
FW-Traffic LAN-LAN gets blocked

Hello Support,

I'm having trouble connecting to my internal network from different clients. 99% of the connections, either to my internal network or to the internet, are dropped due to FW ID:0 "Could not associate packet to any connection."

The client itself is not really reachable, although some packets find their way to the destinations (internal or external).

When the client gets blocked by the FW, ICMP traffic to the client looks like this:

 

(this is a ping from my 2nd machine in the same subnet to the problematic client)

At the same time the Logviewer will generate this output:

FW-ID 2 is the LAN-LAN policy. As you can see, bcast traffic is completely dropped (due to "could not associate..."); on the other side, some traffic will be passing the FW. How can I unblock the bcast traffic?

My internal subnet is this:

192.168.0.0/22

The FW-IP is 192.168.0.1 (network interface is associated to LAN Zone)

The FW-Firmware is 17.5 MR5

Any help would be highly appreciated - this haunts me for weeks.

  • Hi Ian,

    If it's a local switching issue, why am I seeing ports get blocked by the firewall from e.g.

    192.168.2.100 to 192.168.3.100

    when my subnet is

    192.168.0.0/22

    Makes no sense to me. Mostly ports 137 and 138 get blocked, but I am also seeing higher application ports get blocked by the FW.

    This prevents a successful domain logon (the client sits on the boot screen for 20 minutes with "please wait").

    Can you shed some light on this? 

    Thanks again

  • Hi,

    It is all very logical: you have a /22 network and you are trying to use firewall rules to connect two /24s within the same network.

    This should all be managed by your switch. I would check the net masks on your DHCP servers and the Domain server.

    Ian

  • Hi Ian,

    I'm not trying to connect two /24 networks.

    My network is 192.168.0.0/22, which means 192.168.0.0-192.168.3.254 is within one subnet. The FW behaves as if the networks are separated. All DCs and DHCP servers (all of them are DCs) have a /22 network mask.

  • Hi Simon-Timothy,

    I have created a simple network sketch of what I think your network is like. This should show you why the switch should manage the inter-LAN traffic, not the firewall.

    And why the XG sees the addresses as separate networks.

     

    Ian

  • Hello Ian,

    thank you for your time and your sketch. I can confirm that my network is not like this.

    As stated before

    my Network is 192.168.0.0/22.

    There is no /24 subnet, neither on the DHCP server, which has a distribution range of 192.168.2.1-192.168.3.254, nor on any of the DCs. So again, I'm only wondering what is happening on the XG.

    Yesterday I upgraded to MR6 - but that didn't change anything (same as the other MRs that came before this one).

    The funny part is that the FW passes some traffic while other traffic is blocked with Rule-ID:0 (mostly UDP protocol, ports 137-138).

    That only happens for a period of time. Yesterday I waited for 30-45 minutes, and the traffic which was originally blocked (at logon and afterwards) is now passing the FW without problems.

    This is absolutely confusing to me...

  • Hi Simon-Timothy,

    My apologies, the confusion was caused by your requirement for a LAN to LAN rule, which implies that you had sub-divided your /22.

    Rule 0 is the default rule in the XG when it cannot find a matching rule for the traffic, which is what is happening here: 3.255 is not a real address and is therefore dropped by the firewall. You can disable the logging of rule 0 or just ignore the entries; they are not the cause of your issue.

    As I stated at the start, you do not need a LAN to LAN rule to get your local traffic. Please check the settings of your main switch, e.g. that every port is set to forward broadcasts, then check the traffic in the switch or by putting an analyser on one of the links between the main switch and sub-switch.

    Ian
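
An added check, not part of the thread above and not Sophos code: the two points argued over are whether a host netmask of /24 versus /22 would make 192.168.2.100 and 192.168.3.100 appear off-link to each other, and what the broadcast address of 192.168.0.0/22 actually is. The script below computes both with Python's standard `ipaddress` module and then classifies rule-0 denies from a few constructed key=value log lines (written to resemble XG firewall log entries, not copied from the poster's Logviewer) by whether the destination is the subnet broadcast, another host inside the /22, or outside it. The prefix 192.168.0.0/22 and the sample lines are assumptions taken from the thread; nothing here reproduces the XG's own rule-matching logic.

```python
"""Added example (not from the thread, not Sophos code): netmask and
broadcast sanity checks for the 192.168.0.0/22 LAN discussed above, plus
a classifier for rule-0 ("Could not associate packet to any connection")
denies in constructed XG-style key=value log lines.
"""
import ipaddress
import re

# Assumption from the thread: the intended LAN prefix.
LAN = ipaddress.ip_network("192.168.0.0/22")

# Constructed sample entries; fields are chosen to look like XG firewall
# logs but these lines are NOT taken from the poster's Logviewer.
SAMPLE_LOG = """\
fw_rule_id=0 src_ip=192.168.2.100 dst_ip=192.168.3.255 protocol="UDP" src_port=137 dst_port=137 message="Could not associate packet to any connection."
fw_rule_id=0 src_ip=192.168.2.100 dst_ip=192.168.3.100 protocol="UDP" src_port=138 dst_port=138 message="Could not associate packet to any connection."
fw_rule_id=2 src_ip=192.168.2.100 dst_ip=192.168.3.100 protocol="TCP" src_port=49152 dst_port=445 message="Allowed"
fw_rule_id=0 src_ip=192.168.2.100 dst_ip=8.8.8.8 protocol="UDP" src_port=53000 dst_port=53 message="Could not associate packet to any connection."
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_destination(dst, lan=LAN):
    """Place a destination address relative to the LAN prefix."""
    addr = ipaddress.ip_address(dst)
    if addr == lan.broadcast_address:
        return "lan-broadcast"   # directed broadcast of the prefix
    if addr in lan:
        return "lan-unicast"     # same L2 segment: switched, not routed
    return "outside-lan"


def mask_explains_split(src, dst, prefix_len):
    """True if a host at src configured with /prefix_len treats dst as off-link
    (i.e. would send it to its gateway instead of ARPing for it)."""
    iface = ipaddress.ip_interface(f"{src}/{prefix_len}")
    return ipaddress.ip_address(dst) not in iface.network


def summarize(log_text, lan=LAN):
    """Count rule-0 denies by destination class; other rule IDs are ignored."""
    counts = {"lan-broadcast": 0, "lan-unicast": 0, "outside-lan": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("fw_rule_id") != "0":
            continue
        counts[classify_destination(rec["dst_ip"], lan)] += 1
    return counts


if __name__ == "__main__":
    print("broadcast address of", LAN, "is", LAN.broadcast_address)
    print("rule-0 denies by destination:", summarize(SAMPLE_LOG))
    for plen in (22, 24):
        off_link = mask_explains_split("192.168.2.100", "192.168.3.100", plen)
        print(f"with /{plen}, 192.168.2.100 sees 192.168.3.100 as off-link: {off_link}")
```

Running it shows that 192.168.3.255 is the broadcast address of 192.168.0.0/22, so packets to it are legitimate subnet broadcasts rather than traffic to a nonexistent host, and that only a /24 mask on a client would make 192.168.3.100 look off-link from 192.168.2.100; with /22 on both hosts, as the poster describes, unicast between them should never need to cross the XG at all. Counting rule-0 denies per class over a real log export is a quick way to see whether the drops are dominated by broadcasts (harmless to ignore, as Ian says) or by intra-/22 unicast (which points at the switching path or a host mask mismatch).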