Troubleshooting and Debugging Filter Exceptions
Novell Cool Solutions: Feature
Posted: 6 Sep 2002
Current version: BorderManager 3.7
Sometimes, even after following filter exception TIDs or adding a pre-defined filter exception, the Firewall still blocks needed traffic from passing in or out. Here are some procedures that will help you get to the heart of the problem.
The first step is to prove that the filters are the cause. To remove the Firewall for testing, enter UNLOAD IPFLT, UNLOAD IPXFLT and UNLOAD FILTSRV, then retry the request. If it still fails with the Firewall unloaded, the problem is NOT the filters: is the service listening on the destination host? Do you have IP connectivity to the destination host?
If the service works with the Filters/Firewall down, reload them, enter REINITIALIZE SYSTEM and proceed with the following debugging:
The following NCF can be used to find out which ports are being blocked by the BorderManager Firewall. Put it into a plain text editor such as Notepad (don't use WordPad, because it may put unwanted characters in the NCF file):
#INSTRUCTIONS: copy this NCF (Novell Control File) file to SYS:SYSTEM,
#then on the system console prompt type: FILENAME.NCF
#IMPORTANT: initiate the service that is being blocked by the filter Firewall.
unload conlog.nlm
load conlog.nlm
IPFLT_DEBUG_ON
Set Filter Debug=on
Set ip forward filter debug=1
Set TCP Forward Filter Debug=1
Set ICMP Forward Filter Debug=1
Set UDP Forward Filter Debug=1
Set ip Discard Filter Debug=1
Set TCP Discard Filter Debug=1
#Set UDP Discard Filter Debug=1
#//UDP may cause utilization to go up, so unless you need to troubleshoot that, keep it commented out.
#You may not need all of the debugs from above. On a high traffic server only use the debugs you think you need;
#utilization may go up on the server.
#This NCF file will help you debug what ports are being blocked by the filter Firewall.
#See document http://support.novell.com/cgi-bin/search/tidfinder.cgi?10018659
#After you initiate the service that is being blocked by the filter Firewall, unload conlog.nlm and search for
#"Discard" packets in ETC\CONSOLE.LOG, then create filter exceptions for those services.
#TO TURN FILTER DEBUG OFF (YOUR SCREEN MAY FILL UP VERY FAST AND UTILIZATION MAY GO UP):
# SET FILTER DEBUG=OFF
#OR
#IPFLT_DEBUG_OFF
It is important to note if the service being blocked is INCOMING DISCARD or OUTGOING DISCARD traffic.
Another useful debug command is SET TCP IP DEBUG=1; look for discards and reason codes in the log file. UNLOAD CONLOG, then LOAD CONLOG, so that the debug output is logged to ETC\CONSOLE.LOG. Once you have located a suspicious discard, use TID http://support.novell.com/cgi-bin/search/tidfinder.cgi?10059473 to diagnose the discard problem.
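Reading a CONSOLE.LOG by hand gets slow once the debugs have run for a while. The script below is an added example (not part of the original article or a Novell tool) that tallies the "Discard" lines by direction, protocol and destination port, so you can see at a glance which exceptions are missing and whether they are INCOMING or OUTGOING. The line layout it parses and the sample lines are assumptions constructed for the example; adjust the regular expression to the text your server actually writes.

```python
# Added example (not the article's code): summarise DISCARD lines from SYS:ETC\CONSOLE.LOG.
import re
import sys
from collections import Counter

# ASSUMPTION: this line layout is invented for the example; real BorderManager
# debug output may differ, so adjust the regex to match your CONSOLE.LOG.
#   <INCOMING|OUTGOING> DISCARD <PROTO> <src ip>:<port> -> <dst ip>:<port>
DISCARD_RE = re.compile(
    r"(?P<dir>INCOMING|OUTGOING)\s+DISCARD\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)",
    re.IGNORECASE,
)

# Constructed sample (not real output) in the assumed layout.
SAMPLE_LOG = """\
Loading module CONLOG.NLM
INCOMING DISCARD TCP 192.0.2.10:1055 -> 198.51.100.5:443
INCOMING DISCARD TCP 192.0.2.10:1056 -> 198.51.100.5:443
OUTGOING DISCARD UDP 198.51.100.5:1030 -> 192.0.2.53:53
Forward TCP 192.0.2.11:2000 -> 198.51.100.5:80
INCOMING DISCARD ICMP 192.0.2.12:0 -> 198.51.100.5:0
"""

def parse_discards(text):
    """Return one dict per DISCARD line; forwarded and unrelated lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DISCARD_RE.search(line)
        if m:
            records.append({
                "dir": m["dir"].upper(), "proto": m["proto"].upper(),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return records

def summarise(records):
    """Count discards per (direction, protocol, destination port)."""
    return Counter((r["dir"], r["proto"], r["dport"]) for r in records)

def main(argv):
    # Optional argument: path to a copy of CONSOLE.LOG; otherwise use the sample.
    text = open(argv[1], encoding="latin-1").read() if len(argv) > 1 else SAMPLE_LOG
    for (direction, proto, port), n in sorted(summarise(parse_discards(text)).items()):
        print(f"{direction:8} {proto:4} dst port {port:<5} discarded {n} time(s)")

if __name__ == "__main__":
    main(sys.argv)
```

Each summary line maps directly to one filter exception to consider: the direction tells you whether it belongs on the public or private interface, and the protocol and destination port tell you which service it is for.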
For more information see TID 10061723.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com