Routing

  • 1.  Gateway address / web traffic intermittently accessible from 1 subsite

    Posted 11-23-2020 07:41
    Hi All,

    Got an issue that I can't wrap my head around. We have 1 Head Office and 3 subsites connected as hub + spoke via MPLS links.

    One of the sites is having intermittent traffic where they can intermittently get internet access - let's call this Site X.

    Network Path from sub-sites 

    Endpoint ---> CPE SRX PB-Mode --- > MPLS Core ----> HO SRX PB-Mode--> Checkpoint FW ----> ISP SRX PB Mode ----> ISP Core ----> INTERNET

    What I am seeing from the subsite is that the ISP SRX gateway IP address is intermittently responding to Site X, but the other subsite and HO can get out just fine / it always responds.

    When Site X has internet access, the gateway is responding. When Site X doesn't have internet access, the ISP gateway IP is not responding. Throughout the whole time, the path to HO is present and responding. As well as this, the other sites have internet access without issues.

    I've reviewed the routing from the site CPE all the way through to our ISP core (apart from the Checkpoint, as we don't manage it) and all the routing is correct.

    I've been looking at this one for a few weeks now and a lot of the time was spent confirming to the end client that this wasn't a fragmentation issue.

    My current thoughts are:

    - IP conflict
    - Checkpoint firewall issues

    Any thoughts would be of great help as I'm starting to struggle with this one.

    Cheers!
    Alex


  • 2.  RE: Gateway address / web traffic intermittently accessible from 1 subsite

    Posted 11-24-2020 05:47
    Edited by E.KH 11-24-2020 05:48

    Hi Alex,

    Is there any IP address that is involved in routing on the Checkpoint FW? While the issue is observed, if the trace result fails on that address it mostly looks like something is wrong on the Checkpoint side. Also, when you check connectivity, do you receive an ICMP Destination Unreachable message, or are packets being dropped silently?

    If you receive an ICMP Destination Unreachable message, you can identify the problem from the Code value in the packet itself:

    0: Net unreachable - destination net unreachable message is one which a user would usually get from the gateway when it doesn't know how to get to a particular network.
    1: Host unreachable - destination host unreachable message is one which a user would usually get from the remote gateway when the destination host is unreachable.

    2: Protocol unreachable
    3: Port unreachable
    If, in the destination host, the IP module cannot deliver the packet because the indicated protocol module or process port is not active, the destination host may send an ICMP destination protocol / port unreachable message to the source host.

    4: Fragmentation needed and DF set
    5: Source route failed
    In another case, when a packet received must be fragmented to be forwarded by a gateway but the "Don't Fragment" flag (DF) is on, the gateway must discard the packet and send an ICMP destination fragmentation needed and DF set unreachable message to the source host.

    These ICMP messages are most useful when trying to troubleshoot a network. You can check to see if all routers and gateways are configured properly and have their routing tables updated and synchronised.

    If packets are being dropped silently, it mostly depends on some firewall action, so possibly the Checkpoint FW in your case.

    As an additional step, you can perform some traceroute monitoring to capture the path while the network is in a normal state and while the issue is observed, to see how things change.



    ------------------------------
    Regards,
    Elchin
    ------------------------------
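    The reply above lists the Destination Unreachable codes by hand. The decoder below is an added example (not from Elchin, Alex or Juniper) that pulls the same information out of a captured IPv4/ICMP packet: which device sent the error, the code and its meaning, and the original source/destination quoted inside the error, which is what tells you whether the probe from Site X to the ISP gateway was rejected and by whom. Codes 0-5 are the ones from the reply (RFC 792); codes 9, 10 and 13 are the RFC 1812 "administratively prohibited" codes a firewall returns when it rejects instead of dropping silently. All addresses are constructed documentation-range samples (192.0.2.x, 198.51.100.x, 203.0.113.x), and the packet builder exists only to generate test data; it leaves checksums at zero.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (Destination Unreachable) codes. 0-5 are RFC 792 as listed in the
# reply; 9, 10, 13 are RFC 1812 codes emitted by filters that reject traffic.
UNREACHABLE_CODES = {
    0: "Net unreachable",
    1: "Host unreachable",
    2: "Protocol unreachable",
    3: "Port unreachable",
    4: "Fragmentation needed and DF set",
    5: "Source route failed",
    9: "Network administratively prohibited",
    10: "Host administratively prohibited",
    13: "Communication administratively prohibited",
}


@dataclass
class UnreachableReport:
    reporter: str               # router/firewall that generated the ICMP error
    code: int
    reason: str
    orig_src: str               # source of the probe that failed
    orig_dst: str               # destination the probe was trying to reach
    orig_proto: int             # protocol number of the failed probe
    next_hop_mtu: Optional[int] # only populated for code 4 (RFC 1191)


def _ipv4_header(buf: bytes, off: int):
    """Return (header length, protocol, src, dst) of the IPv4 header at buf[off:]."""
    ihl = (buf[off] & 0x0F) * 4
    proto = buf[off + 9]
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return ihl, proto, src, dst


def parse_unreachable(pkt: bytes) -> Optional[UnreachableReport]:
    """Decode an IPv4 packet; return a report if it is ICMP type 3, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto, reporter, _ = _ipv4_header(pkt, 0)
    if proto != 1:                      # not ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:              # ICMP header + quoted original IP header
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:                  # echo reply, time exceeded, etc.
        return None
    # For code 4 the last two bytes of the ICMP header carry the next-hop MTU.
    mtu = struct.unpack("!H", icmp[6:8])[0] if code == 4 else None
    # The error quotes the original IP header plus the first 8 bytes of payload.
    _, orig_proto, orig_src, orig_dst = _ipv4_header(icmp, 8)
    return UnreachableReport(reporter, code, UNREACHABLE_CODES.get(code, f"code {code}"),
                             orig_src, orig_dst, orig_proto, mtu)


def likely_cause(r: UnreachableReport) -> str:
    """Map the code to the layer a troubleshooter should look at next."""
    if r.code in (9, 10, 13):
        return f"filtered: {r.reporter} rejected {r.orig_src} -> {r.orig_dst} by policy"
    if r.code in (0, 1):
        return f"routing: {r.reporter} has no route for {r.orig_dst}"
    if r.code == 4:
        return f"mtu: {r.reporter} needs fragmentation, next-hop MTU {r.next_hop_mtu}"
    return f"endpoint: {r.reporter} reports {r.reason}"


def build_unreachable(reporter: str, code: int, orig_src: str, orig_dst: str,
                      orig_proto: int = 1, mtu: int = 0) -> bytes:
    """Constructed test packet: IPv4 + ICMP type 3 quoting an original echo request."""
    def ip_hdr(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           bytes(int(x) for x in src.split(".")),
                           bytes(int(x) for x in dst.split(".")))
    quoted = ip_hdr(orig_src, orig_dst, orig_proto, 84) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    icmp = struct.pack("!BBHHH", 3, code, 0, 0, mtu) + quoted
    return ip_hdr(reporter, orig_src, 1, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed sample: probe from Site X (192.0.2.10) to the ISP gateway
    # (203.0.113.1) answered by a firewall at 198.51.100.1 with code 13.
    sample = build_unreachable("198.51.100.1", 13, "192.0.2.10", "203.0.113.1")
    report = parse_unreachable(sample)
    print(report)
    print(likely_cause(report))
```

    In practice the input would be the raw frames captured on the breakout SRX or the CPE while the gateway stops answering; a silent drop shows up as no type 3 packet at all, which is the other branch of Elchin's question.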



  • 3.  RE: Gateway address / web traffic intermittently accessible from 1 subsite

    Posted 11-24-2020 06:56
    Thanks for this - I am going to ask the end user to set up traces on their firewall.

    I've got traces running on our breakout SRX; however, we will only see the public IP post-NAT.

    I'll revert back with more details.

    Cheers!