https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178451#M32691 <P>Hi</P><P>We have 2 R81.10 appliances in 2 separate sites, connected over our WAN. Behind each firewall, there is a wireless controller. The 2 wireless controllers are configured to connect to each other via Gre tunnels. However, the gre tunnel is not getting established between these 2 controllers. Each controller also have other gre tunnels to other wireless controllers at other sites on the WAN, which are established and working. It appears it is only the gre traffic between the 2 main controllers that is getting dropped at each firewall.&nbsp;</P><P>If I run tcpdump, I can see the traffic coming in to the interface but not going out. If I run fw ctl zdebug drop I get the message&nbsp;</P><P>"dropped by fw_handle_old_conn_recovery Reason: Other protocol packet that belongs to an old connection"&nbsp;</P><P>I'm unable to find much information on this particular message. Has anyone any ideas what it could point to and how I troubleshoot this? Any reason why some gre traffic goes through and other traffic is dropped?</P><P>Many Thanks<BR />Roy</P> Wed, 19 Apr 2023 08:26:45 GMT Roy_Smith 2023-04-19T08:26:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178451#M32691 <P>Hi</P><P>We have 2 R81.10 appliances in 2 separate sites, connected over our WAN. Behind each firewall, there is a wireless controller. The 2 wireless controllers are configured to connect to each other via Gre tunnels. However, the gre tunnel is not getting established between these 2 controllers. Each controller also have other gre tunnels to other wireless controllers at other sites on the WAN, which are established and working. It appears it is only the gre traffic between the 2 main controllers that is getting dropped at each firewall.&nbsp;</P><P>If I run tcpdump, I can see the traffic coming in to the interface but not going out. If I run fw ctl zdebug drop I get the message&nbsp;</P><P>"dropped by fw_handle_old_conn_recovery Reason: Other protocol packet that belongs to an old connection"&nbsp;</P><P>I'm unable to find much information on this particular message. Has anyone any ideas what it could point to and how I troubleshoot this? Any reason why some gre traffic goes through and other traffic is dropped?</P><P>Many Thanks<BR />Roy</P> Wed, 19 Apr 2023 08:26:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178451#M32691 Roy_Smith 2023-04-19T08:26:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178480#M32695 <P>sk121933 talks to a similar drop reason for UDP traffic flows.</P> <P>Can I confirm your connect persistence settings, are they set to keep or rematch?</P> <P>Is the issue always present or only after someone performs a policy installation for the intermediate gateway?</P> Wed, 19 Apr 2023 14:02:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178480#M32695 Chris_Atkinson 2023-04-19T14:02:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178570#M32706 <P>Chris</P><P>Thanks for that. I initially went through the sk article but did not see any difference. I decided to go through the clear connections steps on both gateways and that appears to have resolved the issue.&nbsp;</P><P>Thanks<BR />Roy</P> Thu, 20 Apr 2023 07:07:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gre-Tunnel-traffic-being-dropped/m-p/178570#M32706 Roy_Smith 2023-04-20T07:07:32Z