Troubleshooting traffic rules
If a particular communication is broken (for example, your users cannot access the server example.com), your traffic rules may be blocking the communication. This article describes how to find packets dropped by a traffic rule and how to determine the traffic rule causing the problem.
Detecting IP addresses
Before you start, you must find out the IP address of dropped packets. You can use, for example, the DNS Lookup tool in Kerio Control:
- In the administration interface, go to Status > IP Tools.
- On the DNS Lookup tab, type the name of the server you cannot reach (example.com).
- Click Start.
- If the server name has a DNS record, you can see the IP address of the server in the Command output section.
Now you have two options for discovering the traffic rule blocking the server:
- Look for dropped packets in the Debug log.
- Test the rules in the Traffic Rules section.
Looking for dropped packets
Once you know the IP address, switch to the Debug log:
- In the administration interface, go to Logs > Debug.
- Right-click the Debug window.
- In the context menu, click Messages.
- In the Filtering section, select Packets dropped for some reason.
- In the Debug log, find the dropped packets using the IP address of the server.
Example:
[22/Dec/2015 15:32:40] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 212.212.62.103 > 69.172.201.208, type:8 code:0 id:12380 seq:1 ttl:64)
This tells you the following:
Log Text | Description |
---|---|
[22/Dec/2015 15:32:40] | Date and time of the dropped packet |
{pktdrop} | All packets caught by the Packets dropped for some reason message |
packet dropped: Traffic rule: Example traffic rule | Reason Kerio Control dropped the packet: The cause is Traffic rule and Kerio Control adds the name of the rule |
212.212.62.103 > 69.172.201.208 | Source and target IP addresses |
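When the Debug log holds many drops, the same fields can be extracted and counted per rule outside the administration interface. The following is an added example, not Kerio's own code: it assumes every traffic-rule drop follows the layout of the single line shown above, and the names `parse_drop` and `rules_dropping` and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Layout taken from the single {pktdrop} line shown on this page (assumption).
DROP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \{pktdrop\} packet dropped: "
    r"Traffic rule: (?P<rule>.+?) \(to (?P<iface>[^,]+), "
    r"proto:(?P<proto>[^,]+), len:(?P<len>\d+), "
    r"(?P<src>[^\s,]+) > (?P<dst>[^\s,]+)"
)

def parse_drop(line):
    """Return the fields of a traffic-rule drop, or None if the line differs."""
    m = DROP_RE.match(line.strip())
    if m is None:
        return None
    try:
        return {
            "time": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            "rule": m["rule"],
            "interface": m["iface"],
            "proto": m["proto"],
            "length": int(m["len"]),
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
        }
    except ValueError:  # malformed timestamp or address: skip the line
        return None

def rules_dropping(lines, server_ip):
    """Count drops per traffic rule for packets sent to server_ip."""
    target = ip_address(server_ip)
    hits = Counter()
    for line in lines:
        drop = parse_drop(line)
        if drop and drop["dst"] == target:
            hits[drop["rule"]] += 1
    return hits

# First line is the page's example; the other three are constructed samples.
SAMPLE_LOG = [
    "[22/Dec/2015 15:32:40] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 212.212.62.103 > 69.172.201.208, type:8 code:0 id:12380 seq:1 ttl:64)",
    "[22/Dec/2015 15:32:41] {pktdrop} packet dropped: Traffic rule: Example traffic rule (to WAN, proto:ICMP, len:84, 212.212.62.103 > 69.172.201.208, type:8 code:0 id:12380 seq:2 ttl:64)",
    "[22/Dec/2015 15:33:05] {pktdrop} packet dropped: Traffic rule: Block guests (test) (to WAN, proto:ICMP, len:84, 10.0.0.5 > 192.0.2.10, type:8 code:0 id:77 seq:1 ttl:64)",
    "[22/Dec/2015 15:33:06] {other} unrelated debug message",
]
```

Calling `rules_dropping(SAMPLE_LOG, "69.172.201.208")` returns the rule names to check in the Traffic Rules section, with the number of drops each one caused.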
Testing traffic rules
The Test Rules feature shows all rules that match a particular packet description.
- In the administration interface, go to Traffic Rules.
- Click the Test Rules button.
- Type the source IP address of your firewall (212.212.62.103 in the example).
- Type the destination IP address of the server you cannot access (69.172.201.208 in the example).
- Click OK.
- The traffic rules list displays only rules matching the packet description. You can identify the faulty rule and fix it.
- After fixing the rule, click the Restore View button.
Now, you can again see all traffic rules.