Phone Lines icon GFI Support Home

Articles in this section

See more

Packets being Dropped Sporadically

Author: Sanket Ghia Updated

Overview

Some HTTP requests arrive and some drop for an HTTP service published on a TCP port (eg: 8089). The ones that don't pass through are logged as DROP in the Filter log along with the Traffic rule's name due to which it was dropped. However, this Traffic rule is actually defined to accept this traffic, thus making the reason unclear for the drop of these packets.

To further identify this issue, the Packets dropped for some reason option in the Debug log is enabled. After the issue is seen again, the below GeoIP filter drop reason for the dropped HTTP packets is seen in the Debug log:

[19/Feb/2021 13:25:14] {pktdrop} packet dropped: GeoIP filter drop (from WAN, proto:TCP,
len:60, vvv.xxx.yyy.zzz:nnnnn -> aaa.bbb.ccc.ddd:8089, flags:[ SYN ], seq:822508039 ack:0,
win:33600, tcplen:0)

 

Solution

The IP address vvv.xxx.yyy.zzz seen in the Debug log can be searched on a 3rd-party site to know it's country. The country to which this IP address belongs is not on your list of excluded/blocked countries in Kerio Control and so, the traffic should be specifically allowed from this IP address - country pair.

Kerio Control's local GeoIP database (which stores the IP address - country pairs) can sometimes miscategorize IP addresses and countries. So, the GeoIP database on Kerio Control's end should be updated to allow traffic from this IP address - country pair using the below steps:

  1. SSH into your Kerio Control appliance.
  2. Open the /opt/kerio/winroute/geoip.csv file using an editor like nano or vi.
  3. Search for the country to which the IP address vvv.xxx.yyy.zzz belongs and note the code for the same. Eg: If the country searched is Belgium, then, the entry in the file will be 2802361,en,EU,Europe,BE,Belgium. The 2802361 code should be noted.
  4. Exit the editor.
  5. Follow the steps shown in the Manually Updating GeoIP Database article. In step 3 of the article, create an entry <IP address>/32,<code found in step 3>. An example of the IP address entry with the country code for Belgium: vvv.xxx.yyy.zzz/32,2802361.

The above steps can be repeated for any other IP address - country code pairs if more such IP addresses are found from where the packets are getting dropped.

 

Testing

There should be no more packets dropped for the HTTP service on the TCP port.

In case packets are still being dropped for this service, then follow the below steps to collect information for troubleshooting purposes for our Support team:

  1. Login to Kerio Control web administration interface.
  2. Go to Logs > Debug.
  3. Right-click on the log-panel and select Messages
  4. Enable only Packets dropped for some reason and GeoIP and click OK.
  5. Right-click on the log-panel and select Clear Log.
  6. Go to Logs > Filter.
  7. Right-click on the log-panel and select Clear Log.
  8. Reproduce the issue.

Open a support ticket with us with the below information from the web administration interface and attach it with the ticket:

  1. Download the Debug log file:
    1. Go to Logs > Debug.
    2. Right-click on the log panel and select Save Log.
    3. Select Plain text, Full file, and click OK.
  2. Download the Filter log file:
    1. Go to Logs > Filter.
    2. Right-click on the log panel and select Save Log.
    3. Select Plain text, Full file, and click OK.
  3. Download the Support Information file from Status > System Health > Support information.
  4. Screenshot of all the Traffic rules from Configuration > Traffic Rules.
  5. Screenshot of the output of testing of Traffic rules for the IP address/es for which the packets are dropped. The steps for this testing can be found in the Testing traffic rules section of the Troubleshooting Traffic Rules in Kerio Control article.

Related articles