https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62794#M12719 <DIV>If SmartView Tracker shows that ICMP packets are dropped with "message_info: ICMP reply does not match a previous request" log.</DIV> <DIV>&nbsp;</DIV> <DIV>This drop is related to stateful inspection of ICMP. Due to a mismatch between the ID of ICMP Reply and the ID of the original recorded ICMP Request, Security Gateway will not find the original ICMP Request in the Connections table (id 8158) and will drop this ICMP Reply packet&nbsp;as out-of-state.</DIV> <DIV>&nbsp;</DIV> <DIV>Try to find out why the replying device (or what forwarding device) is changing the ID in the ICMP Reply packet.</DIV> <DIV>&nbsp;</DIV> <DIV> <P>As an immediate solution or workaround, disable the Stateful Inspection for ICMP to allow this traffic:</P> <OL> <LI> <P>In SmartDashboard, go to the&nbsp;Policy&nbsp;menu - click on the&nbsp;Global Properties....</P> </LI> <LI> <P>In the left tree, click on the&nbsp;Stateful Inspection.</P> </LI> <LI> <P>Clear the box "Drop out of state ICMP packets" - click on OK</P> </LI> <LI>Install Policy</LI> </OL> <P>Note: Disabling the Stateful Inspection will lower the security. This should be done with caution and only as the last resort.</P> </DIV> Sun, 15 Sep 2019 09:49:30 GMT HeikoAnkenbrand 2019-09-15T09:49:30Z https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62792#M12718 <P>Hello friends,</P><P>I have multicast topology like this:</P><P>Router1(receiver multicast)------&gt;Checkpoint R80-------&gt;Router2-----Router3(Multicast sender)</P><P>All devices run PIM-SM mode.</P><P>On router1: I join group 239.9.9.9</P><P>On router2: ping to 239.9.9.9</P><P>Result: Not success</P><P>I check log on firewall and see that this error</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="multicast.png" style="width: 802px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2531iF69A1D3BB0BBE231/image-size/large?v=v2&amp;px=999" role="button" title="multicast.png" alt="multicast.png" /></span></P><P>&nbsp;</P><P>Please help me</P><P>Thanks a alot!!</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 15 Sep 2019 07:31:43 GMT https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62792#M12718 minhhaivietnam 2019-09-15T07:31:43Z https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62794#M12719 <DIV>If SmartView Tracker shows that ICMP packets are dropped with "message_info: ICMP reply does not match a previous request" log.</DIV> <DIV>&nbsp;</DIV> <DIV>This drop is related to stateful inspection of ICMP. Due to a mismatch between the ID of ICMP Reply and the ID of the original recorded ICMP Request, Security Gateway will not find the original ICMP Request in the Connections table (id 8158) and will drop this ICMP Reply packet&nbsp;as out-of-state.</DIV> <DIV>&nbsp;</DIV> <DIV>Try to find out why the replying device (or what forwarding device) is changing the ID in the ICMP Reply packet.</DIV> <DIV>&nbsp;</DIV> <DIV> <P>As an immediate solution or workaround, disable the Stateful Inspection for ICMP to allow this traffic:</P> <OL> <LI> <P>In SmartDashboard, go to the&nbsp;Policy&nbsp;menu - click on the&nbsp;Global Properties....</P> </LI> <LI> <P>In the left tree, click on the&nbsp;Stateful Inspection.</P> </LI> <LI> <P>Clear the box "Drop out of state ICMP packets" - click on OK</P> </LI> <LI>Install Policy</LI> </OL> <P>Note: Disabling the Stateful Inspection will lower the security. This should be done with caution and only as the last resort.</P> </DIV> Sun, 15 Sep 2019 09:49:30 GMT https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62794#M12719 HeikoAnkenbrand 2019-09-15T09:49:30Z https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62795#M12720 <P>Tks heiko a lot.</P><P>I do as your comment, ping now is OK,</P><P>one more question: if I set static NAT on firewall: IP router1--&gt;translate to a.b.c.d</P><P>, when router1(multicast receiver) send "IGMP join" packet through firewall, I see that static nat does not work ( the source IP is not translated to a.b.c.d)</P><P>so i think checkpoint not support nat in multicast? Is this true</P><P>&nbsp;</P> Sun, 15 Sep 2019 10:15:07 GMT https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62795#M12720 minhhaivietnam 2019-09-15T10:15:07Z https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62823#M12732 Not supported.<BR />See: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk157854" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk157854</A> Mon, 16 Sep 2019 00:13:54 GMT https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/m-p/62823#M12732 PhoneBoy 2019-09-16T00:13:54Z