logging to the management server. The 2nd/backup enforcement module is logging just fine.

tcpdump information looks good:
10:28:02.013255 O 10.0.6.253.1664 > 10.0.6.251.257: . ack 51002942 win 16384
10:28:02.013614 O 10.0.6.253.1664 > 10.0.6.251.257: P 0:4(4) ack 1 win 16384
10:28:02.013911 O 10.0.6.253.1664 > 10.0.6.251.257: P 4:8(4) ack 1 win 16384
10:28:02.048055 O 10.0.6.253.1664 > 10.0.6.251.257: P 8:43(35) ack 5 win 16384
10:28:02.111549 O 10.0.6.253.1664 > 10.0.6.251.257: . ack 37 win 16384
10:28:02.125308 O 10.0.6.253.1664 > 10.0.6.251.257: P 43:53(10) ack 51 win 16384
10:28:02.158304 O 10.0.6.253.1664 > 10.0.6.251.257: P 53:168(115) ack 51 win 16384
10:28:02.161214 O 10.0.6.253.1664 > 10.0.6.251.257: P 168:254(86) ack 90 win 16384
10:28:02.162233 O 10.0.6.253.1664 > 10.0.6.251.257: P 254:305(51) ack 220 win 16384
10:28:02.198183 O 10.0.6.253.1664 > 10.0.6.251.257: P 305:526(221) ack 220 win 16384
10:28:02.200192 O 10.0.6.253.1664 > 10.0.6.251.257: P 526:619(93) ack 313 win 16384
10:28:02.200803 O 10.0.6.253.1664 > 10.0.6.251.257: . ack 343 win 16355
10:28:02.201442 O 10.0.6.253.1664 > 10.0.6.251.257: F 619:619(0) ack 343 win 16384

Nokia support has been assisting but nothing is working. I've created a temporary logging object and made it the sole log server for the Master, pushed policy, removed the object, validated that the management server was once again the log server, pushed policy. Still logging locally. I don't want to perform cpstop if I don't have too because this is the most important site within our company and people go crazy about connections being down. I am also concerned because the sync link between the cluster members shows one up and the other down as opposed to both being up. So connectivity will definitely be reset should I bounce this thing.

Any ideas?

[dantro]

Hi,

is your SmartCenter Server translated to an external address via StaticNAT? Where is your firewall gateway located at?

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+

[thebuffman]

Quote:

Originally Posted by dantro

Hi,

is your SmartCenter Server translated to an external address via StaticNAT? Where is your firewall gateway located at?

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+

The SmartCenter Server is located in the server room with the cluster. They are on the same 10.0.6.x subnet. I've tried everything too. I can't seem to jar the Master into sending logs back to the management server. Looks like I will have to reboot this thing and because the cluster sync connection is down, the connections fail-over will fail.

*sheeesh*

[thebuffman]

Rebooting fixed the issue. I guess the TCP stack had to be rebuilt.