Overview
Some HTTP requests reach an HTTP service published on a TCP port (e.g., 8089) while others are dropped. The dropped ones are logged as DROP in the Filter log along with the name of the Traffic rule that dropped them. However, this Traffic rule is actually defined to accept this traffic, which leaves the reason for the drop unclear.
To identify the issue further, the Packets dropped for some reason option in the Debug log is enabled. After the issue is seen again, the Debug log shows the below GeoIP filter drop reason for the dropped HTTP packets:
[19/Feb/2021 13:25:14] {pktdrop} packet dropped: GeoIP filter drop (from WAN, proto:TCP, len:60, vvv.xxx.yyy.zzz:nnnnn -> aaa.bbb.ccc.ddd:8089, flags:[ SYN ], seq:822508039 ack:0, win:33600, tcplen:0)
Solution
The IP address vvv.xxx.yyy.zzz seen in the Debug log can be searched on a 3rd-party site to find its country. The country to which this IP address belongs is not on your list of excluded/blocked countries in Kerio Control, so the traffic should be specifically allowed from this IP address - country pair.
Kerio Control's local GeoIP database (which stores the IP address - country pairs) can sometimes miscategorize IP addresses and countries. So, the GeoIP database on Kerio Control's end should be updated to allow traffic from this IP address - country pair using the below steps:
1. SSH into your Kerio Control appliance.
2. Open the /opt/kerio/winroute/geoip.csv file using an editor like nano or vi.
3. Search for the country to which the IP address vvv.xxx.yyy.zzz belongs and note the code for the same. E.g., if the country searched is Belgium, then the entry in the file will be 2802361,en,EU,Europe,BE,Belgium. The 2802361 code should be noted.
4. Exit the editor.
5. Follow the steps shown in the Manually Updating GeoIP Database article. In step 3 of the article, create an entry <IP address>/32,<code found in step 3>. An example of the IP address entry with the country code for Belgium: vvv.xxx.yyy.zzz/32,2802361.
The above steps can be repeated for any other IP address - country code pairs if packets are found to be dropped from more such IP addresses.
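When many sources are affected, the entries can be prepared from a saved Debug log instead of by hand. The script below is an added example, not Kerio's own tooling. It assumes the geoip.csv row layout matches the Belgium row quoted above (code, locale, continent code, continent name, ISO country code, country name); the function names and sample addresses are hypothetical. It emits an entry only for addresses whose country you have already verified, and lists the rest separately.

```python
import csv, io, ipaddress, re
from collections import Counter

# Pattern follows the Debug log line quoted in the article.
DROP_RE = re.compile(r"\{pktdrop\} packet dropped: GeoIP filter drop \(from [^,]+, proto:\w+, "
                     r"len:\d+, (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+),")

def geoip_drops(log_text, port):
    """Count GeoIP-filter drops per source IP for one published port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        try:
            hits[str(ipaddress.IPv4Address(m["src"]))] += 1
        except ValueError:
            continue  # malformed address: never emit an entry for it
    return hits

def country_codes(geoip_csv_text):
    """ISO country code -> numeric code, from rows shaped like the article's sample row."""
    codes = {}
    for row in csv.reader(io.StringIO(geoip_csv_text)):
        if len(row) == 6 and row[0].isdigit() and len(row[4]) == 2:
            codes[row[4].upper()] = row[0]
    return codes

def override_entries(hits, verified_country, codes):
    """Build '<IP>/32,<code>' lines only for IPs whose country was checked by hand."""
    entries, unresolved = [], []
    for ip in sorted(hits, key=ipaddress.IPv4Address):
        code = codes.get(verified_country.get(ip, "").upper())
        if code:
            entries.append(f"{ip}/32,{code}")
        else:
            unresolved.append(ip)
    return entries, unresolved

# Constructed sample input (documentation-range addresses, not real traffic).
LINE = ("[19/Feb/2021 13:25:14] {pktdrop} packet dropped: GeoIP filter drop (from WAN, proto:TCP, "
        "len:60, %s:51514 -> 192.0.2.10:%d, flags:[ SYN ], seq:822508039 ack:0, win:33600, tcplen:0)")
SAMPLE_LOG = "\n".join(LINE % s for s in [("203.0.113.7", 8089), ("203.0.113.7", 8089),
                                          ("198.51.100.23", 8089), ("198.51.100.99", 22)])
SAMPLE_GEOIP = "2802361,en,EU,Europe,BE,Belgium\n"  # the row quoted in the article

if __name__ == "__main__":
    hits = geoip_drops(SAMPLE_LOG, 8089)
    print(hits, override_entries(hits, {"203.0.113.7": "BE"}, country_codes(SAMPLE_GEOIP)))
```

Addresses returned in the second list have no verified country yet and should be looked up before any entry is created for them.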
Testing
There should be no more packets dropped for the HTTP service on the TCP port.
In case packets are still being dropped for this service, then follow the below steps to collect information for troubleshooting purposes for our Support team:
- Log in to the Kerio Control web administration interface.
- Go to Logs > Debug.
- Right-click on the log-panel and select Messages.
- Enable only Packets dropped for some reason and GeoIP and click OK.
- Right-click on the log-panel and select Clear Log.
- Go to Logs > Filter.
- Right-click on the log-panel and select Clear Log.
- Reproduce the issue.
Open a support ticket with us and attach the below information from the web administration interface to the ticket:
- Download the Debug log file:
  - Go to Logs > Debug.
  - Right-click on the log panel and select Save Log.
  - Select Plain text, Full file, and click OK.
- Download the Filter log file:
  - Go to Logs > Filter.
  - Right-click on the log panel and select Save Log.
  - Select Plain text, Full file, and click OK.
- Download the Support Information file from Status > System Health > Support information.
- Screenshot of all the Traffic rules from Configuration > Traffic Rules.
- Screenshot of the output of testing of Traffic rules for the IP address/es for which the packets are dropped. The steps for this testing can be found in the Testing traffic rules section of the Troubleshooting Traffic Rules in Kerio Control article.