RemoteUser
Advisor

SIP dropped by fw_post_vm_chain_handler Reason: Handler 'sip_manager' drop

Hi,
I'm struggling with this error: dropped by fw_post_vm_chain_handler. Reason: Handler 'sip_manager' drop; on the gateway.

The rule that allows traffic exists. Also, in the inspection information in the log, I see: illegal IP address, possible spoofing.

I've opened a case with support, but their response is slow...

Thank you

0 Kudos
14 Replies
RemoteUser
Advisor

Hello, thank you for your reply. Only I don't understand in what way you can think that this log I reported to you can be related to the SK you shared. In the logs I see from SmartConsole it says illegal IP address; how can it be related to the number of pending data connections?
Thank you very much for your answer, just to understand better.

0 Kudos
Tal_Paz-Fridman
Employee

I saw it was recommended to a customer that had a similar issue. 

To be sure ask about this option as well.

0 Kudos
the_rock
Legend

Hey mate,

I would also follow below.

Andy

https://support.checkpoint.com/results/sk/sk95369

0 Kudos
RemoteUser
Advisor

Hi Andy, I took a careful look here to see if the error was reported in the log message, because it is a very strange log error (we have SIP running over UDP).

(14-2) SIP

Log message: NOTIFY message out of state
Possible cause: This message can appear for numerous messages, not only for NOTIFY. It usually indicates a problem in the SIP state machine.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.

Log message: Violated unidirectional connection
Possible cause: Trying to use bi-directional SIP connections.
Suggested solution: In the rulebase, add the 'sip_dynamic_ports' service (located in the 'Other' group) to the corresponding SIP rule.

Log message: Connection contains real IP of NATed address
Possible cause: A real IP address appeared instead of the NATed IP address.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.

Log message: Malformed SIP datagram, invalid SIP headers
Possible cause: Security Gateway expected a certain field in the SIP packet, but the field is missing.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.

Log message: Enforcing major security - reinvents rejected
Possible cause: The destination tries to reinvent a call.
Suggested solution: Disable the "Block the destination from re-inviting calls" setting in the relevant IPS profile.

Note: This setting prevents the destination from opening additional data connections with IP addresses that are not the same as the first data connection while a call is still active.

Follow these steps:

  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

  2. Connect to Security Management Server with GuiDBedit Tool.

  3. In the left upper pane, go to 'Table' - 'Managed Objects' - 'asm'.

  4. In the right upper pane, select the relevant IPS profile (Class Name = advanced_security).

  5. Press CTRL+F (or go to 'Search' menu - 'Find') - paste sip_enforce_security_reinvite - click on 'Find Next'.

  6. In the lower pane, right-click on the sip_enforce_security_reinvite - 'Edit...' - choose "false" - click on 'OK'.

  7. Save the changes: go to 'File' menu - click on 'Save All'.

  8. Close the GuiDBedit Tool.

  9. Connect to Security Management Server with SmartDashboard.

  10. Install the policy onto the relevant Security Gateway / Cluster object.

Log message: Reinvents exceeds the limit
Possible cause: The number of maximum allowed invitations per call has been exceeded.
Suggested solution: Increase the value of "Maximum invitations per call (from both directions)" in the IPS "SIP Protections" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - SIP - SIP Protections - select the relevant IPS Profile
0 Kudos
the_rock
Legend

You see the log in smart console being accepted?

Andy

0 Kudos
RemoteUser
Advisor

Traffic is dropped, BUT we see that traffic accepted to an IP of the same subnet in the rule created... is blocked from the source (illegal IP address), but the rule exists...

0 Kudos
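As an added example (not from this thread and not Check Point code), a small triage script over constructed, pipe-separated log lines: it separates sip_manager handler drops from rulebase drops and lists the sources flagged 'illegal IP address' that are also accepted to a neighbouring destination in the same /24, which is the pattern described above. The field layout, the sample addresses and the /24 grouping are my assumptions.

```python
"""Triage SIP drop log lines: split SIP-inspection (sip_manager) drops from
rulebase drops and list sources the handler flagged as 'illegal IP address'.
Added example; the pipe-separated layout is constructed, not an export format."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic).
# Field order: action|src|dst|dport|reason|inspection
SAMPLE_LOG = """\
drop|203.0.113.10|192.0.2.20|5060|dropped by fw_post_vm_chain_handler Reason: Handler 'sip_manager' drop|illegal IP address, possible spoofing
accept|203.0.113.10|192.0.2.21|5060||
drop|203.0.113.11|192.0.2.20|5060|dropped by fw_post_vm_chain_handler Reason: Handler 'sip_manager' drop|illegal IP address, possible spoofing
drop|198.51.100.5|192.0.2.20|5060|Rulebase drop|
"""

FIELDS = ("action", "src", "dst", "dport", "reason", "inspection")

def parse_line(line):
    """Return a dict for one line, or None for a malformed line (skipped, not fatal)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def triage(log_text):
    """Count drops by category and find sources that the rule accepts but the SIP handler rejects."""
    handler_drops = Counter()           # (src, dst) -> sip_manager drops
    rulebase_drops = Counter()          # (src, dst) -> other drops
    flagged_sources = set()             # sources seen with 'illegal IP address'
    accepts_by_src = defaultdict(set)   # src -> accepted destinations
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["src"]:
            continue
        key = (rec["src"], rec["dst"])
        if rec["action"] == "accept":
            accepts_by_src[rec["src"]].add(rec["dst"])
        elif "sip_manager" in rec["reason"]:
            handler_drops[key] += 1
            if "illegal IP address" in rec["inspection"]:
                flagged_sources.add(rec["src"])
        elif rec["action"] == "drop":
            rulebase_drops[key] += 1
    # A flagged source that is also accepted to a neighbour in the same /24 (assumed
    # subnet size) is the thread's pattern: the rule matches, the SIP handler drops.
    inconsistent = {
        src for src in flagged_sources for dst in accepts_by_src.get(src, ())
        for (s, d) in handler_drops
        if s == src and ipaddress.ip_address(dst) in ipaddress.ip_network(d + "/24", strict=False)
    }
    return {"handler_drops": dict(handler_drops), "rulebase_drops": dict(rulebase_drops),
            "flagged_sources": flagged_sources, "inconsistent_sources": inconsistent}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```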
the_rock
Legend

Try changing the service to use protocol none, or -

0 Kudos
RemoteUser
Advisor

The rule accepts this at the moment:

sip
icmp-proto
udp-5060-5080

0 Kudos
the_rock
Legend

Try sip like what I attached

Andy

0 Kudos
RemoteUser
Advisor

I tried to put only udp-5060 in the rule, but the issue is that the trunk is not working because there are drops: drops in the logs that identify certain IP addresses as illegal.

0 Kudos
PhoneBoy
Admin

Possible this SK might help: https://support.checkpoint.com/results/sk/sk120372 

RemoteUser
Advisor

Remove the SIP service object(s) from the involved Application Layer "Accept" rule and install the policy.
We have no SIP service object in the application layer...

0 Kudos
the_rock
Legend

Technically, you would not even need it in that layer, since most people would apply a blacklist approach, meaning an any-any allow at the end.

Andy
