
After upgrade to 17.5, some packets not forwarded from ipsec to interface port

Dear All,

After we upgraded our 2 XG firewalls at 2 different sites, where we have an IPsec VPN in between, to the last firmware 17.5, we found afterwards that some packets at the ipsec are not forwarded to the port.

We have one Linux print server at one site and one Zebra ZM400 barcode printer at the other. Now each print job needs 15 sec, while before it needed 1 sec.

Checking the tcpdump, we found many packets not forwarded to the port, which resulted in the print server continuing to send the same packets to get a confirmation of the connection.

We checked the dropped packets, but there are none.

Below is the tcpdump:

15:32:43.864809 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [S], seq 7632938, win 14600, options [mss 1460,sackOK,TS val 1946631016 ecr 0,nop,wscale 7], length 0
15:32:43.923891 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [S.], seq 92008448, ack 7632939, win 5840, options [mss 1460,TS val 104385 ecr 1946631016,nop,nop], length 0
15:32:43.924113 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [S.], seq 92008448, ack 7632939, win 5840, options [mss 1460,TS val 104385 ecr 1946631016,nop,nop], length 0
15:32:43.924339 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [.], ack 1, win 14600, options [nop,nop,TS val 1946631076 ecr 104385], length 0
15:32:43.924343 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [P.], ack 1, win 14600, options [nop,nop,TS val 1946631076 ecr 104385], length 792
15:32:43.924347 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946631076 ecr 104385], length 0
15:32:43.967518 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 793, win 5048, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:43.967714 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 793, win 5048, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:43.967768 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:44.043182 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [F.], seq 1, ack 794, win 0, options [TS val 104391 ecr 1946631076,nop,nop], length 0
15:32:44.224971 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946631377 ecr 104388], length 0
15:32:44.270433 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104403 ecr 1946631377,nop,nop], length 0
15:32:44.740109 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946631892 ecr 104388], length 0
15:32:44.782634 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104428 ecr 1946631892,nop,nop], length 0
15:32:45.771988 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946632924 ecr 104388], length 0
15:32:45.830674 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104480 ecr 1946632924,nop,nop], length 0
15:32:47.832194 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946634984 ecr 104388], length 0
15:32:47.878741 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104583 ecr 1946634984,nop,nop], length 0
15:32:51.952001 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946639104 ecr 104388], length 0
15:32:52.016652 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104790 ecr 1946639104,nop,nop], length 0
15:32:52.016673 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104790 ecr 1946639104,nop,nop], length 0
15:32:56.417665 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [F.], seq 1, ack 794, win 0, options [TS val 105010 ecr 1946639104,nop,nop], length 0
15:32:56.417680 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [F.], seq 1, ack 794, win 0, options [TS val 105010 ecr 1946639104,nop,nop], length 0
15:32:56.417809 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [.], ack 2, win 14600, options [nop,nop,TS val 1946643569 ecr 105010], length 0

 

tcpdump of the good one:

15:53:44.949254 ipsec0, IN: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [S.], seq 2309846583, ack 2559237268, win 8192, options [mss 1460,nop,wscale 0,nop,nop,TS val 1 ecr 1947892061,sackOK,nop,nop], length 0
15:53:44.949496 Port1, OUT: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [S.], seq 2309846583, ack 2559237268, win 8192, options [mss 1460,nop,wscale 0,nop,nop,TS val 1 ecr 1947892061,sackOK,nop,nop], length 0
15:53:44.949600 Port1, IN: IP 172.16.20.184.51996 > 172.18.8.106.9100: Flags [.], ack 1, win 115, options [nop,nop,TS val 1947892102 ecr 1], length 0
15:53:44.949845 Port1, IN: IP 172.16.20.184.51996 > 172.18.8.106.9100: Flags [P.], ack 1, win 115, options [nop,nop,TS val 1947892102 ecr 1], length 792
15:53:44.949848 Port1, IN: IP 172.16.20.184.51996 > 172.18.8.106.9100: Flags [F.], seq 793, ack 1, win 115, options [nop,nop,TS val 1947892102 ecr 1], length 0
15:53:44.991460 ipsec0, IN: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [.], ack 794, win 7968, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:44.991603 Port1, OUT: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [.], ack 794, win 7968, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:44.999585 ipsec0, IN: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [.], ack 794, win 65535, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:44.999721 Port1, OUT: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [.], ack 794, win 65535, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:45.091596 ipsec0, IN: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [F.], seq 1, ack 794, win 65535, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:45.091732 Port1, OUT: IP 172.18.8.106.9100 > 172.16.20.184.51996: Flags [F.], seq 1, ack 794, win 65535, options [nop,nop,TS val 1 ecr 1947892102], length 0
15:53:45.091831 Port1, IN: IP 172.16.20.184.51996 > 172.18.8.106.9100: Flags [.], ack 2, win 115, options [nop,nop,TS val 1947892244 ecr 1], length 0

Your help is much appreciated.

Kind regards,

Abdul
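
Added example, not part of the original post: a small Python script that reads tcpdump output in the format shown above and lists packets seen arriving on `ipsec0` with no identical packet leaving `Port1`. The sample lines are copied from the failing capture in the post; the function name and the exact-text matching rule are assumptions of this example.

```python
import re
from collections import defaultdict, deque

# A subset of lines copied, in order, from the failing capture in the post.
SAMPLE = """\
15:32:43.967518 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 793, win 5048, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:43.967714 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 793, win 5048, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:43.967768 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104388 ecr 1946631076,nop,nop], length 0
15:32:44.043182 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [F.], seq 1, ack 794, win 0, options [TS val 104391 ecr 1946631076,nop,nop], length 0
15:32:44.224971 Port1, IN: IP 172.16.20.184.50749 > 172.18.8.90.9100: Flags [F.], seq 793, ack 1, win 14600, options [nop,nop,TS val 1946631377 ecr 104388], length 0
15:32:52.016652 ipsec0, IN: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104790 ecr 1946639104,nop,nop], length 0
15:32:52.016673 Port1, OUT: IP 172.18.8.90.9100 > 172.16.20.184.50749: Flags [.], ack 794, win 0, options [TS val 104790 ecr 1946639104,nop,nop], length 0
"""

# timestamp, interface, direction, then the packet description itself
LINE = re.compile(r"^(?P<ts>\S+) (?P<ifc>\S+), (?P<dir>IN|OUT): (?P<pkt>IP .+)$")


def find_unforwarded(capture, in_ifc="ipsec0", out_ifc="Port1"):
    """Return (forwarded_count, missing): packets that entered in_ifc and
    never showed up leaving out_ifc, matched on identical packet text."""
    pending = defaultdict(deque)  # packet text -> arrival timestamps (FIFO)
    forwarded = 0
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a packet line
        key = m["pkt"]
        if m["ifc"] == in_ifc and m["dir"] == "IN":
            pending[key].append(m["ts"])
        elif m["ifc"] == out_ifc and m["dir"] == "OUT" and pending[key]:
            pending[key].popleft()  # earliest matching arrival was forwarded
            forwarded += 1
    missing = sorted((ts, key) for key, q in pending.items() for ts in q)
    return forwarded, missing


if __name__ == "__main__":
    ok, missing = find_unforwarded(SAMPLE)
    print(f"forwarded: {ok}, not forwarded: {len(missing)}")
    for ts, pkt in missing:
        print(ts, pkt)
```

A packet listed here is only missing from the capture on the outgoing interface; the script does not say why it was not forwarded.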


