Dear colleagues!

I'm in the middle of quite a weird troubleshooting session and would really
appreciate any help to get this resolved.

We are running IPSO 4.1b033 and CP NGX R60 HFA04 in a VRRP cluster. 

The scenario is as follows:

1. User authenticates successfully through client-authentication.
2. User opens a VPN-connection (Cisco VPN client) to the internal network.

When looking at the connections in SmartView Tracker everything seems to be
green (accepted), but the connections are not working. Here comes the weird
thing...
The firewall is dropping return packets as if they were new connections. The user
information has also disappeared from the dropped return packets, as if the
whole session had been terminated somehow. All the traffic is supposed to be
hidden behind the firewall's external IP (192.100.x.x).

What on earth is going on here... Let me confuse you a little bit more by
saying that the connections work sometimes (very slowly indeed), but most
of the time they don't.

Here's some tracking info...

Number:                        6089199
Date:                          7Feb2008
Time:                          11:41:35
Product:                       VPN-1 Pro/Express
Interface:                     eth-s1p3c1
Origin:                        fw1 (192.168.77.116)
Type:                          Log
Action:                        Accept
Protocol:                      udp
Service:                       UDP_4500 (4500)
Source:                        10.183.146.25
Destination:                   15.195.xx.xx
Rule:                          36
NAT rule number:               27
NAT additional rule number:    0
Source Port:                   UDP_4500 (4500)
User:                          [I removed the user name]
XlateSrc:                      fw1_cluster(192.100.xx.xx)
XlateSPort:                    50357
Information:                   rule_uid: {572D8CDE-627C-4D64-A495-7E0470E4AC49}
                               service_id: UDP_4500
                               normalized_rule_num: 36-es-rules

Number:                        6097242
Date:                          7Feb2008
Time:                          11:41:57
Product:                       VPN-1 Pro/Express
Interface:                     eth-s2p1c0
Origin:                        fw1 (192.168.xx.xx)
Type:                          Log
Action:                        Drop
Protocol:                      udp
Service:                       49534
Source:                        15.195.xx.xx
Destination:                   fw1_cluster (192.100.xx.xx)
Rule:                          178
Source Port:                   UDP_4500 (4500)
Information:                   rule_uid: {D67DCC20-6EA8-4EAB-BC8B-1E20C0E38DFF}
                               normalized_rule_num: 178-es-rules


Here is the fw monitor output for the traffic:

Feb  8 08:29:02 fw1 [LOG_CRIT] kernel: FW-1: monitor filter loaded
 monitor: monitoring (control-C to stop)
eth-s1p3c1:i[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s1p3c1:I[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s2p1c0:o[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s2p1c0:O[340]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 11759 -> 500
eth-s2p1c0:i[176]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=176 id=26684
UDP: 500 -> 11759
eth-s2p1c0:I[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:o[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:O[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:i[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s1p3c1:I[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:o[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:O[3620]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 11764 -> 4500
eth-s2p1c0:i[3628]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 11764
eth-s2p1c0:I[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:o[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:O[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:i[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s1p3c1:I[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=128 id=566
UDP: 4500 -> 11764
^C monitor: caught sig 2
 monitor: unloading

Your help is appreciated, thanks a lot in advance!


-lari-


Lari Luoma
Senior Network Security Specialist
Mainframe Consulting Oy
[EMAIL PROTECTED]
+358-45-6576820
www.mainframe.fi
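As an added example (not part of Lari's post or of any Check Point tool), here is a small Python parser for fw monitor output in the format shown above. It pairs the o/O records of the same packet id to learn the hide-NAT translations and lists inbound packets that were seen at i (before inbound inspection) but never at I (after it), i.e. dropped in the inbound chain, noting whether their destination port is a translation the capture actually learned. The sample capture and its addresses are constructed placeholders, not the poster's hosts.

```python
import re

# Constructed sample in fw monitor's format, modelled on the post's capture (placeholder addresses).
SAMPLE = """\
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.1.1 (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.1.1 -> 15.195.1.1 (UDP) len=432 id=35018
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 15.195.1.1 -> 192.100.1.1 (UDP) len=128 id=27473
UDP: 4500 -> 12340
eth-s2p1c0:I[128]: 15.195.1.1 -> 10.183.146.26 (UDP) len=128 id=27473
UDP: 4500 -> 4500
eth-s2p1c0:i[128]: 15.195.1.1 -> 192.100.1.1 (UDP) len=128 id=566
UDP: 4500 -> 11764
"""

# Header line: interface, inspection point (i/I/o/O), src, dst, IP id.
HDR = re.compile(r"^(\S+):([iIoO])\[\d+\]: (\S+) -> (\S+) \(\w+\).*\bid=(\d+)")
# Port line that follows each header: "UDP: sport -> dport".
PORTS = re.compile(r"^\w+: (\d+) -> (\d+)")

def parse(text):
    """One record per packet header; the next 'UDP: a -> b' line supplies the ports."""
    recs, prev = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            prev = dict(zip(("iface", "point", "src", "dst", "id"), m.groups()))
            recs.append(prev)
        elif prev is not None and (p := PORTS.match(line)):
            prev["sport"], prev["dport"] = int(p.group(1)), int(p.group(2))
    return recs

def hide_nat_map(recs):
    """Pair 'o' (pre-NAT) and 'O' (post-NAT) records of one packet id to learn translations."""
    pre = {(r["iface"], r["id"]): r for r in recs if r["point"] == "o"}
    nat = {}
    for r in recs:
        if r["point"] == "O" and (r["iface"], r["id"]) in pre:
            o = pre[(r["iface"], r["id"])]
            nat[(r["src"], r["sport"], r["dst"])] = (o["src"], o["sport"])  # (xlate src, xlate port, peer) -> (orig src, orig port)
    return nat

def inbound_dropped(recs):
    """Inbound packets seen at 'i' with no matching 'I' never passed inbound inspection."""
    passed = {(r["iface"], r["id"]) for r in recs if r["point"] == "I"}
    nat, out = hide_nat_map(recs), []
    for r in recs:
        if r["point"] == "i" and (r["iface"], r["id"]) not in passed:
            known = (r["dst"], r["dport"], r["src"]) in nat  # does the return port match a learned translation?
            out.append((r["id"], r["dport"], known))
    return out
```

Run against a real capture, a dropped return packet whose port is not in the learned map points at the hide-NAT reverse lookup rather than the rulebase, which is the distinction the two Tracker entries above leave open.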