If there are initial problems with communication between a firewall and InControl then this section outlines a number of possible problems.
1. Check Communication Between InControl Client and Server
Remember that the InControl client communicates with the InControl server, which in turn communicates with the firewall. This section assumes that the client and server are initially running on the same PC. If they are on different computers, the client will indicate if it cannot communicate with the server. The remaining points in this list assume that the client and server are communicating and relate to the communication between the server and the firewalls.
2. Check IP addresses
Make sure that the correct IP addresses have been entered for the firewall.
3. Check InControl communication isn't blocked
Make sure that no other device in the network is blocking TCP port 999. This port is used by InControl to communicate with firewalls.
4. Check connections with Ping
ICMP Ping can be used to check communications to firewalls. Try pinging the firewall from the InControl client computer. This will only work if an IP rule set entry that allows ICMP has already been defined in the firewall configuration.
Try pinging a host on the management network from the local console on the firewall by using the serial cable.
5. Check management interface connections
There may be a physical connection problem: check the link indicators of the network interface you have selected as the management interface. If there is no link indication, there might be a cable problem.
Is the firewall directly connected to a router or another host? In this case, an "X-Ethernet" cable will be needed to connect the firewall to that unit. Using the wrong cable type may result in the link indicators indicating link failure.
6. Routing problems
Look for routing problems: if the connection to the firewall is via a router, is the default gateway setting correct in both the firewall and InControl?
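The checks in steps 3 to 6 can be run from the InControl server host with a plain TCP connect to port 999, since the way a connection attempt fails points at a different step in the list. The following is an added example, not part of InControl or the original text; the host and port arguments are assumptions, and the loopback self-test is constructed for demonstration.

```python
import errno
import socket
import sys

# TCP port InControl uses to communicate with firewalls (from the text above).
INCONTROL_PORT = 999


def classify_tcp(host, port=INCONTROL_PORT, timeout=3.0):
    """Attempt a TCP connect and map the outcome onto the checklist.

    Returns one of:
      'open'        - handshake completed: the server-to-firewall path works
      'refused'     - firewall (or some host) answered with RST: IP reachable,
                      so re-check the address (step 2) or that it is the firewall
      'unreachable' - no route / host unreachable from this host: step 6
      'timeout'     - no answer at all: a device is dropping port 999 (step 3)
                      or the cabling/link is down (step 5)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:           # alias of TimeoutError on newer Pythons
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % exc.errno


def check_local_listener():
    """Constructed self-test: a throwaway loopback listener must report 'open'."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return classify_tcp("127.0.0.1", srv.getsockname()[1], timeout=1.0)


def check_closed_port():
    """Constructed self-test: a loopback port with no listener must not be 'open'."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]
    return classify_tcp("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("%s:%d -> %s" % (target, INCONTROL_PORT, classify_tcp(target)))
```

Run it with the firewall's management IP as the argument; 'timeout' from the server host but 'open' from a host on the management network is the usual signature of a device filtering port 999 in between.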
7. CLI Diagnostics
Should none of the above be of any assistance, check the statistics information for the management interface by issuing the CLI command ifstat on the firewall console. This can be done remotely using a Secure Shell (SSH) connection or on a console connected directly to the hardware's RS232 port.
Device:/> ifstat <if-name>
(where <if-name> is the name of your management interface)
This will display a number of counters for the network interface and these are divided into two sections, one for hardware and one for software. To observe the interface behavior, repeatedly issue the ifstat command.
If the Input counters of the hardware section are not increasing, then the error is likely to be in the cables. However, it may simply be the case that the packets aren't getting to the firewall in the first place. This can be verified by attaching a packet sniffer to the network in question.
If the Input counters of both the hardware and software sections of the ifstat output are increasing, then the interfaces may be attached to the wrong physical networks. There may alternatively be a problem with the routing specified in the connected hosts or routers.
Another test can be performed by running the command arpsnoop on the firewall console. It will dump ARP packets heard on selected interfaces. Arpsnoop is a convenient method of verifying that the correct cables are attached to the correct interfaces.
Device:/> arpsnoop -all
ARP snooping active on interfaces: if1 if2 if3 if4
ARP on if2: gw-world requesting ip_if2
ARP on if1: 192.168.1.5 requesting ip_if1