https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147003#M6769 <P>To confirm is the DHCP traffic specifically allowed in your policy and which objects were used here?</P> Mon, 25 Apr 2022 15:20:59 GMT Chris_Atkinson 2022-04-25T15:20:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146670#M6766 <P>Hi,</P><P>we use a Quantum Edge VNF on a VMWare SD WAN Edge. Everything seems to work. However, the broadcasts no longer arrive at the IP Helper.</P><P>In the log we found this:<BR />fwconn_ent_early_expiration: [now=1649416396] conn &lt;dir 1, 0.0.0.0:68 -&gt; 255.255.255.255:67 IPP 17&gt; reached early expiration;<BR />fwconn_ent_eligible_for_del : conn &lt;dir 1, 0.0.0.0:68 -&gt; 255.255.255.255:67 IPP 17&gt; is eligible for deletion;</P><P>Does anyone have an explanation for this?</P> Thu, 21 Apr 2022 07:33:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146670#M6766 HolgerHartwig 2022-04-21T07:33:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146987#M6767 <P>Hi - Is R80.20.35 used here or another/earlier version?</P> Mon, 25 Apr 2022 14:13:57 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146987#M6767 Chris_Atkinson 2022-04-25T14:13:57Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146989#M6768 <P>Hi Chris,<BR />we use R80.20.35 (992002577), we have also tried R80.20.15 but with the same problem.</P> Mon, 25 Apr 2022 14:28:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/146989#M6768 HolgerHartwig 2022-04-25T14:28:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147003#M6769 <P>To confirm is the DHCP traffic specifically allowed in your policy and which objects were used here?</P> Mon, 25 Apr 2022 15:20:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147003#M6769 Chris_Atkinson 2022-04-25T15:20:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147041#M6773 <P>Hi Chris,</P><P>just checked with our customer: Yes, there is a matching rule for DHCP inbound and outbound. We also tried disabling the setting "Accept incoming traffic to DHCP and DNS services of gateways" but nothing changed.</P><P>As always the packets show as allowed but it is not working. After removing VNF it starts to work immediately.</P> Tue, 26 Apr 2022 07:40:15 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147041#M6773 HolgerHartwig 2022-04-26T07:40:15Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147052#M6774 <P>Understood, with reference to the below do the rules look like those in sk104114 or something different?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DHCP-Relay1810280226.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16184i8162F8F8FD28BAEC/image-size/large?v=v2&amp;px=999" role="button" title="DHCP-Relay1810280226.png" alt="DHCP-Relay1810280226.png" /></span></P> <P>If the problem persists there after please investigate further with assistance from TAC.</P> Tue, 26 Apr 2022 09:01:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147052#M6774 Chris_Atkinson 2022-04-26T09:01:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147130#M6775 <P>Good Morning Chris,</P><P>it turned out that there's a bug in VMWare's SD WAN Edge software.</P><P>Switching to an older version removes all problems.</P><P>VMWare is already working on it.</P><P>Thanks for your help!!!</P> Wed, 27 Apr 2022 06:55:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Broadcasts-on-Quantum-Edge-VNF/m-p/147130#M6775 HolgerHartwig 2022-04-27T06:55:12Z