This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-11-10 03:26 AM

SolarWinds Orion

Hi Mates!

The customer is experiencing intermittent ICMP DOWN  alert events reported by SolarWinds, i checked on the firewall site but i dont'see nothing realted, have any idea?
Orion polls ICMP every 3 minutes.

0 Kudos
26 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-10 04:14 AM

What address is being probed is there a VPN involved or is the gateway under load?

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor
‎2025-11-10 04:46 AM
In response to Chris_Atkinson

Orion go out through a cluster, there is no VPN involved 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-10 04:49 AM
In response to RemoteUser

Hey brother,

Are there any relevant logs in Smart Console you can see about this?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor
‎2025-11-10 05:17 AM
In response to the_rock

the only thing that i see it is that:
dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-10 05:23 AM
In response to RemoteUser

https://support.checkpoint.com/results/sk/sk66443

https://community.checkpoint.com/t5/General-Topics/ICMP-reply-does-not-match-a-previous-request/td-p...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor
‎2025-11-10 05:31 AM
In response to the_rock

yeah brother, i know about that, but the main purpose it's to understand why it happens

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-10 05:32 AM
In response to RemoteUser

My most educated guess is assymetric routing. Thats what I always experienced, since R55 days.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-10 05:56 PM
In response to RemoteUser

Hey bro,

Just curious. when did this issue happen?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor
‎2025-11-10 10:42 PM
In response to the_rock

one month ago brother

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-11 04:46 AM
In response to RemoteUser

Can you find any relevant logs around that time that could potentially help us figure out why this may have happened?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-10 05:38 AM
In response to RemoteUser

Any aggressive aging active log messages or cluster failover events that correspond?

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor
‎2025-11-10 10:42 PM
In response to Chris_Atkinson

I'm sorry, I don't understand your question.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-11 03:28 AM
In response to RemoteUser

Its aggressive aging protection, brother, check out below.

https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Shyy
Participant
‎2025-11-11 01:26 AM

Happened to me once due to asymetric routing,
I'd suggest to check the revisions and look at the changes that were probably made around the time the issue started.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-11 05:01 PM

Hey brother,

I did some more research on this and found some notes about this tool when I worked with one of our customers few years ago on some alerts and it turned out to be false positive. Can you check with the client if thats a possibility?

Best,
Andy
"Have a great day and if its not, change it"
genisis__
MVP Silver
MVP Silver
‎2025-11-12 01:03 AM

Is this just polling a standard gateway or VSX? 

Only issue I've seen is when you attempt to ping the cluster IP and a real IP on the node.

0 Kudos
RemoteUser
Advisor
‎2025-11-12 01:08 AM
In response to genisis__

standard gw, what you mean by the real IP

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-11-12 01:45 AM
In response to RemoteUser

If you are ping the cluster IP and the real IP it likely won't work on the active gateway (See SK26874),  I specifically experienced this on VSX, so may not be relevant.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-12 03:47 AM
In response to RemoteUser

But is it cluster or single gw?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 06:50 AM

Hey brother,

Any news about this?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor
‎2025-11-13 10:34 PM
In response to the_rock

hey brother,
seems to be Asymmetric routing

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-14 04:12 AM
In response to RemoteUser

Thats what we initially thought as well.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-11-16 06:37 AM
In response to RemoteUser

Did you resolve it then?

0 Kudos
RemoteUser
Advisor
‎2025-11-17 12:01 AM
In response to genisis__

nope not yet, what kind of actions do you usually take to determine whether the issue is caused by asymmetric routing?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-17 03:02 AM
In response to RemoteUser

Hey bro,

I would double check interface topology, if not sure, just set it per routing option, thats default anyway and recommended too. Now, obviously, goes without saying, dont make any changes if not sure, as it would break things.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-16 08:16 AM
In response to RemoteUser

Maybe do ip r g command to relevant IP address. Example ip r g 8.8.8.8

Best,
Andy
"Have a great day and if its not, change it"

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events