FW swallows Packets

[baboo]

Hi there

My NGX swallows packets without any logging entries.

Let me explain:

The Client is a serial-to-ethernet-box (Lantronix) that is used to connect some barcode-readers to the net. The Server runs a special application that puts the data from the barcode-readers into SAP.

Server (172.16.90.206) ----- FW ----- Client (172.23.8.248)

The Server connects to the boxes to port 10001 using TCP. Then the boxes
use some tcp-keep-alive-mechanism to prevent that the tcp-session closes.

When I sniffed on each side of the FW I found out, that the FW filters the keep-alive-packets.

I then used fw monitor [..] for further debugging and got this:

Shows where the in the module-chain the fwmonitor-module is.

Code:

out chain (15):
        0: -7f800000 (f8c84df0) (ffffffff) IP Options Strip (ipopt_strip)
        1: - 1ffffff (f9887e80) (00000003) vpn nat outbound (vpn_nat)
        2: - 1fffff0 (f8d729b0) (00000001) TCP streaming (out) (cpas)
        3: - 1ff0000 (f98a8ea0) (00000003) vpn tagging outbound (tagging)
        4: - 1f00000 (f8c85f10) (00000001) Stateless verifications (asm)
        5: -       1 (f8c5f420) (ffffffff) fwmonitor (IP  side)
        6:         0 (f8c30510) (00000001) fw VM outbound (fw)
        7:         1 (f8c8e060) (00000002) wire VM outbound  (wire_vm)
        8:   1ffffff (f8c5f420) (ffffffff) fwmonitor (i/f side)
        9:   2000000 (f988a220) (00000003) vpn policy outbound (vpn_pol)

This shows one of the keep-alive-packets.

Code:

eth7:i1 (vpn decrypt)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea
eth7:I12 (fw SCV inbound)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea
eth6:o5 (fw VM outbound)[41]: 172.23.8.248 -> 172.16.90.206 (TCP) len=41 id=26450
TCP: 10001 -> 3264 ....A. seq=49d9d559 ack=4ce775ea

As you can see, the keep-alive-packet enters the outbound virtual-machine, but get dropped there.

How can i do further investigations, without interrupt the FW (because this is a critical system) ?

Best wishes,
Manuel

[baboo]

Hi folks

It seems that some newer SmartDefense-Patterns fixed this problem.
We did some maintenance between christmas and new year's eve.
We updated the management server from R60 to R62 and updated a cluster which is not in a relation with this problem from R55 to R62. And we updated SmartDefense.
We did not change the cluster that caused this problem! ..but it works now.. for me it must be the the new SmartDefense-Patterns..

What do you guys think?

Can a newer version on the management server cause a firewall to not drop keep-alives anymore ?

hmm... BOFH woud say "CPU needs recalibration".. ;)

Maenu

[northlandboy]

Quote:

Originally Posted by baboo

Can a newer version on the management server cause a firewall to not drop keep-alives anymore ?

Yes, possibly it can. Different inspect code will be compiled and installed on the module afterall.