Unexplainable problem - unable to ping some hosts

Hello,

Setup: XG135W V18 build 354.

I noticed today that I cannot properly ping some hosts like 8.8.8.8, 8.8.4.4, and 1.1.1.1. I launch a CMD, I type "ping 8.8.8.8", the first answer is correct, and then the next 3 time out.

This ping is passing through my #1 firewall rule "LAN TO WAN GENERAL RULE" which allows my internal LAN to reach the internet. I don't know since when this problem has been occurring but it's really weird because if I switch on the packet capture in the firewall, the ping is working well ???!!! what the f*ck ???

Here are some screenshots to explain that...

The ping fails after the 1st successful answer.

Then I switch on packet capture, and ping again while it's still ON, and BINGO, ping is working:

Then I switch off packet capture, and ping is not working again...

 

Another weird thing is that I monitor my customers' firewalls and internet lines with ping and other services, which is allowed by a rule which is on top of my #1 rule. This rule allows pinging those specific IPs, and if I ping those IPs manually, they are all working great...

The issue is only on the IPs that are not in the monitoring firewall rule. 

The ping to 192.168.253.254, which is my ISP modem IP, has the same issue: 1st answer OK, 3 others time out. If I connect a computer to the ISP modem directly and ping 192.168.253.254 the ping is OK.


The issue was not present a few weeks ago...

If anyone has an idea...

 

Regards



  • FormerMember

    Hi Viken,

    This issue sounds like some problems on the LAN side, like duplicated IP address/wrong ARP on the firewall etc.

    You could try the below steps to check further - 

    1. Check in firewall's log viewer - switch to detailed view - search your IP address and see if there is any blocking by firewall rule or IPS rule
    2. On the XG firewall Advanced Shell, use the command to check the arp table: arp -an. And check multiple times when the ping is working and not working and see if the ARP entry has the correct MAC address for your PC.
    3. When doing a continuous ping, ping 1.1.1.1 -t, do a WireShark capture and a tcpdump capture on the XG firewall at the same time. Then retrieve the pcap file from the XG firewall and analyze the captures from the PC and the firewall with WireShark. Pay attention to the destination MAC address of those non-working ping requests.
    4. Test if the issue happens on another PC on the same LAN network
  •  Hi Captain,

    Thank you for your answer, I will test what you wrote and will let you know.

     

    But before that, let me add more precisions:

    As I said, when I ping IP addresses which are matching another firewall rule which is on the top, the ping works well, here are my firewall rules:

    And detailed view:

    Main firewall rule:

    and supervision rule: 

    As you can see, in my supervision rule, I have host groups, with public IP addresses inside, when I ping one of those IP addresses, it matches this rule.

     

    Now, a really weird thing about that :D -> If I add 8.8.8.8 or 8.8.4.4 or 1.1.1.1 to one of the host groups, the ping to those IPs is working again !!!!!! see:

     

    I tested that from different PC on the network, from different VLANs, the issue is the same.
    If I ping directly from the "diagnostics" pane of the XG, with Port3 Interface, there is no problem.

    I'm about to think that this is a problem on the v18 build 354 firmware. I'm about to downgrade to the build 339 to see if the problem is present or not...

  • Hi  

    Could you please unplug the Port3 for ISP for testing purpose and check what is the status of the issue?

    Could you please enable fsck once from the console and reboot the firewall?

  • Hello Guys,

     

    I have resolved the issue, but I resolved it by a weird way.

    I remembered that when I migrated from v17 to v18, I read about FastPath on internet, this was few weeks ago...

    Then I saw that it was about the "system firewall-acceleration" option that we have to enable.

    So few weeks ago I enabled this feature, and then just to test, I have disabled it right now, and then the ping is working again !!!!

    So maybe it explains why when I was pinging from Vlan20 it was working. (the only rule for Vlan20 was to use webproxy instead of DPI)

    And then when I was pinging from Vlan 1, 10 and 30, the ping wasn't working (the rule for those Vlans was set to use DPI instead of web proxy).

     

    So the real issue is there, and not about ARP or duplicate issue. So what's wrong? Should we enable "system firewall-acceleration" option? Is there a problem about DPI?


    Thanks.

  • Hi  

    Based on the last update, it seems Fast path / DPI is creating some problem. To be more sure, can you confirm whether you are getting a consistent PING result without drops all the time in the test scenarios below:

    1) PING result when you disable firewall-acceleration,

    2) PING result when firewall-acceleration is on but the tcpdump command is running during the PING on the XG CLI or UI.

    3) PING result with firewall-acceleration on and the IPS service off

    If all 3 of the above give a proper result for PING over multiple tests, then there is some issue with fast path and DPI and this may require further investigation with a support case.

  • Hi Vishal,

    Here are the results to the tests you asked:

     

    1) Ping is OK

    2) Ping is OK

    3) Ping is NOT OK


    When I enable firewall-acceleration the ping is broken again, even if I stop the IPS Service of the XG.

     

    The ping traffic is allowed by a rule which is configured to use DPI engine instead of web-proxy.

    Thanks.

  • Hi  

    Thanks for the quick update on the test results. Can you confirm whether there are any error and warning level messages in syslog.log when the PING drops are observed? Also, if you switch the rule to web proxy from DPI and PING is then working fine, then the problem should be DPI or fast path only.

  • Hi Vishal,

    What is the right way to analyze syslog.log without having an epileptic crisis ??? :D The information is transiting so fast when I do a cat syslog.log command.

     

    I switched to web proxy with firewall-acceleration enabled and ping is still dropping.

    But one thing is still weird: when firewall-acceleration is enabled and my traffic is passing through my backup internet link, the ping is still working, so firewall-acceleration seems to be incompatible only with my main internet link on port3, which is a static IP going to an MPTCP router connected to a VPS with 3 links (2 ADSL + 1 4G) to have 1 public IP and aggregated speed.

    And the 2nd link is ADSL configured on PPPoE directly on the XG.

  • Use tools like "less" to view the logs on Linux systems. Or "more", but I prefer less. 

    https://linuxize.com/post/less-command-in-linux/

     

     

    Another point out of my head: You are talking about Ping, but what about TCP/UDP connections? Do they work? Telnet Port 53, Telnet Port 443, Wget 443 etc. 

     

    Could you show us your SD-WAN Policies? 

  • Thanks for the tip for "less".

     

    I have no problem with other traffic because we used the firewall for a couple of weeks without issues with the firewall-acceleration option enabled, and I don't ping IP hosts every day, so I only just noticed the ping issue.

     

    Here is the output of syslog.log :

     

    May 2 20:40:59 (none) auth.info cish: session opened from console
    May 2 20:41:23 (none) user.info kernel: [112817.502877] ustk: mmap closed for u stdev
    May 2 20:41:23 (none) user.info kernel: [112817.502883] ustk: Deleted vma ffff8 8019a974540 from list
    May 2 20:41:23 (none) user.err kernel: [112817.502887] 1028:appdev_vma_close:si ze 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.502978] 758:appdev_release:dev o pen 1
    May 2 20:41:23 (none) user.err kernel: [112817.502980] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502981] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502983] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502984] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502985] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502986] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502987] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502988] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502989] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502990] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502990] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502991] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502992] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502993] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502994] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502995] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502996] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502997] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.502998] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502999] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.503000] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.503001] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.503002] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.info kernel: [112817.504080] ustk: Closed the mmap d ev
    May 2 20:41:23 (none) user.info kernel: [112817.510222] ustk: mmap closed for u stdev
    May 2 20:41:23 (none) user.info kernel: [112817.510227] ustk: Deleted vma ffff8 801ee0d69c0 from list
    May 2 20:41:23 (none) user.err kernel: [112817.510231] 1028:appdev_vma_close:si ze 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.510350] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510352] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510353] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510356] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510357] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510357] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510358] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510359] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510360] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510361] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510362] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510363] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510364] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510365] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510366] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510367] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510368] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510369] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510370] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510371] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510372] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510373] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.510374] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510374] 774:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.info kernel: [112817.511113] ustk: Closed the mmap d ev
    May 2 20:41:23 (none) user.err kernel: [112817.522160] 1028:appdev_vma_close:si ze 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.522307] 758:appdev_release:dev o pen 0
    May 2 20:41:23 (none) user.err kernel: [112817.522309] 771:appdev_release:count er 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.522310] 774:appdev_release:dev o pen 0
    May 2 20:41:25 (none) user.err kernel: [112818.846285] nf_conntrack_ipslb: unlo aded
    May 2 20:41:25 (none) user.info kernel: [112819.445616] manage_fastpath (32453) : drop_caches: 3
    May 2 20:41:26 (none) user.info kernel: [112819.729886] 886.050561 [3619] netma p_attach_common host0: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.729889] 886.050570 [1447] netmap _vale_vp_create autodetect mem pools for virt port host0
    May 2 20:41:26 (none) user.err kernel: [112819.729891] 886.050572 [1150] netmap _mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.729893] 886.050574 [1136] netmap _mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.731775] 886.052455 [3619] netma p_attach_common host1: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.731778] 886.052460 [1447] netmap _vale_vp_create autodetect mem pools for virt port host1
    May 2 20:41:26 (none) user.err kernel: [112819.731780] 886.052461 [1150] netmap _mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.731781] 886.052463 [1136] netmap _mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.733756] 886.054434 [3619] netma p_attach_common host2: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.733758] 886.054440 [1447] netmap _vale_vp_create autodetect mem pools for virt port host2
    May 2 20:41:26 (none) user.err kernel: [112819.733760] 886.054441 [1150] netmap _mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.733761] 886.054443 [1136] netmap _mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.err kernel: [112819.735074] 886.055753 [1447] netmap _vale_vp_create autodetect mem pools for virt port host3
    May 2 20:41:26 (none) user.err kernel: [112819.735079] 886.055760 [1150] netmap _mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.735081] 886.055762 [1136] netmap _mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.832064] 886.152737 [2290] netma p_do_regif vale0:Port1: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112819.832073] 886.152753 [2313] netma p_do_regif vale0:Port1: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:26 (none) user.info kernel: [112820.061173] 886.381846 [2290] netma p_do_regif vale0:Port2: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.061181] 886.381858 [2313] netma p_do_regif vale0:Port2: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:26 (none) user.info kernel: [112820.077878] 886.398550 [2290] netma p_do_regif vale0:Port3: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.077886] 886.398563 [2313] netma p_do_regif vale0:Port3: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:26 (none) user.info kernel: [112820.552617] 886.873284 [2290] netma p_do_regif vale0:Port5: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.552624] 886.873296 [2313] netma p_do_regif vale0:Port5: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:26 (none) user.info kernel: [112820.631253] 886.951920 [2290] netma p_do_regif vale0:Port6: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.631261] 886.951932 [2313] netma p_do_regif vale0:Port6: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:27 (none) user.info kernel: [112820.705947] 887.026612 [2290] netma p_do_regif vale0:Port7: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:27 (none) user.info kernel: [112820.705953] 887.026623 [2313] netma p_do_regif vale0:Port7: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:41:27 (none) user.info kernel: [112820.910029] device host0 entered pr omiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.912789] device host1 entered pr omiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.914408] device host2 entered pr omiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.915979] device host3 entered pr omiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.937733] vfp info: vfp_init:121: Initalizing vfp_firewall offloads...
    May 2 20:41:27 (none) user.info kernel: [112820.938367] vfp info: vfp_firewall_ debugfs_init:112: Initializing vfp_firewall debugfs...
    May 2 20:41:27 (none) user.info kernel: [112820.938383] vfp info: vfp_mflow_tab le_init:535: Initializing Micro Flow table library
    May 2 20:41:27 (none) user.info kernel: [112820.938384] vfp info: vfp_mflow_tab le_init:537: -- Supporting up to 3000000 Micro Flow table entries using 1048576 buckets
    May 2 20:41:27 (none) user.info kernel: [112820.944191] vfp info: vfp_mflow_tab le_init:554: -- Hash table addr: ffffffffa28a9fc0, free table addr: ffffffffa28 a97a0
    May 2 20:41:27 (none) user.info kernel: [112820.955039] vfp info: vfp_mflow_tim eout_thread_start:64: Micro Flow timeout thread ffff8801ec762280 created success fully
    May 2 20:41:27 (none) user.info kernel: [112820.955058] vfp info: vale_ports_ma p_table_init:260: Initializing VALE ports mapping table for bridge vale0:
    May 2 20:41:27 (none) user.info kernel: [112820.955064] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port1 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955069] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port2 index 1
    May 2 20:41:27 (none) user.info kernel: [112820.955072] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port3 index 2
    May 2 20:41:27 (none) user.info kernel: [112820.955075] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port4 index 3
    May 2 20:41:27 (none) user.info kernel: [112820.955078] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port5 index 4
    May 2 20:41:27 (none) user.info kernel: [112820.955081] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port6 index 5
    May 2 20:41:27 (none) user.info kernel: [112820.955084] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port7 index 6
    May 2 20:41:27 (none) user.info kernel: [112820.955087] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port8 index 7
    May 2 20:41:27 (none) user.info kernel: [112820.955089] vfp info: vale_ports_ma p_table_init:326: Adding LIF for Port9 index 8
    May 2 20:41:27 (none) user.info kernel: [112820.955100] vfp info: vale_ports_ma p_table_init:367: VALE ports discovered and mapped for bridge vale0:
    May 2 20:41:27 (none) user.info kernel: [112820.955101] vfp info: vale_ports_ma p_table_init:368: Attched ports count: 22
    May 2 20:41:27 (none) user.info kernel: [112820.955102] vfp info: vale_ports_ma p_table_init:369: First host port: 18
    May 2 20:41:27 (none) user.info kernel: [112820.955104] vfp info: vale_ports_ma p_table_init:377: Port 0: "vale0:Port1", Phys port 0. <=> Vale Stack 1, val e0:Port1^
    May 2 20:41:27 (none) user.info kernel: [112820.955106] vfp info: vale_ports_ma p_table_init:382: Port 1: "vale0:Port1^", Stack port. <=> Vale Phys 0, vale 0:Port1
    May 2 20:41:27 (none) user.info kernel: [112820.955107] vfp info: vale_ports_ma p_table_init:377: Port 2: "vale0:Port2", Phys port 1. <=> Vale Stack 3, val e0:Port2^
    May 2 20:41:27 (none) user.info kernel: [112820.955108] vfp info: vale_ports_ma p_table_init:382: Port 3: "vale0:Port2^", Stack port. <=> Vale Phys 2, vale 0:Port2
    May 2 20:41:27 (none) user.info kernel: [112820.955110] vfp info: vale_ports_ma p_table_init:377: Port 4: "vale0:Port3", Phys port 2. <=> Vale Stack 5, val e0:Port3^
    May 2 20:41:27 (none) user.info kernel: [112820.955111] vfp info: vale_ports_ma p_table_init:382: Port 5: "vale0:Port3^", Stack port. <=> Vale Phys 4, vale 0:Port3
    May 2 20:41:27 (none) user.info kernel: [112820.955112] vfp info: vale_ports_ma p_table_init:377: Port 6: "vale0:Port4", Phys port 3. <=> Vale Stack 7, val e0:Port4^
    May 2 20:41:27 (none) user.info kernel: [112820.955114] vfp info: vale_ports_ma p_table_init:382: Port 7: "vale0:Port4^", Stack port. <=> Vale Phys 6, vale 0:Port4
    May 2 20:41:27 (none) user.info kernel: [112820.955115] vfp info: vale_ports_ma p_table_init:377: Port 8: "vale0:Port5", Phys port 4. <=> Vale Stack 9, val e0:Port5^
    May 2 20:41:27 (none) user.info kernel: [112820.955116] vfp info: vale_ports_ma p_table_init:382: Port 9: "vale0:Port5^", Stack port. <=> Vale Phys 8, vale 0:Port5
    May 2 20:41:27 (none) user.info kernel: [112820.955118] vfp info: vale_ports_ma p_table_init:377: Port 10: "vale0:Port6", Phys port 5. <=> Vale Stack 11, va le0:Port6^
    May 2 20:41:27 (none) user.info kernel: [112820.955119] vfp info: vale_ports_ma p_table_init:382: Port 11: "vale0:Port6^", Stack port. <=> Vale Phys 10, val e0:Port6
    May 2 20:41:27 (none) user.info kernel: [112820.955121] vfp info: vale_ports_ma p_table_init:377: Port 12: "vale0:Port7", Phys port 6. <=> Vale Stack 13, va le0:Port7^
    May 2 20:41:27 (none) user.info kernel: [112820.955122] vfp info: vale_ports_ma p_table_init:382: Port 13: "vale0:Port7^", Stack port. <=> Vale Phys 12, val e0:Port7
    May 2 20:41:27 (none) user.info kernel: [112820.955123] vfp info: vale_ports_ma p_table_init:377: Port 14: "vale0:Port8", Phys port 7. <=> Vale Stack 15, va le0:Port8^
    May 2 20:41:27 (none) user.info kernel: [112820.955125] vfp info: vale_ports_ma p_table_init:382: Port 15: "vale0:Port8^", Stack port. <=> Vale Phys 14, val e0:Port8
    May 2 20:41:27 (none) user.info kernel: [112820.955126] vfp info: vale_ports_ma p_table_init:377: Port 16: "vale0:Port9", Phys port 8. <=> Vale Stack 17, va le0:Port9^
    May 2 20:41:27 (none) user.info kernel: [112820.955127] vfp info: vale_ports_ma p_table_init:382: Port 17: "vale0:Port9^", Stack port. <=> Vale Phys 16, val e0:Port9
    May 2 20:41:27 (none) user.info kernel: [112820.955128] vfp info: vale_ports_ma p_table_init:385: Port 18: "vale0:host0", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955129] vfp info: vale_ports_ma p_table_init:385: Port 19: "vale0:host1", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955130] vfp info: vale_ports_ma p_table_init:385: Port 20: "vale0:host2", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955132] vfp info: vale_ports_ma p_table_init:385: Port 21: "vale0:host3", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955133] vfp info: vale_ports_ma p_table_init:389: VALE ports mapping physical to vale for bridge vale0::
    May 2 20:41:27 (none) user.info kernel: [112820.955135] vfp info: vale_ports_ma p_table_init:394: Phys 0 <-> Vale 0 (vale0:Port1)
    May 2 20:41:27 (none) user.info kernel: [112820.955136] vfp info: vale_ports_ma p_table_init:394: Phys 1 <-> Vale 2 (vale0:Port2)
    May 2 20:41:27 (none) user.info kernel: [112820.955137] vfp info: vale_ports_ma p_table_init:394: Phys 2 <-> Vale 4 (vale0:Port3)
    May 2 20:41:27 (none) user.info kernel: [112820.955138] vfp info: vale_ports_ma p_table_init:394: Phys 3 <-> Vale 6 (vale0:Port4)
    May 2 20:41:27 (none) user.info kernel: [112820.955139] vfp info: vale_ports_ma p_table_init:394: Phys 4 <-> Vale 8 (vale0:Port5)
    May 2 20:41:27 (none) user.info kernel: [112820.955140] vfp info: vale_ports_ma p_table_init:394: Phys 5 <-> Vale 10 (vale0:Port6)
    May 2 20:41:27 (none) user.info kernel: [112820.955141] vfp info: vale_ports_ma p_table_init:394: Phys 6 <-> Vale 12 (vale0:Port7)
    May 2 20:41:27 (none) user.info kernel: [112820.955142] vfp info: vale_ports_ma p_table_init:394: Phys 7 <-> Vale 14 (vale0:Port8)
    May 2 20:41:27 (none) user.info kernel: [112820.955144] vfp info: vale_ports_ma p_table_init:394: Phys 8 <-> Vale 16 (vale0:Port9)
    May 2 20:41:27 (none) user.info kernel: [112820.955156] vfp info: vfp_netdevadd _event:188: Adding VLAN LIF for Port1 100 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955159] vfp info: vfp_netdevadd _event:188: Adding VLAN LIF for Port1 10 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955160] vfp info: vfp_netdevadd _event:188: Adding VLAN LIF for Port1 20 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955162] vfp info: vfp_netdevadd _event:188: Adding VLAN LIF for Port1 30 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955168] vfp info: vfp_worker_in it:280: Init worker mode0 lb_dest=1...
    May 2 20:41:27 (none) user.info kernel: [112820.955184] vfp info: vfp_mflow_tim eout_thread_fn:103: Micro Flow timeout thread started...
    May 2 20:41:28 (none) user.info kernel: [112821.994711] sh (509): drop_caches: 3
    May 2 20:41:28 (none) user.info kernel: [112822.194411] ixgbe_nm 0000:0c:00.1 P ort4: NIC Link is Up 100 Mbps, Flow Control: RX/TX
    May 2 20:41:30 (none) user.info kernel: [112823.728187] ixgbe_nm 0000:0c:00.0 P ort3: NIC Link is Up 1 Gbps, Flow Control: None
    May 2 20:41:30 (none) user.info kernel: [112823.811225] igb_nm 0000:03:00.0 Por t6: igb: Port6 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
    May 2 20:41:30 (none) user.info kernel: [112823.854918] ixgbe_nm 0000:0b:00.0 P ort1: NIC Link is Up 1 Gbps, Flow Control: None
    May 2 20:41:30 (none) user.info kernel: [112824.175457] igb_nm 0000:02:00.0 Por t5: igb: Port5 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
    May 2 20:42:01 (none) user.err kernel: [112855.072762] 729:appdev_open:dev open 0 1d
    May 2 20:42:01 (none) user.err kernel: [112855.072765] 750:appdev_open:dev open 1
    May 2 20:42:01 (none) user.err kernel: [112855.072768] 814:appdev_ioctl:dev siz e 2031616
    May 2 20:42:01 (none) user.err kernel: [112855.072790] 1044:appdev_mmap:start s ize 2031616
    May 2 20:42:01 (none) user.err kernel: [112855.072820] 1020:appdev_vma_open:siz e 2031616
    May 2 20:43:05 (none) user.err kernel: [112918.756571] 1020:appdev_vma_open:siz e 2031616
    May 2 20:43:05 (none) user.err kernel: [112918.774577] 1028:appdev_vma_close:si ze 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.924042] nfnetmap_queue loaded w ith [queues=2, queue_entries=10240, tx_slots=512 rx_slots=512]
    May 2 20:43:05 (none) user.info kernel: [112918.924386] 985.244006 [1902] netma p_mem_private_new req if 10*1024 ring 20*20480 buf 10242*2048
    May 2 20:43:05 (none) user.info kernel: [112918.924392] 985.244014 [3619] netma p_attach_common spq: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.924397] 985.244018 [3619] netma p_attach_common spq{0: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930692] 985.250308 [2290] netma p_do_regif spq{0: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930760] nfnetmap_queue successf ully created instance 'spq{0' [buffer size:2048]
    May 2 20:43:05 (none) user.info kernel: [112918.930898] 985.250519 [3619] netma p_attach_common spq{1: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930904] 985.250525 [2290] netma p_do_regif spq{1: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930956] nfnetmap_queue successf ully created instance 'spq{1' [buffer size:2048]
    May 2 20:43:05 (none) user.err kernel: [112918.939118] 1020:appdev_vma_open:siz e 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.941651] ustk: Opened the mmap d ev
    May 2 20:43:05 (none) user.info kernel: [112918.941657] ustk: MMAP of size 1073 745920
    May 2 20:43:05 (none) user.err kernel: [112918.949775] 1020:appdev_vma_open:siz e 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.952577] ustk: Opened the mmap d ev
    May 2 20:43:05 (none) user.info kernel: [112918.952585] ustk: MMAP of size 1073 745920
    May 2 20:43:05 (none) daemon.notice snort[2228]: netmap daq initialized success fully.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: netmap daq initialized success fully.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: nmsp daq initialized successfu lly.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: nmsp daq initialized successfu lly.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: SSL daq initialized successful ly.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: SSL daq initialized successful ly.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: LWP daq initialized successful ly.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: LWP daq initialized successful ly.....
    May 2 20:43:06 (none) user.info kernel: [112920.614278] 986.933876 [2290] netma p_do_regif vale0:host1: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.614282] 986.933885 [2313] netma p_do_regif vale0:host1: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:43:06 (none) user.info kernel: [112920.614832] 986.934430 [2290] netma p_do_regif vale0:host0: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.614836] 986.934440 [2313] netma p_do_regif vale0:host0: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2 048
    May 2 20:43:06 (none) user.info kernel: [112920.615516] 986.935118 [2290] netma p_do_regif spq}1: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:07 (none) user.err kernel: [112920.735694] 1020:appdev_vma_open:siz e 2031616
    May 2 20:43:07 (none) user.err kernel: [112920.755667] 1028:appdev_vma_close:si ze 2031616
    May 2 20:43:07 (none) user.err kernel: [112920.883372] nf_conntrack_ipslb : loa ded with q_start 0 q_end 1 lb_algo(0: Round Robin, 1: CPU fan-out) 0
    May 2 20:43:16 (none) auth.info cish: Session closed from console

     

     

    I started to ping 8.8.8.8 at 20h40, then enabled firewall-acceleration at 20h41, and ping timed out when I had the message "system firewall-acceleration enabled successfully".

    I recreated my SD-WAN rules for each firewall rule I have, to correspond to what I had on v17 (some source IP to some dst IP with some ports from this gateway etc...)
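
The log in the post above is dominated by repeated kernel lines, which is what makes it hard to read with cat. One way to reduce such a file to the distinct error-level messages in the minute around a ping drop is shown here as an added example; it is not part of the original posts or of any Sophos tooling. It assumes awk is available where the log is read, and the function names and sample lines are constructed for illustration, modelled on the format shown in the post.

```shell
#!/bin/sh
# Added example: condense syslog lines of the form
#   Mon D HH:MM:SS host facility.level tag: message
# to the distinct messages at chosen severities inside a time window.

# Constructed sample, modelled on the log format in the post above.
sample_log() {
cat <<'EOF'
May 2 20:40:59 (none) auth.info cish: session opened from console
May 2 20:41:23 (none) user.err kernel: [112817.502978] 758:appdev_release:dev open 1
May 2 20:41:23 (none) user.err kernel: [112817.502980] 771:appdev_release:counter 7 size 128
May 2 20:41:23 (none) user.err kernel: [112817.502983] 758:appdev_release:dev open 0
May 2 20:41:23 (none) user.err kernel: [112817.502984] 771:appdev_release:counter 7 size 128
May 2 20:41:25 (none) user.err kernel: [112818.846285] nf_conntrack_ipslb: unloaded
May 2 20:41:25 (none) user.info kernel: [112819.445616] manage_fastpath (32453): drop_caches: 3
May 2 20:43:05 (none) daemon.notice snort[2228]: netmap daq initialized successfully.....
May 2 20:43:07 (none) user.err kernel: [112920.883372] nf_conntrack_ipslb : loaded with q_start 0 q_end 1
EOF
}

# usage: syslog_triage START END [LEVEL_REGEX] < logfile
# START and END are HH:MM:SS on the same day; LEVEL_REGEX defaults to
# warning and above. Output: "<count>x <first>-<last> <level> <tag> <message>".
syslog_triage() (
    levels=${3:-}
    [ -n "$levels" ] || levels='^(emerg|alert|crit|err|warning|warn)$'
    awk -v start="$1" -v end="$2" -v levels="$levels" '
    {
        t = $3
        # Zero-padded HH:MM:SS compares correctly as a string.
        if (t < start || t > end) next
        n = split($5, fl, ".")
        if (n != 2 || fl[2] !~ levels) next
        tag = $6
        sub(/\[[0-9]+\]:$/, ":", tag)            # snort[2228]: -> snort:
        msg = ""
        for (i = 7; i <= NF; i++) msg = msg (i > 7 ? " " : "") $i
        sub(/^\[ *[0-9]+\.[0-9]+\] */, "", msg)  # drop the kernel uptime stamp
        key = fl[2] " " tag " " msg
        if (!(key in count)) { order[++k] = key; first[key] = t }
        count[key]++
        last[key] = t
    }
    END {
        # Print in order of first appearance, one line per distinct message.
        for (i = 1; i <= k; i++) {
            key = order[i]
            printf "%dx %s-%s %s\n", count[key], first[key], last[key], key
        }
    }'
)

# Errors logged in the minute firewall-acceleration was toggled (sample data).
sample_log | syslog_triage 20:41:00 20:41:59
```

On a real log, feed the file on standard input instead of the sample, and pass `'^info$'` as the third argument to see informational lines such as the fastpath initialisation.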

  • console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. VPN routes
    3. SD-WAN policy routes

  • Does "system firewall-acceleration disable" persist after a reboot?

    I believe I may have a similar issue on my home network. I run some network monitoring software that monitors systems external to my network. The XG sits between my LAN and my router. As part of the monitoring it pings the router and suspends all the monitoring if it can't ping the router. In the last couple of months I have had random times where the software can't ping the router, so it suspends all the monitoring. I have checked the server that the monitoring software is on and I can't ping the router manually from that server when I have the issue, but I can ping the router from another server on my network (and any PC).

    I haven't had the time to investigate this further but seeing this post I thought I would try disabling firewall acceleration. I didn't use to have this problem, but I used to run the XG as a Hyper-V software image which doesn't support firewall acceleration. More recently I have moved to a second-hand 430 with a software image which does support firewall acceleration and I believe this may coincide with when I started having the issue.

  • Hello,

     

    Yes it persists after a reboot.


    Regards