VPN - Edge fw ctl chain failure

menz456
2008-03-20, 08:12
We have a site-to-site VPN between a Check Point 380 and an Edge X16 device. The VPN works fine, but remote mgmt to the Edge device fails. Here is the output from fw monitor:
monitor: monitoring (control-C to stop)
eth4c0:i0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i1 (vpn decrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i2 (Stateless verifications)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i3 (vpn tagging inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i4 (vpn decrypt verify)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i5 (SecureXL conn sync)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i6 (fw VM inbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I7 (wire VM inbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I8 (vpn policy inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I9 (SecureXL inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I10 (fw SCV inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I11 (TCP streaming (in))[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I12 (IP Options Restore)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I13 (HA Forwarding)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I14 (Chain End)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o1 (vpn nat outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o2 (TCP streaming (out))[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o3 (vpn tagging outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o4 (Stateless verifications)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o5 (fw VM outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O6 (wire VM outbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O7 (vpn policy outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O8 (SecureXL outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O9 (vpn encrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
FAIL AFTER VPN ENCRYPT BEFORE TCP STREAMING POST VM
eth4c0:i0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i1 (vpn decrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i2 (Stateless verifications)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i3 (vpn tagging inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i4 (vpn decrypt verify)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i5 (SecureXL conn sync)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i6 (fw VM inbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I7 (wire VM inbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I8 (vpn policy inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I9 (SecureXL inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I10 (fw SCV inbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I11 (TCP streaming (in))[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I12 (IP Options Restore)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I13 (HA Forwarding)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I14 (Chain End)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o1 (vpn nat outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o2 (TCP streaming (out))[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o3 (vpn tagging outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o4 (Stateless verifications)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:o5 (fw VM outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O6 (wire VM outbound )[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O7 (vpn policy outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O8 (SecureXL outbound)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O9 (vpn encrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
^C monitor: caught sig 2

You can see that the failure is after the vpn decrypt. Has anyone got any ideas?

Sam
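As an added example (not from the thread, and not a Check Point tool), a small parser for fw monitor output of the form pasted above: it groups capture lines by IP id so the last chain position each packet reached can be read off directly, and it flags SYNs that were retransmitted (same seq under a new IP id) while no packet ever came back the other way. The trace embedded in it is constructed in the thread's format, abridged to a few hops.

```python
"""Reconstruct per-packet paths from Check Point `fw monitor` output (added example, not from the thread).

Groups capture lines by IP id, reports the last chain module each packet reached, and flags
SYNs retransmitted (same seq, new IP id) with nothing ever coming back the other way.
"""
import re
from collections import defaultdict

# One capture line. In the thread's paste the "TCP:" sub-line is run onto the IP line ("id=3229TCP:"),
# so the TCP part is matched as an optional tail; free text before the interface name is skipped.
LINE_RE = re.compile(
    r"(?P<iface>\w+):(?P<pos>[iIoO])(?P<idx>\d+) \((?P<module>.*?)\s*\)\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
    r"(?:\s*TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+) seq=(?P<seq>[0-9a-f]+))?"
)

# Constructed, abridged trace in the thread's format: three hops for the first SYN, two for its retransmit.
SAMPLE = """monitor: monitoring (control-C to stop)
eth4c0:i0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:I14 (Chain End)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O9 (vpn encrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3229TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth4c0:i0 (IP Options Strip)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
eth2c0:O9 (vpn encrypt)[52]: 192.168.123.234 -> 10.196.179.254 (TCP) len=52 id=3248TCP: 3811 -> 981 .S.... seq=2c212e12 ack=00000000
^C monitor: caught sig 2"""

def parse(text):
    """Return ({ip_id: [(iface, pos, module), ...]}, {ip_id: (src, dst, sport, dport, flags, seq)})."""
    hops, meta = defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # banner, ^C and pure annotation lines carry no packet data
            continue
        hops[m["id"]].append((m["iface"], m["pos"], m["module"]))
        if m["seq"]:
            meta[m["id"]] = (m["src"], m["dst"], m["sport"], m["dport"], m["flags"], m["seq"])
    return hops, meta

def last_seen(hops):
    """Last (iface, pos, module) per IP id: the point after which the packet no longer appears in the capture."""
    return {pid: path[-1] for pid, path in hops.items()}

def unanswered_syns(meta):
    """{(src, dst, sport, dport, seq): count} for pure SYNs seen under more than one IP id with no reverse-direction packet."""
    flows = {(s, d, sp, dp) for s, d, sp, dp, _, _ in meta.values()}
    groups = defaultdict(set)
    for pid, (src, dst, sp, dp, flags, seq) in meta.items():
        if "S" in flags and "A" not in flags and (dst, src, dp, sp) not in flows:
            groups[(src, dst, sp, dp, seq)].add(pid)
    return {k: len(v) for k, v in groups.items() if len(v) > 1}
```

Run against the full paste above, both IP ids end at eth2c0:O9 (vpn encrypt) and the same seq appears twice with no return packet, which is the "sent but never answered" pattern rather than a drop inside the inbound chain.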

menz456
2008-06-09, 05:09
In the end the issue was that we had enabled NAT'ing on all nodes instead of just on our cluster node. It turned out that when the traffic was passing through our remote node, this was source NAT'ing the traffic, so it never returned. Once we removed all nodes it was fine.
sam