Firewall-1

Re: [FW-1] Cannot connect until after ping (almost done!)

Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
From: "Cecoban, S. A. de C. V. - Romey Valadez" <rvaladez AT CECOBAN.ORG DOT MX>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 28 Oct 2004 21:15:46 -0500
Check in your switch, because for some reason the switch is not passing some 
MACs. Maybe the port on some clients is in blocking state, or the port settings 
are causing some problem.

For testing, try to apply static MACs between the client (router's MAC entry) 
and router (client's MAC entry), and between the firewall (router's MAC entry) and 
router (firewall's MAC entry) too.


Regards,
Romey Valadez



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Erik
Widholm
Sent: Thursday, 28 October 2004 07:29 p.m.
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cannot connect until after ping (almost done!)


It's not in HA or LB mode, however, we will try the static arp entry issue.

However, that still doesn't account for the issue of the client's
original MAC also being present in the packet, which is the
cause of the whole problem.

The failing packets contain:
src: client MAC
dst: client's def route MAC

Once a ping is issued, the pings and subsequent TCP packets contain:
src: router's exiting MAC
dst: FW1's MAC

That is what is so baffling. It's almost like there's something on
the network rewriting the router's ARP table every 2-3 minutes, but
only for certain client/destination pairs.

For instance, the same client, while having the above symptoms to
site_1, can access site_2 just fine. Furthermore, site_1 is easily
accessible by a second client, after which site_1 is accessible for a
few minutes by the first client.

The second client never experiences this issue with this destination,
but may with a totally different destination than the first client has
issue.

It's really odd.



On Thu, 28 Oct 2004 16:12:01 -0500, Cecoban, S. A. de C. V. - Romey
Valadez <rvaladez AT cecoban.org DOT mx> wrote:
> Is your firewall in load-sharing mode? If this is your case, try to set a static 
> ARP entry in your router pointing to the firewall's virtual interface.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Erik A.
> Widholm
> Sent: Thursday, 28 October 2004 08:07 a.m.
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
>
> Sending the ping isn't the problem.
>
> What we're finding as we're digging into the packets is that some clients, 
> when they connect to some hosts (not really a 1-for-1 matchup), maintain their 
> source MAC and their router interface MAC on the packet all the way to the 
> firewall.
>
> Well, it doesn't match the firewall's MAC address, so it just drops it.
>
> we're looking at this as a ROUTER issue now instead.
>
> We've turned off VRRP (the address that was bogusly showing up)
> We've cleaned ARP cache on all parties involved
> We're still having the same issue.
>
> I don't think this is a FW1 issue any more.
>
> THANK YOU EVERYONE FOR YOUR HELP! I'll let you know what we find! :-)
>
> ----- Original Message -----
> From: Dahl-Stamnes Jørn <Jorn.Dahl-Stamnes AT EDB DOT COM>
> Date: Thursday, October 28, 2004 0:35 am
> Subject: Re: [FW-1] Cannot connect until after ping
>
> > This is probably not a problem on your FW. It's on your client
> > trying to do the HTTP connection.
> > I have seen this on several HP-UX boxes. They always seem to send
> > an ICMP packet before they start other sessions.
> >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf
> > > Of Erik A.
> > > Widholm
> > > Sent: 27. oktober 2004 14:31
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] Cannot connect until after ping
> > >
> > >
> > > Additional details:
> > >
> > >
> > > The switch's perspective (monitor port, using Ethereal 0.10.7):
> > >   1   0.00000 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > >   2   2.99032 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > >   3   5.93445 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > >   4  20.52164 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >   5   3.01498 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >   6   5.26413 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > >   7   0.00000 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > >   8   0.77089 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >   9   0.00082 portfolio.moody.edu -> 66.185.250.1 HTTP R port=2531
> > >  10   0.00015 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >
> > > FW1's perspective (fw monitor):
> > >   1   0.00000 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > >   2   0.00011 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > >   3   0.00001 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > >   4   0.00002 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > >   5   0.00046 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > >   6   0.00003 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > >   7   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > >   8   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > >   9   0.77262 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >  10   0.00019 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >
> > > You will notice that FW1 doesn't even see the connection
> > > until after the ICMP has started! Look at the port numbers of
> > > the http request...
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
> > >
> >
>
>


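The thread's two observations (frames reaching the firewall segment still carrying the client's MAC and the client's gateway MAC, so the firewall never processes them until a ping "fixes" the flow; and the router's ARP entry apparently flipping every few minutes) can both be checked mechanically from a capture and from successive ARP-table dumps. The script below is an added example, not code from the thread or from Check Point; all MAC and IP addresses, the frame list and the ARP snapshots are constructed to mirror the symptom described, and the firewall-side drop is modelled as a NIC discarding unicast frames not addressed to it (which is the behaviour of a non-promiscuous interface, independent of the FW-1 rulebase).

```python
"""Classify frames on a firewall segment by their Ethernet header and detect
ARP-mapping churn between successive router ARP-table snapshots.

Added example; addresses and captures below are constructed, not real data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since start of capture
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "TCP" or "ICMP"


# Hypothetical addresses; only the roles matter.
FW_MAC = "00:a0:8e:00:00:01"          # firewall interface on the inside segment
ROUTER_MAC = "00:0c:29:00:00:02"      # router interface facing the firewall
CLIENT_GW_MAC = "00:0c:29:00:00:03"   # router interface facing the client
CLIENT_MAC = "00:11:22:33:44:55"
STALE_MAC = "00:00:5e:00:01:0a"       # a MAC that should no longer own FW_IP
FW_IP = "192.0.2.1"                   # TEST-NET addresses, constructed
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"

# Constructed capture: three SYNs arrive with the client's MAC as source and the
# client's gateway MAC as destination (router never rewrote the L2 header);
# after the echo request, frames carry router MAC -> firewall MAC as expected.
FRAMES = [
    Frame(0.000, CLIENT_MAC, CLIENT_GW_MAC, CLIENT_IP, SERVER_IP, "TCP"),
    Frame(2.990, CLIENT_MAC, CLIENT_GW_MAC, CLIENT_IP, SERVER_IP, "TCP"),
    Frame(5.934, CLIENT_MAC, CLIENT_GW_MAC, CLIENT_IP, SERVER_IP, "TCP"),
    Frame(11.198, ROUTER_MAC, FW_MAC, CLIENT_IP, SERVER_IP, "ICMP"),
    Frame(11.969, ROUTER_MAC, FW_MAC, CLIENT_IP, SERVER_IP, "TCP"),
    Frame(11.970, ROUTER_MAC, FW_MAC, CLIENT_IP, SERVER_IP, "TCP"),
]

# Constructed router ARP-table snapshots: (time, {ip: mac}). The firewall's
# entry flips to a stale MAC and back at 150 s intervals.
ARP_SNAPSHOTS: List[Tuple[float, Dict[str, str]]] = [
    (0.0, {FW_IP: FW_MAC, CLIENT_IP: CLIENT_MAC}),
    (150.0, {FW_IP: STALE_MAC, CLIENT_IP: CLIENT_MAC}),
    (300.0, {FW_IP: FW_MAC, CLIENT_IP: CLIENT_MAC}),
]


def classify_frame(frame: Frame, fw_mac: str, router_macs: Set[str]) -> str:
    """Return 'ok' if the firewall's stack would process the frame, else why not.
    A non-promiscuous NIC silently drops unicast frames not addressed to it, so
    such frames never reach FW-1's inspection at all."""
    if frame.dst_mac.lower() != fw_mac.lower():
        return "not_for_firewall"
    if frame.src_mac.lower() not in {m.lower() for m in router_macs}:
        return "unexpected_src"
    return "ok"


def audit_flows(frames: List[Frame], fw_mac: str, router_macs: Set[str]) -> Dict[tuple, dict]:
    """Per (src_ip, dst_ip) flow: class counts, how many undeliverable frames
    preceded the first deliverable one, and whether that first deliverable
    frame was ICMP (the 'only works after a ping' pattern)."""
    flows: Dict[tuple, dict] = defaultdict(
        lambda: {"counts": Counter(), "stale_before_ok": 0, "first_ok_proto": None})
    for f in sorted(frames, key=lambda x: x.ts):
        st = flows[(f.src_ip, f.dst_ip)]
        cls = classify_frame(f, fw_mac, router_macs)
        st["counts"][cls] += 1
        if st["first_ok_proto"] is None:
            if cls == "ok":
                st["first_ok_proto"] = f.proto
            else:
                st["stale_before_ok"] += 1
    for st in flows.values():
        st["works_after_ping"] = st["stale_before_ok"] > 0 and st["first_ok_proto"] == "ICMP"
    return dict(flows)


def arp_flips(snapshots: List[Tuple[float, Dict[str, str]]]) -> List[Tuple[str, str, str, float]]:
    """Compare successive ARP snapshots and list (ip, old_mac, new_mac, seconds)
    for every entry whose MAC changed. An IP flapping between two MACs is the
    same signature an ARP-poisoning host produces while fighting the legitimate
    owner, so confirm the flapping MACs against the switch's MAC table before
    concluding it is a router or switch fault."""
    flips = []
    prev_ts, prev = snapshots[0]
    for ts, table in snapshots[1:]:
        for ip, mac in table.items():
            old = prev.get(ip)
            if old is not None and old.lower() != mac.lower():
                flips.append((ip, old, mac, ts - prev_ts))
        prev_ts, prev = ts, table
    return flips


if __name__ == "__main__":
    for flow, st in audit_flows(FRAMES, FW_MAC, {ROUTER_MAC}).items():
        print(flow, dict(st["counts"]), "works_after_ping=%s" % st["works_after_ping"])
    for ip, old, new, dt in arp_flips(ARP_SNAPSHOTS):
        print("ARP flip %s: %s -> %s after %.0f s" % (ip, old, new, dt))
```

To use it on a real capture, replace FRAMES with frames decoded from a capture taken on the firewall's own interface (not the switch monitor port, which sees frames the firewall NIC discards) and ARP_SNAPSHOTS with periodic dumps of the router's ARP table. The "static MACs" suggested in the thread would stop the flapping, but they also hide its cause, so record the flips first.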