This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
minhhaivietnam
Collaborator
‎2019-09-15 12:31 AM
Jump to solution

ICMP reply does not match a previous request

Hello friends,

I have multicast topology like this:

Router1(receiver multicast)------>Checkpoint R80------->Router2-----Router3(Multicast sender)

All devices run PIM-SM mode.

On router1: I join group 239.9.9.9

On router2: ping to 239.9.9.9

Result: Not success

I check log on firewall and see that this error

multicast.png

 

Please help me

Thanks a alot!!

 

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-15 02:49 AM
Jump to solution

If SmartView Tracker shows that ICMP packets are dropped with "message_info: ICMP reply does not match a previous request" log.
 
This drop is related to stateful inspection of ICMP. Due to a mismatch between the ID of ICMP Reply and the ID of the original recorded ICMP Request, Security Gateway will not find the original ICMP Request in the Connections table (id 8158) and will drop this ICMP Reply packet as out-of-state.
 
Try to find out why the replying device (or what forwarding device) is changing the ID in the ICMP Reply packet.
 

As an immediate solution or workaround, disable the Stateful Inspection for ICMP to allow this traffic:

  1. In SmartDashboard, go to the Policy menu - click on the Global Properties....

  2. In the left tree, click on the Stateful Inspection.

  3. Clear the box "Drop out of state ICMP packets" - click on OK

  4. Install Policy

Note: Disabling the Stateful Inspection will lower the security. This should be done with caution and only as the last resort.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

3 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-15 02:49 AM
Jump to solution

If SmartView Tracker shows that ICMP packets are dropped with "message_info: ICMP reply does not match a previous request" log.
 
This drop is related to stateful inspection of ICMP. Due to a mismatch between the ID of ICMP Reply and the ID of the original recorded ICMP Request, Security Gateway will not find the original ICMP Request in the Connections table (id 8158) and will drop this ICMP Reply packet as out-of-state.
 
Try to find out why the replying device (or what forwarding device) is changing the ID in the ICMP Reply packet.
 

As an immediate solution or workaround, disable the Stateful Inspection for ICMP to allow this traffic:

  1. In SmartDashboard, go to the Policy menu - click on the Global Properties....

  2. In the left tree, click on the Stateful Inspection.

  3. Clear the box "Drop out of state ICMP packets" - click on OK

  4. Install Policy

Note: Disabling the Stateful Inspection will lower the security. This should be done with caution and only as the last resort.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
minhhaivietnam
Collaborator
‎2019-09-15 03:15 AM
In response to HeikoAnkenbrand
Jump to solution

Tks heiko a lot.

I do as your comment, ping now is OK,

one more question: if I set static NAT on firewall: IP router1-->translate to a.b.c.d

, when router1(multicast receiver) send "IGMP join" packet through firewall, I see that static nat does not work ( the source IP is not translated to a.b.c.d)

so i think checkpoint not support nat in multicast? Is this true

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top