CPUG: The Check Point User Group


Thread: One side of one interface never appears in FW Monitor

  1. #1
    Join Date
    2011-03-28
    Posts
    6
    Rep Power
    0

    One side of one interface never appears in FW Monitor

    We've been trying to diagnose a problem with massive retransmits and duplicate ACKs going through the firewall from several different locations which is bogging our 12600 cluster down. Everything in the problem smells like a routing loop, but we can't find one. Today I did find something very strange, though. With a source OR destination of one specific subnet, one side of one interface never registers in FW Monitor. Like this...

    Computer A is in the subnet in question.

    Computer B > i intB I > o intA (no O packet) > Computer A.
    And, in reverse, Computer A > (no i packet) intA I > o intB O > Computer B.

    Now what's interesting is that any other subnets that are behind the same interfaces don't have this problem. All i's, I's, o's, O's show up fine.
    Any thoughts what might cause this? We're hoping it ties into our retransmits problem, but who knows?

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: One side of one interface never appears in FW Monitor

    Quote Originally Posted by kmccubbin
    We've been trying to diagnose a problem with massive retransmits and duplicate ACKs going through the firewall from several different locations which is bogging our 12600 cluster down. Everything in the problem smells like a routing loop, but we can't find one. Today I did find something very strange, though. With a source OR destination of one specific subnet, one side of one interface never registers in FW Monitor. Like this...

    Computer A is in the subnet in question.

    Computer B > i intB I > o intA (no O packet) > Computer A.
    And, in reverse, Computer A > (no i packet) intA I > o intB O > Computer B.

    Now what's interesting is that any other subnets that are behind the same interfaces don't have this problem. All i's, I's, o's, O's show up fine.
    Any thoughts what might cause this? We're hoping it ties into our retransmits problem, but who knows?
    Do you have SecureXL disabled? fw monitor can't really be trusted with it enabled.

  3. #3
    Join Date
    2011-03-28
    Posts
    6
    Rep Power
    0

    Re: One side of one interface never appears in FW Monitor

    Quote Originally Posted by jflemingeds
    Do you have SecureXL disabled? fw monitor can't really be trusted with it enabled.
    Yes. I made sure to disable it.

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: One side of one interface never appears in FW Monitor

    Quote Originally Posted by kmccubbin
    Yes. I made sure to disable it.
    Anything odd showing up with fw ctl zdebug drop?

    Do you see the traffic with tcpdump in/out on the interfaces you are expecting?

  5. #5
    Join Date
    2011-03-28
    Posts
    6
    Rep Power
    0

    Re: One side of one interface never appears in FW Monitor

    Ok, I'm a goof. The traffic between those two networks is encrypted. Makes sense that the VPN tunnel is established before it leaves the interface. Even though I built the tunnel, someone had to point it out to me. :)
    Back to the drawing board trying to figure out why we see something like 1000 times the duplicate ACKs and retransmits when doing TCPDumps on the firewall gateway than what we see at either end of the transaction on the computers.
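
Added example, not written by any poster in this thread: a Python script that groups fw monitor output by source/destination pair and lists which of the four inspection points (i, I, o, O) never appear, which is the symptom from the first post that post #5 attributes to the traffic being VPN-encrypted. The line layout matched by the regex, the interface names (eth1 for intA, eth2 for intB) and all addresses are assumptions, and the sample capture is constructed.

```python
import re
from collections import defaultdict

# Assumed fw monitor line layout: "<ifname>:<point>[<len>]: <src> -> <dst> (<proto>) ..."
LINE = re.compile(
    r"(?P<ifc>[\w.\-]+):(?P<pt>[iIoO])\s*\[\d+\]:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)
ALL_POINTS = "iIoO"  # pre-in, post-in, pre-out, post-out

# Constructed sample: B=10.2.0.20 (behind eth2), A=10.1.0.10 and C=10.3.0.30 (behind eth1)
SAMPLE = """\
eth2:i[60]: 10.2.0.20 -> 10.1.0.10 (TCP) len=60 id=4101
eth2:I[60]: 10.2.0.20 -> 10.1.0.10 (TCP) len=60 id=4101
eth1:o[60]: 10.2.0.20 -> 10.1.0.10 (TCP) len=60 id=4101
eth1:I[60]: 10.1.0.10 -> 10.2.0.20 (TCP) len=60 id=977
eth2:o[60]: 10.1.0.10 -> 10.2.0.20 (TCP) len=60 id=977
eth2:O[60]: 10.1.0.10 -> 10.2.0.20 (TCP) len=60 id=977
eth2:i[60]: 10.2.0.20 -> 10.3.0.30 (TCP) len=60 id=4102
eth2:I[60]: 10.2.0.20 -> 10.3.0.30 (TCP) len=60 id=4102
eth1:o[60]: 10.2.0.20 -> 10.3.0.30 (TCP) len=60 id=4102
eth1:O[60]: 10.2.0.20 -> 10.3.0.30 (TCP) len=60 id=4102
"""

def missing_points(capture_text):
    """Map each (src, dst) pair to the inspection points never seen for it."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if m:  # lines that are not packet headers (e.g. TCP detail lines) are skipped
            seen[(m["src"], m["dst"])].add(m["pt"])
    return {flow: [p for p in ALL_POINTS if p not in pts]
            for flow, pts in seen.items()}

def report(capture_text):
    """Return one human-readable line per flow, flagging incomplete chains."""
    lines = []
    for (src, dst), gaps in sorted(missing_points(capture_text).items()):
        status = "complete" if not gaps else "missing " + ",".join(gaps)
        lines.append(f"{src} -> {dst}: {status}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A pair with a gap is a prompt to check whether that traffic matches a VPN community before treating the gap as packet loss or a routing problem.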
