Troubleshooting and Debugging Filter Exceptions

Novell Cool Solutions: Feature


Posted: 6 Sep 2002

Current version: BorderManager 3.7

Sometimes even after following filter exception TIDs or adding a pre-defined filter exception the Firewall is still blocking needed traffic from passing in or out of the Firewall. Here are some procedures that will help you get to the heart of the problem.

The first step is to prove that the filters are the cause. To remove the Firewall for testing, UNLOAD IPFLT, UNLOAD IPXFLT and UNLOAD FILTSRV, then try the service again. If it still fails after the Firewall is unloaded, the problem is NOT the filters. Is the service listening on the destination host? Do you have IP connectivity to the destination host?

If the service works with the Filters/Firewall down, reload them, run REINITIALIZE SYSTEM, and proceed with the following debugging:

The following can be used to find out what ports are being blocked by the BorderManager Firewall. Put the following into a plain text editor like Notepad (don't use WordPad, because it may put unwanted characters in the NCF file):

#INSTRUCTIONS: copy this NCF (Novell Control File) file to sys:system,
#then on the system console prompt type: FILENAME.NCF
#IMPORTANT: initiate the service that is being blocked by the filter Firewall.

unload conlog.nlm
load conlog.nlm
Set Filter Debug=on
Set ip forward filter debug=1
Set TCP Forward Filter Debug=1
Set ICMP Forward Filter Debug=1
#Set UDP Forward Filter Debug=1
Set ip Discard Filter Debug=1
Set TCP Discard Filter Debug=1
#Set UDP Discard Filter Debug=1

#UDP debugging may cause utilization to go up, so unless you need to
#troubleshoot UDP keep the two UDP lines above commented out.
#You may not need all of the debugs from above. On a high traffic
#server only use the debugs you think you need; utilization may go up
#on the server.
#This NCF file will help you debug what ports are being blocked by the
#filter Firewall.
#See document 

#After you initiate the service that is being blocked by the filter
#Firewall, unload conlog.nlm and search for "Discard" packets in
#ETC\CONSOLE.LOG, then create filter exceptions for those services.


It is important to note whether the blocked service shows up as INCOMING DISCARD or OUTGOING DISCARD traffic.
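Reading a busy CONSOLE.LOG by hand is slow, so here is an added helper (not from the original article or from Novell) that pulls the "Discard" lines out of the captured console log and counts them by direction, protocol and destination port, so each line of the summary corresponds to one candidate filter exception. The sample log lines and the exact layout of the filter debug output are constructed assumptions for this example; adjust the regular expression to match what your own console log actually shows.

```python
import re
from collections import Counter

# Constructed sample of ETC\CONSOLE.LOG output. The line layout below is an
# assumption made for this example, not copied from BorderManager itself.
SAMPLE_CONSOLE_LOG = """\
TCP Forward Filter: INCOMING packet from 10.1.1.20:4312 to 192.168.5.10:25 DISCARD
TCP Forward Filter: OUTGOING packet from 192.168.5.10:1045 to 10.1.1.20:443 FORWARD
ICMP Forward Filter: OUTGOING packet from 192.168.5.10 to 10.1.1.20 DISCARD
UDP Forward Filter: INCOMING packet from 10.1.1.20:53 to 192.168.5.10:1025 DISCARD
TCP Forward Filter: INCOMING packet from 10.1.1.20:4313 to 192.168.5.10:25 DISCARD
"""

# Protocol, direction, endpoints (port optional, e.g. ICMP has none) and action.
LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP|ICMP|IP) \w+ Filter: (?P<dir>INCOMING|OUTGOING) packet "
    r"from (?P<src>[\d.]+)(?::(?P<sport>\d+))? to (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<action>DISCARD|FORWARD)",
    re.IGNORECASE,
)


def parse_discards(log_text):
    """Return one record per discarded packet; forwarded packets are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action").upper() != "DISCARD":
            continue
        records.append({
            "direction": m.group("dir").upper(),
            "proto": m.group("proto").upper(),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
        })
    return records


def summarize_discards(records):
    """Count discards per (direction, protocol, destination port): each key is
    the direction/protocol/port a filter exception would have to cover."""
    return Counter((r["direction"], r["proto"], r["dport"]) for r in records)


if __name__ == "__main__":
    summary = summarize_discards(parse_discards(SAMPLE_CONSOLE_LOG))
    for (direction, proto, dport), n in sorted(
            summary.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or 0)):
        print(f"{direction:8} {proto:5} port {dport if dport else '-':>5}: {n} discard(s)")
```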

Another useful debug command is SET TCP IP DEBUG=1; look for discards and their reason codes in the log file. UNLOAD CONLOG and then LOAD CONLOG again so that the debug output is logged to ETC\CONSOLE.LOG. Once you have located a suspicious discard, use TID 10059473 (http://support.novell.com/cgi-bin/search/tidfinder.cgi?10059473) to diagnose the discard problem.

For more information see TID 10061723.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© Micro Focus