https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128268#M18675 <P>ICMP is never accelerated by SecureXL and always goes F2F, so disabling SecureXL shouldn't have any effect on this issue.&nbsp; I'm assuming this has something to do with Smart Connection Reuse, although it isn't employed for non-TCP connections/sessions, at least to my knowledge:&nbsp;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk24960&amp;partition=Advanced&amp;product=Quantum" target="_blank" rel="noopener">sk24960: "Smart Connection Reuse" feature modifies some SYN packets</A></P> Fri, 27 Aug 2021 23:14:13 GMT Timothy_Hall 2021-08-27T23:14:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128231#M18665 <P>Hi Team, This is R80.20 and my packets are getting dropped with below error which I captured using fw ctl zdebug. There is a PBR configured on firewall for source IP x.x.x.x for Internet as destination.</P><P>Surprisingly web traffic works fine however only ICMP is getting dropped. Any reason&nbsp; why? I tried searching through lot of SKs however none of them was pinpoint to the below error neither any one has worked</P><P>&nbsp;</P><P>@;3779257712;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -&gt; 8.8.8.8:63298 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;<BR />@;3779396743;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -&gt; 8.8.8.8:63297 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;<BR />@;3779497504;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -&gt; 8.8.8.8:63296 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;<BR />@;3779590799;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -&gt; 8.8.8.8:63295 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 27 Aug 2021 12:07:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128231#M18665 Blason_R 2021-08-27T12:07:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128232#M18666 <P>I had seen this before be caused by securexl. If you disable it and it works, then below would apply.</P> <P><SPAN>Permanently set the value of kernel parameter&nbsp;</SPAN><STRONG><CODE>fwconn_set_esp_after_nat_links</CODE></STRONG><SPAN>&nbsp;to&nbsp;</SPAN><STRONG>1</STRONG><SPAN>&nbsp;(one) - follow&nbsp;</SPAN><A href="http://supportcontent.checkpoint.com/solutions?id=sk26202" target="_blank" rel="noopener">sk26202 (Changing the kernel global parameters for Check Point Security Gateway)</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Andy</SPAN></P> Fri, 27 Aug 2021 12:11:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128232#M18666 the_rock 2021-08-27T12:11:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128233#M18667 <P>Yeah initially I thought so hence I had disabled securexl as well however it did not work. fwaccel off is the only thing that I need to do?</P> Fri, 27 Aug 2021 12:19:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128233#M18667 Blason_R 2021-08-27T12:19:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128234#M18668 <P>Thats all I found, sorry brother.</P> Fri, 27 Aug 2021 12:40:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128234#M18668 the_rock 2021-08-27T12:40:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128268#M18675 <P>ICMP is never accelerated by SecureXL and always goes F2F, so disabling SecureXL shouldn't have any effect on this issue.&nbsp; I'm assuming this has something to do with Smart Connection Reuse, although it isn't employed for non-TCP connections/sessions, at least to my knowledge:&nbsp;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk24960&amp;partition=Advanced&amp;product=Quantum" target="_blank" rel="noopener">sk24960: "Smart Connection Reuse" feature modifies some SYN packets</A></P> Fri, 27 Aug 2021 23:14:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128268#M18675 Timothy_Hall 2021-08-27T23:14:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128269#M18676 <P>True true...I remember having to do that sk once before when customer upgraded from R80.20 to R80.30, but never related to errors in the post.</P> Fri, 27 Aug 2021 23:07:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128269#M18676 the_rock 2021-08-27T23:07:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128405#M18702 <P>Any way I now removed the PBR and it started working fine.</P><P>&nbsp;</P> Tue, 31 Aug 2021 05:07:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/What-could-be-the-reason-behind-this-drop/m-p/128405#M18702 Blason_R 2021-08-31T05:07:27Z