Troubleshooting Traffic Rules in Kerio Control

Overview

If a particular communication is broken, for example, your users cannot access the server example.com, your traffic rules may be blocking the communication. This article describes how to find packets dropped by a traffic rule and how to determine the traffic rule causing the problem.

 

Solution

Detecting IP addresses

Before you start, you must find out the IP address of the server whose packets are being dropped. You can use, for example, the DNS (Domain Name System) Lookup tool in Kerio Control:

  1. In the administration interface, go to Status > IP Tools.
  2. On the DNS Lookup tab, type the name of the server you cannot reach (example.com).
  3. Click Start.
  4. If the server name has a DNS record, you can see the IP address of the server in the Command output section.

 

Now you have two options for discovering the traffic rule blocking the server:

  1. Look for dropped packets in the Debug log.
  2. Test the rules in the Traffic Rules section.

Looking for dropped packets

Once you know the IP address, enable Packets dropped for some reason in Debug logs.

Example: 

[22/Sep/2020 15:32:40] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 1.1.1.1 > 2.2.2.2, type:8 code:0 id:12380 seq:1 ttl:64)

This indicates the following:

| Log Text | Description |
| --- | --- |
| [22/Sep/2020 15:32:40] | Date and time of the dropped packet |
| {pktdrop} | All packets caught by the Packets dropped for some reason message |
| packet dropped: Traffic rule: Example traffic rule | Reason Kerio Control dropped the packet: The cause is the Traffic rule and Kerio Control adds the name of the rule |
| 1.1.1.1 > 2.2.2.2 | Source and target IP addresses |
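
To apply the field breakdown above to a whole exported Debug log, the following added example (not part of the original article or of Kerio Control) parses {pktdrop} lines and counts the drops toward one destination per rule name. The pattern is derived from the single sample line shown here, so other protocols or product versions may need adjustments; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Built from the one sample line on this page (assumption: other protocols
# or product versions may lay out the parenthesised detail differently).
PKTDROP = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\{pktdrop\}\s+packet dropped:\s+"
    r"(?P<reason>.*)\s+\((?P<detail>[^()]*)\)\s*$"
)
ADDRS = re.compile(r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})")
RULE_PREFIX = "Traffic rule:"

def parse_pktdrop(line):
    """Return the fields of one {pktdrop} line, or None if it does not match."""
    m = PKTDROP.match(line.strip())
    addrs = ADDRS.search(m["detail"]) if m else None
    if not addrs:
        return None
    reason = m["reason"].strip()
    # The rule name follows "Traffic rule:" and may itself contain parentheses.
    rule = reason[len(RULE_PREFIX):].strip() if reason.startswith(RULE_PREFIX) else None
    tokens = m["detail"].replace(",", " ").split()
    fields = dict(t.split(":", 1) for t in tokens if ":" in t)
    return {"time": m["ts"], "reason": reason, "rule": rule,
            "src": addrs["src"], "dst": addrs["dst"], "proto": fields.get("proto")}

def rules_dropping(lines, dst_ip):
    """Count drops toward dst_ip, keyed by rule name (or raw reason if no rule)."""
    hits = Counter()
    for line in lines:
        rec = parse_pktdrop(line)
        if rec and rec["dst"] == dst_ip:
            hits[rec["rule"] or rec["reason"]] += 1
    return hits

# First line is the article's sample; the other two are constructed.
SAMPLE = [
    "[22/Sep/2020 15:32:40] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 1.1.1.1 > 2.2.2.2, type:8 code:0 id:12380 seq:1 ttl:64)",
    "[22/Sep/2020 15:32:41] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 1.1.1.1 > 2.2.2.2, type:8 code:0 id:12380 seq:2 ttl:64)",
    "[22/Sep/2020 15:32:42] {pktdrop} packet dropped: Traffic rule: Other rule (constructed) (to WAN, proto:ICMP, len:84, 1.1.1.1 > 3.3.3.3, type:8 code:0 id:12381 seq:1 ttl:64)",
]

if __name__ == "__main__":
    for rule, count in rules_dropping(SAMPLE, "2.2.2.2").most_common():
        print(f"{count:4d}  {rule}")
```

Lines that do not match the pattern are skipped, so a zero count for a destination means no parsed drop, not necessarily no drop.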

 

Testing traffic rules

The Test Rules feature shows all rules that match a particular packet description.

a. In the administration interface, go to Traffic Rules.

b. Click the Test Rules button.

c. Type the source IP address of your firewall (for example, 1.1.1.1).

d. Type the destination IP address of the server you cannot access (for example, 2.2.2.2).

e. Click OK.

f. The traffic rules list displays only the rules matching the packet description. You can identify the rule causing the problem and fix it.

g. After fixing the rule, click the Restore View button.

 

  1. Priyanka Bhotika
