I have not been able to figure out how your n/w is configured, but I could
suggest a few things you could look into:
1. You mention the packets' MAC being written by the router; check for
ICMP redirects being enabled / disabled on the router interface.
2. On Linux-based systems we have the wake-on-LAN problem wherein, unless an ARP
broadcast packet is received for its IP, it does not respond. Once it starts to
respond it continues for a period specified on the Linux box.
3. Check the ARP timeout period on the router; is it too low?
Regards,
Tinu Koshy
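As an added illustration of the frame-addressing symptom discussed further down the thread (failing packets reach the firewall still carrying the client's source MAC and the router's MAC as destination, so the firewall never sees them), here is a small checker that walks captured Ethernet frames and reports which IPv4 flows are not addressed to the firewall's own MAC. This is example code, not from any list member; all MAC and IP values are constructed placeholders.

```python
# Added example, not from the thread: find IPv4 frames on the firewall's segment
# whose destination MAC is not the firewall's (the NIC drops these before FW-1
# ever inspects them). All MAC and IP values are constructed placeholders.
import socket
import struct
from collections import defaultdict

FW_MAC = bytes.fromhex("00a0c9112233")      # constructed: firewall interface
ROUTER_MAC = bytes.fromhex("00107baabbcc")  # constructed: client's default route
CLIENT_MAC = bytes.fromhex("0004761a2b3c")  # constructed: client

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                proto: int) -> bytes:
    """Build a minimal Ethernet II + IPv4 header (no payload) for the sample."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_hdr

def parse_frame(raw: bytes):
    """Return (dst_mac, src_mac, src_ip, dst_ip, proto), or None if not IPv4."""
    if len(raw) < 34:
        return None
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype != 0x0800:
        return None
    # IPv4 header starts at offset 14: protocol at +9, src at +12, dst at +16.
    sip, dip = socket.inet_ntoa(raw[26:30]), socket.inet_ntoa(raw[30:34])
    return dst, src, sip, dip, raw[23]

def misaddressed_flows(frames, fw_mac: bytes = FW_MAC):
    """Group IPv4 frames by (src_ip, dst_ip); return flows addressed to a MAC
    other than fw_mac, with the (src MAC, dst MAC) pairs seen for each."""
    bad = defaultdict(set)
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        dst, src, sip, dip, _proto = parsed
        if dst != fw_mac:
            bad[(sip, dip)].add((fmt_mac(src), fmt_mac(dst)))
    return {flow: sorted(pairs) for flow, pairs in bad.items()}

# Constructed capture: one flow stuck with client MAC -> router MAC (the failing
# case) and one flow correctly re-addressed router MAC -> firewall MAC (ICMP).
SAMPLE = [
    build_frame(ROUTER_MAC, CLIENT_MAC, "192.0.2.10", "198.51.100.5", 6),
    build_frame(ROUTER_MAC, CLIENT_MAC, "192.0.2.10", "198.51.100.5", 6),
    build_frame(FW_MAC, ROUTER_MAC, "192.0.2.11", "198.51.100.7", 1),
]
```

Running misaddressed_flows(SAMPLE) returns only the 192.0.2.10 -> 198.51.100.5 flow, tagged with the client/router MAC pair, which is the pattern to look for in a monitor-port capture when fw monitor shows nothing.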
-----Original Message-----
From: Cecoban, S. A. de C. V. - Romey Valadez
[mailto:rvaladez AT CECOBAN.ORG DOT MX]
Sent: 29 October 2004 03:16
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
Check your switch, because for some reason the switch is not passing some
MACs; maybe the port on some clients is in blocking state or the port settings
are causing some problem.
For testing try to apply static MACs between the client (router's MAC entry)
and router(client's MAC entry), and Firewall(router's MAC entry) and
router(Firewall's MAC entry) too.
Regards,
Romey Valadez
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Erik
Widholm
Sent: Thursday, 28 October 2004 07:29 p.m.
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
It's not in HA or LB mode, however, we will try the static arp entry issue.
However, that still doesn't care for the issue of the client's
original MAC also being present in the packet, which is what is the
cause of the whole problem.
The failing packets contain:
src: client MAC
dst: client's def route MAC
Once a ping is issued, the pings and subsequent TCP packets contain:
src: router's exiting MAC
dst: FW1's MAC
That is what is so baffling... It's almost like there's something on
the network rewriting the router's arp table every 2-3 minutes, but
only for certain client/dest pairs.
For instance, the same client, while having the above symptoms to
site_1, can access site_2 just fine. Furthermore, site_1 is easily
accessible by a second client, after which site_1 is accessible for a
few minutes by the first client.
The second client never experiences this issue with this destination,
but may with a totally different destination than the first client has
issue.
It's really odd.....
On Thu, 28 Oct 2004 16:12:01 -0500, Cecoban, S. A. de C. V. - Romey
Valadez <rvaladez AT cecoban.org DOT mx> wrote:
> Is your firewall in Load Sharing mode? If this is your case, try to set a static
> ARP entry in your router to point to the firewall's virtual interface.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Erik A.
> Widholm
> Sent: Thursday, 28 October 2004 08:07 a.m.
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
>
> Sending the ping isn't the problem.
>
> What we're finding as we're digging into the packets is that some clients
> when they connect to some hosts (not really a 1 for 1 matchup) maintain their
> source MAC and their router interface MAC on the packet all the way to the
> firewall.
>
> Well, it doesn't match the firewall's MAC address, so it just drops it.
>
> we're looking at this as a ROUTER issue now instead.
>
> We've turned off VRRP (the address that was bogusly showing up)
> We've cleaned ARP cache on all parties involved
> We're still having the same issue.
>
> I don't think this is a FW1 issue any more.
>
> THANK YOU EVERYONE FOR YOUR HELP! I'll let you know what we find! :-)
>
> ----- Original Message -----
> From: Dahl-Stamnes Jørn <Jorn.Dahl-Stamnes AT EDB DOT COM>
> Date: Thursday, October 28, 2004 0:35 am
> Subject: Re: [FW-1] Cannot connect until after ping
>
> > This is probably not a problem on your FW. It's on your client
> > trying to do the HTTP connection.
> > I have seen this on several HP-UX boxes. They always seem to send
> > an ICMP packet before they start other sessions.
> >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf
> > > Of Erik A.
> > > Widholm
> > > Sent: 27 October 2004 14:31
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] Cannot connect until after ping
> > >
> > >
> > > Additional details:
> > >
> > >
> > > The switch's perspective (monitor port, using Ethereal 0.10.7):
> > > 1 0.00000 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > > 2 2.99032 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > > 3 5.93445 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> > > 4 20.52164 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > > 5 3.01498 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > > 6 5.26413 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > > 7 0.00000 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > > 8 0.77089 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > > 9 0.00082 portfolio.moody.edu -> 66.185.250.1 HTTP R port=2531
> > > 10 0.00015 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >
> > > FW1's perspective (fw monitor):
> > > 1 0.00000 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > > 2 0.00011 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > > 3 0.00001 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > > 4 0.00002 66.185.250.1 -> portfolio.moody.edu ICMP Echo
> > > request (ID: 512 Sequence number: 62977)
> > > 5 0.00046 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > > 6 0.00003 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > > 7 0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > > 8 0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo
> > > reply (ID: 512 Sequence number: 62977)
> > > 9 0.77262 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > > 10 0.00019 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> > >
> > > You will notice that FW1 doesn't even see the connection
> > > until after the ICMP has started! Look at the port numbers of
> > > the http request...
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
> > >
> >
> >
>
>