tlogicsupport asked:

NAT ip packets dropping

We have a fairly complex setup: a real estate office with 50 separate teams.
They share internet access and servers, but 50 VLANs with ACLs separate the subnets.
One layer 3 switch is the router; the others are layer 2.
Everything was working fine, but the new VoIP phone system can't send paging voice.
The paging notification comes across, which is handled by the server, but then since there are no comms with the
other VLANs/subnets, no voice traffic reaches the phones. We had issues with the ACLs,
so we decided to put everything on VLAN 1 for now. This fixed the paging issue, but of course the team PCs
can see each other now, which is the least of my concerns.

The problem now is that, randomly, the NATed IPs on the firewall (each pointing to a server)
are dropping in and out all day long, every few minutes.
The external IP of the firewall is fine and the other public non-NATed IPs are fine, but the 6 NATed IPs we
have are dropping.

We also now have a "storm" of NetBIOS hits on the firewall. All gateways point to the switch/router. A static route on the firewall
points the VLAN 1 subnet to the router; the router's next hop is the firewall LAN IP.
The firewall logs are showing NetBIOS denies like crazy. Not sure if this is a broadcast/multicast issue or whether routing is set up properly.
Everything works, the NATed IPs just drop in and out.

2011-03-30 22:14:24 Deny 192.168.2.170 192.168.1.1 netbios-ns/udp 137 137 1-Trusted Firebox denied 78 64 (Unhandled Internal Packet-00)    

Can these firewall denies cause dropped packets that would kill inbound/outbound access?
Is there something I am missing for the routing/broadcast config?

tlogicsupport (ASKER):
2011-03-30 23:25:59 System 7003  System detected,  failed to log in from console  proc_id="ma" time="Wed Mar 30 23:25:59 2011 (PST)" hostname="RegencyBackupFW.regency.com"


2011-03-30 23:27:13 Deny 192.168.2.161 63.251.254.131 http/tcp 4833 80 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 255 (internal policy)   tcpinfo="offset 5 R 0 win 0"

This is what I see when the connection drops.

dpk_wal:
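One way to put numbers on the "storm" of NetBIOS denies described above, as an added example that is not part of this thread and not WatchGuard's own tooling: a small Python parser for the traffic-log shape quoted in the posts (the date, action, source, destination, service/protocol, ports, interface and free-text reason fields), which counts denies per source and per reason and flags any source that exceeds a sliding-window rate. The sample log lines are constructed to resemble the ones posted, and the window and threshold values are arbitrary tuning defaults, not the Firebox's auto-block settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Shape of the Firebox traffic-log lines quoted in this thread (assumption:
# other WatchGuard log formats may differ):
# "<date> <time> Deny <src> <dst> <service>/<proto> <sport> <dport> <iface> <free text> (<reason>)"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>Deny|Allow) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<service>[^\s/]+)/(?P<proto>tcp|udp) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<iface>\S+) (?P<text>.*)$"
)
REASON_RE = re.compile(r"\(([^)]*)\)")


def parse_line(line):
    """Return a dict for one traffic-log line, or None if it is not a traffic
    line (for example the 'System 7003' event quoted in the thread)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    r = REASON_RE.search(rec["text"])
    rec["reason"] = r.group(1) if r else "unspecified"
    return rec


def deny_summary(lines):
    """Count Deny lines per (source, service) and per parenthesised reason."""
    by_src_service = Counter()
    by_reason = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_src_service[(rec["src"], rec["service"])] += 1
        by_reason[rec["reason"]] += 1
    return by_src_service, by_reason


def storm_sources(lines, service, window_seconds=60, threshold=20):
    """Sources whose denied packets for `service` exceed `threshold` in any
    sliding window of `window_seconds`. Both defaults are constructed tuning
    values, not the firewall's own thresholds."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["service"] == service:
            times[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it covers at most window_seconds
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def _deny(ts, src, dst, svc, proto, sport, dport, text):
    return (f"{ts:%Y-%m-%d %H:%M:%S} Deny {src} {dst} {svc}/{proto} "
            f"{sport} {dport} 1-Trusted {text}")


# Constructed sample log modelled on the lines posted in the thread.
_BASE = datetime(2011, 3, 30, 22, 14, 24)
_NB = "Firebox denied 78 64 (Unhandled Internal Packet-00)"
_RST = ("unknown TCP RST packet without an associated connection, firewall drop "
        "40 255 (internal policy)   tcpinfo=\"offset 5 R 0 win 0\"")
SAMPLE_LOG = (
    # one host chattering NetBIOS name service at the firewall: 30 hits in 30 s
    [_deny(_BASE + timedelta(seconds=i), "192.168.2.170", "192.168.1.1",
           "netbios-ns", "udp", 137, 137, _NB) for i in range(30)]
    # a second host at a normal cadence: one hit every five minutes
    + [_deny(_BASE + timedelta(minutes=5 * i), "192.168.2.50", "192.168.1.1",
             "netbios-ns", "udp", 137, 137, _NB) for i in range(3)]
    # a stray RST, the other kind of deny quoted in the thread
    + [_deny(_BASE + timedelta(minutes=73), "192.168.2.161", "63.251.254.131",
             "http", "tcp", 4833, 80, _RST)]
    # a non-traffic system event, which the parser skips
    + ["2011-03-30 23:25:59 System 7003  System detected,  failed to log in from console"]
)


if __name__ == "__main__":
    per_src, per_reason = deny_summary(SAMPLE_LOG)
    for (src, svc), n in per_src.most_common():
        print(f"{src:16} {svc:12} {n}")
    print("reasons:", dict(per_reason))
    print("storm candidates:", storm_sources(SAMPLE_LOG, "netbios-ns"))
```

Run against an exported Firebox traffic log, the per-reason counts separate routine broadcast noise (the "Unhandled Internal Packet" denies) from other drops such as the RST entries, and the flagged sources give a short list of hosts to compare against the times the NATed addresses stopped answering.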
The logs you have posted are all normal; what I would be interested to see is whether your IP addresses are getting auto-blocked and hence you see the problem.

When you hit the problem (public IP/server communication not happening), in Firebox System Manager go to the Blocked Sites list and see the IPs listed. If they are your IPs, then in Policy Manager check whether this checkbox is checked: Policy Manager -> Setup -> Default Threat Protection -> Default Packet Handling -> Unhandled Packets -> "Auto-block source of packets not handled".

Another reason could be:
http://customers.watchguard.com/articles/Article/2920?retURL=%2Fapex%2FknowledgeHome&popup=false

If you are seeing too many port/ip scan/sweeps; you should consult your ISP and see if they can provide some protection to your network.

Please check and update.

Thank you.
Thanks DPKWAL for your help.
When the inbound NATed IPs drop, all outbound access also drops. There is nothing in the Blocked Sites list and the auto-block box is not checked.

We have public IPs on an external router, one on a second NIC of a server and one on the firewall external interface. None of these three ever drop out. The only IPs that stop responding periodically are the NATed IPs on the WG firewall. When those drop, all outbound access is also dropped for about 5-10 seconds and then it comes back. Completely random, but I think it happens more often while there is network traffic and only every 3-4 hours at night.
Can you check, when inbound traffic drops, whether your box is badly hit by sweeps/scans? Also, did you take a look at the link posted earlier?
ASKER CERTIFIED SOLUTION
Avatar of tlogicsupport
tlogicsupport

Thank you for the update.
Realized the issue was router IP conflicts.