Hi
We're experiencing a weird issue with a couple PCs. The basic problem is the subnet they are on is allowed access to a specific site, all PC's on that subnet can access it just those 2 PC's can't. If we change their IP they can. What makes this a little weird is although we log the any drop and the access rule we see no attempts from that IP, however tcpdump on the internal interface shows it hitting the interface, but I don't see it passing through any other interface on the FW. I've attached the specific and tcpdump below. Any ideas?
FW's are
Nokia IP530's in a VRRP cluster config IPSO: 3.7.1-BUILD013
Check point NG-AIR54 build 289
I had 2 TCPdumps running at the same time here are the results.
TCPdump internal interface
FW1[admin]# tcpdump -i eth-s1p3c0 host 10.10.10.3
tcpdump: listening on eth-s1p3c0
08:54:54.313632 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
08:54:57.305940 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
08:55:03.321240 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
TCP dump on DMZ interface
FW1[admin]# tcpdump -i eth4c0 host 10.10.10.3
tcpdump: listening on eth4c0
Here's a capture on the DMZ interface from a PC that works.
Jerry[rn4it]# tcpdump -i eth4c0 host 10.10.10.29
tcpdump: listening on eth4c0
09:01:22.229632 O 10.10.10.29.4574 > 10.101.49.28.80: S 2999369322:2999369322(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
09:01:22.244173 I 10.101.49.28.80 > 10.10.10.29.4574: S 534667859:534667859(0) ack 2999369323 win 64512 <mss 1460,nop,nop,sackOK>
09:01:22.244634 O 10.10.10.29.4574 > 10.101.49.28.80: . ack 1 win 64512 (DF)
09:01:29.020450 O 10.10.10.29.4574 > 10.101.49.28.80: F 1:1(0) ack 1 win 64512 (DF)
09:01:29.024140 I 10.101.49.28.80 > 10.10.10.29.4574: . ack 2 win 64512 (DF)
09:01:29.024149 I 10.101.49.28.80 > 10.10.10.29.4574: R 1:1(0) ack 2 win 0 (DF)
Any help would be appreciated.
thanks
John
We're experiencing a weird issue with a couple PCs. The basic problem is the subnet they are on is allowed access to a specific site, all PC's on that subnet can access it just those 2 PC's can't. If we change their IP they can. What makes this a little weird is although we log the any drop and the access rule we see no attempts from that IP, however tcpdump on the internal interface shows it hitting the interface, but I don't see it passing through any other interface on the FW. I've attached the specific and tcpdump below. Any ideas?
FW's are
Nokia IP530's in a VRRP cluster config IPSO: 3.7.1-BUILD013
Check point NG-AIR54 build 289
I had 2 TCPdumps running at the same time here are the results.
TCPdump internal interface
FW1[admin]# tcpdump -i eth-s1p3c0 host 10.10.10.3
tcpdump: listening on eth-s1p3c0
08:54:54.313632 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
08:54:57.305940 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
08:55:03.321240 I 10.10.10.3.1214 > 10.101.49.31.80: S 140246190:140246190(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
TCP dump on DMZ interface
FW1[admin]# tcpdump -i eth4c0 host 10.10.10.3
tcpdump: listening on eth4c0
Here's a capture on the DMZ interface from a PC that works.
Jerry[rn4it]# tcpdump -i eth4c0 host 10.10.10.29
tcpdump: listening on eth4c0
09:01:22.229632 O 10.10.10.29.4574 > 10.101.49.28.80: S 2999369322:2999369322(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
09:01:22.244173 I 10.101.49.28.80 > 10.10.10.29.4574: S 534667859:534667859(0) ack 2999369323 win 64512 <mss 1460,nop,nop,sackOK>
09:01:22.244634 O 10.10.10.29.4574 > 10.101.49.28.80: . ack 1 win 64512 (DF)
09:01:29.020450 O 10.10.10.29.4574 > 10.101.49.28.80: F 1:1(0) ack 1 win 64512 (DF)
09:01:29.024140 I 10.101.49.28.80 > 10.10.10.29.4574: . ack 2 win 64512 (DF)
09:01:29.024149 I 10.101.49.28.80 > 10.10.10.29.4574: R 1:1(0) ack 2 win 0 (DF)
Any help would be appreciated.
thanks
John
