04-28-2023 07:10 AM
We have a virtual FTD (5G tier). When we access a server through it, it doesn't work, especially database connections on ports (1521, 7506) and file transfer connections (SFTP). We can telnet to the server on those ports.
04-28-2023 07:15 AM
Can you run packet tracer and share it here for the three ports?
04-28-2023 07:24 AM
For port 1521
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.66 using egress ifc CDE(vrfid:0)
Phase: 3
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc Inside is not same as existing ifc CDE
Result:
input-interface: CDE(vrfid:0)
input-status: up
input-line-status: up
output-interface: CDE(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed, Drop-location: frame 0x0000560e00654ba9 flow (NA)/NA
04-28-2023 07:25 AM
For port 1521
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.66 using egress ifc CDE(vrfid:0)
Phase: 3
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 10.2.2.17 using egress ifc Inside(vrfid:0)
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc Inside any ifc CDE any rule-id 268452909 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268452909: PREFILTER POLICY: SFFW_PREFILTER_POLICY
access-list CSM_FW_ACL_ remark rule-id 268452909: RULE: FROM_CDE
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class_map_tac-test-tcp
match access-list tac-test-tcp
policy-map policy_map_Inside
class class_map_tac-test-tcp
set connection conn-max 0 embryonic-conn-max 0 random-sequence-number disable syn-cookie-mss 1380
set connection advanced-options tcp-state-bypass
service-policy policy_map_Inside interface Inside
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sqlnet
service-policy global_policy global
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class_map_tac-test-tcp
match access-list tac-test-tcp
policy-map policy_map_CDE
class class_map_tac-test-tcp
set connection conn-max 0 embryonic-conn-max 0 random-sequence-number disable syn-cookie-mss 1380
set connection advanced-options tcp-state-bypass
service-policy policy_map_CDE interface CDE
Additional Information:
Phase: 11
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1256391788, packet dispatched to next module
Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.66 using egress ifc CDE(vrfid:0)
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.2.66 on interface CDE
Adjacency :Active
MAC address 0000.5e00.010a hits 3035877 reference 1988
Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: CDE(vrfid:0)
output-status: up
output-line-status: up
Action: allow
04-28-2023 07:28 AM
For port 22
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.17 using egress ifc Inside(vrfid:0)
Phase: 2
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 10.2.2.33 using egress ifc Outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Outside any ifc Inside any rule-id 268452898
access-list CSM_FW_ACL_ remark rule-id 268452898: ACCESS POLICY: DC-SFFW-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268452898: L7 RULE: from_OUT_TO_INSIDE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1256905417, packet dispatched to next module
Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 1200835807
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, 'from_OUT_TO_INSIDE' , allow
Snort id 1, NAP id 2, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
Phase: 14
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.17 using egress ifc Inside(vrfid:0)
Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.2.17 on interface Inside
Adjacency :Active
MAC address 0000.5e00.010a hits 62026061 reference 31466
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
04-28-2023 07:29 AM
Did you configure any ECMP in FTD? Can I see your config?
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.2.2.66 using egress ifc CDE(vrfid:0)
Phase: 3
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 10.2.2.17 using egress ifc Inside(vrfid:0)
04-28-2023 07:33 AM
No, I didn't.
04-28-2023 07:36 AM
Input route lookup returned ifc Inside is not same as existing ifc CDE <<- this for packet tracer 1
Phase: 3 <<- this for packet tracer 2
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 10.2.2.17 using egress ifc Inside(vrfid:0)
There is a routing issue here; it can be from NAT.
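As an added illustration (not part of the thread or of any Cisco tool): a small parser over packet-tracer output like the traces above that extracts the verdict and flags the two signals this reply points at, a route lookup that disagrees with the ingress interface (the rpf-violated drop in tracer 1) and an ECMP phase picking a different egress interface (tracer 2). The embedded sample trace is constructed and abridged from the thread's first trace.

```python
import re
# Constructed, abridged packet-tracer output modelled on the dropped 1521 trace above.
SAMPLE_DROP = """\
Phase: 3
Type: SUBOPTIMAL-LOOKUP
Result: ALLOW
Input route lookup returned ifc Inside is not same as existing ifc CDE
Result:
input-interface: CDE(vrfid:0)
output-interface: CDE(vrfid:0)
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed, Drop-location: frame 0x0 flow (NA)/NA
"""
MISMATCH_RE = re.compile(r"returned ifc (\S+) is not same as existing ifc (\S+)")
NEXTHOP_RE = re.compile(r"Found next-hop (\S+) using egress ifc (\S+)")

def parse_trace(text):
    # Split output into per-phase blocks plus the trailing summary block.
    phases, final, cur = [], {}, {"type": "", "info": []}  # pre-phase lines are discarded
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"type": "", "info": []}
            phases.append(cur)
        elif line == "Result:":  # bare "Result:" opens the summary, not a phase verdict
            cur = final
        elif cur is final:
            key, _, val = line.partition(": ")
            final[key] = val
        elif line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        else:
            cur["info"].append(line)
    return phases, final

def analyze(text):
    # Return the verdict plus findings that point at asymmetric or ECMP routing.
    phases, final = parse_trace(text)
    findings = []
    for p in phases:
        for line in p["info"]:
            m = MISMATCH_RE.search(line)
            if m:  # route lookup disagrees with ingress interface: RPF drop ahead
                findings.append(f"{p['type']}: route says {m.group(1)}, arrived on {m.group(2)}")
            n = NEXTHOP_RE.search(line)
            if n and p["type"].startswith("ECMP"):  # equal-cost routes: path may flip
                findings.append(f"ECMP: next-hop {n.group(1)} via {n.group(2)}")
    code = re.match(r"\((\S+)\)", final.get("Drop-reason", ""))
    return {"action": final.get("Action"), "ingress": final.get("input-interface"),
            "egress": final.get("output-interface"), "findings": findings,
            "drop_code": code.group(1) if code else None}
```

Run `analyze()` over each `packet-tracer` output for the failing ports; a non-empty findings list together with an `rpf-violated` drop code is the asymmetric-routing symptom discussed here.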
04-28-2023 07:42 AM
Sorry Sir, I didn't configure load balancing or NAT. Which config information should I share?
04-28-2023 07:45 AM
04-28-2023 07:50 AM - edited 04-28-2023 08:38 AM
My Config
04-28-2023 08:09 AM
Sorry, I didn't figure it out. I don't have any kind of NAT configuration. Or where can I enable route-lookup?
04-28-2023 11:23 AM
I saw your config before it was removed.
The subnets are all in the same major network 10.22.22.x.
So just check the conflict between subnets. Also I see many, many routes. Why?