I have seen the "connection contains real IP of NATed address" drops, and accepts immediately followed by anti-spoofing drops, result from routing and topology misconfiguration: the same networks/hosts in the topology groups of different interfaces. Do you have other devices on the Edge's external network that have no problems accessing? Is the network behind the Edge being hide-NATed by the Edge?
-GS

________________________________
From: Sergio Alvarez <[email protected]>
To: [email protected]
Sent: Fri, October 16, 2009 10:33:41 PM
Subject: [FW-1] Traffic dropped unexpectedly by cluster

Hello,

I have this customer that currently has a couple of Nokia boxes working as a VRRP pair and facing the Internet. Behind it there is an MPLS network, and somewhere in that cloud is a VPN-1 Edge box. Traffic coming from the network behind that Edge is able to get to the Internet with no problem, but the customer purchased the filtering services for the Edge and so needs to register it with the Software Service Center, and the Nokia cluster is not allowing it to establish the connection.

When we attempt to contact the Service Center, SmartView Tracker first shows an "accept" log, where the source, destination, service (UDP/9282) and xlate src look OK, then right after that a "drop" log. This time the xlate src is blank, and the "Information" says: "message_info Connection contains real IP of NATed address". Both logs show the inbound interface as the one where the action was taken, so it is not even getting past that first interface kernel.

I did some research in the Check Point SK, but the documents I found make reference to issues in older versions that were solved by HFAs, and the most recent article makes reference to R61 and doesn't seem to be related to our scenario. Currently we have R65 running over IPSO 4.2 on those Nokias.

But the weird stuff doesn't end there. I did some ping tests from the Edge itself, just to be sure whether it had something to do with the particular UDP/9282 traffic, and what I see is that SV Tracker shows first an "accept" log and right after that a "drop" log; on the second, xlate src is blank, the correct destination IP was replaced by the source IP (the one of the Edge box), and since source and destination are the same, now the Information says it was dropped by Anti spoofing.

Again, both logs show the inbound interface as the one where the action was taken, and I have no idea why the firewall is replacing the destination IP with the source IP.

Has anybody seen anything like this before? I'm completely lost here.

Regards
--
Sergio Alvarez
+(506)88301342

Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
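Added example, not part of this thread and not Check Point's code: a small Python correlator that picks out the accept-then-drop pattern Sergio describes (same inbound interface, same source and service, same timestamp) and tags each pair with the drop reason and the two symptoms he reports, a blank xlate src on the drop and a destination rewritten to the source. The semicolon-delimited record layout, the interface name and the addresses are assumptions constructed for the example and only loosely follow SmartView Tracker field names.

```python
# Added example: correlate "accept" records immediately followed by a "drop"
# for the same flow, the pattern described in the thread. The record layout
# below is constructed for this example and is not real exported log output.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LogEntry:
    time: str
    action: str      # "accept" or "drop"
    iface: str       # inbound interface where the action was taken
    src: str
    dst: str
    service: str
    xlate_src: str   # translated (NATed) source; blank when no NAT was applied
    info: str        # free-text reason field


# Constructed sample records (RFC 5737 documentation addresses, hypothetical
# IPSO-style interface name); modelled on the symptoms described in the thread.
SAMPLE_LOG = """\
22:33:41;accept;eth-s1p1c0;10.20.30.5;203.0.113.80;udp/9282;198.51.100.2;
22:33:41;drop;eth-s1p1c0;10.20.30.5;203.0.113.80;udp/9282;;message_info Connection contains real IP of NATed address
22:35:02;accept;eth-s1p1c0;10.20.30.5;203.0.113.90;icmp;198.51.100.2;
22:35:02;drop;eth-s1p1c0;10.20.30.5;10.20.30.5;icmp;;Address spoofing
22:40:10;accept;eth-s1p1c0;10.20.30.6;203.0.113.10;tcp/443;198.51.100.2;
"""


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed semicolon-delimited format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";", 7)   # info is the last field and may contain spaces
        if len(fields) != 8:
            raise ValueError(f"malformed record: {line!r}")
        entries.append(LogEntry(*fields))
    return entries


def classify_drop(entry: LogEntry) -> Optional[str]:
    """Map a drop's info field onto the two failure modes seen in the thread."""
    info = entry.info.lower()
    if "real ip of nated address" in info:
        return "real_ip_of_nated"
    if "spoof" in info:
        return "anti_spoofing"
    return None


def correlate(entries: List[LogEntry]) -> List[Dict[str, object]]:
    """Return one finding per accept that is immediately followed by a drop of
    the same source and service on the same inbound interface at the same time."""
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        same_flow = (prev.action == "accept" and cur.action == "drop"
                     and prev.iface == cur.iface and prev.src == cur.src
                     and prev.service == cur.service and prev.time == cur.time)
        if not same_flow:
            continue
        findings.append({
            "time": cur.time,
            "iface": cur.iface,
            "src": cur.src,
            "service": cur.service,
            "reason": classify_drop(cur),
            # The accept record carried a translated source; the drop record does not.
            "xlate_lost": bool(prev.xlate_src) and not cur.xlate_src,
            # Destination in the drop record now equals the source, the symptom
            # that produced the anti-spoofing drop in the ping test.
            "dst_rewritten_to_src": cur.dst == cur.src and prev.dst != cur.dst,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run over a real export you would first adapt `parse_log` to the exported field order; the correlation itself only needs the action, inbound interface, source, service, translated source and destination of adjacent records, which is exactly what the two symptoms in the thread are visible in.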
