Create a Post
Showing results for 
Search instead for 
Did you mean: 

Unable Access Two Websites

Strange situation with a couple websites.  ( and

We have an HA cluster of 15600s R80.10, all other internet traffic works fine just the above two sites fail to load and timeout, logs show no drops.

All internet traffic is hidden with manual NAT rule behind the VIP of the cluster.  If I NAT traffic behind another of our  external IP addresses the pages load fine.  

I'm guessing it has something to do with the VIP of the cluster but can't seem to find where the issue is.

I have checked and we are not using VMAC with the cluster.

It's strange as these two sites seem to be just login portals and I've not heard from users of any other site experiencing anything like this.




0 Kudos
3 Replies

Have you compared tcpdump output between the "working" and "not working" configuration?
Perhaps there is some clue there.
0 Kudos

Hi Jason

Are the test IPs from a different subnet to the VIP or the same?

Perhaps the far end is imposing some IP based restrictions -or- there is a problem with the return route...

fw monitor or tcpdump may give you some further insight I.e. confirm if there is any reply traffic.




0 Kudos

Does it make a difference if you try and let it redirect into https, or go HTTPS directly with in the browser URL bar?  Also I assume using different browser types (i.e. Firefox vs. Chrome) doesn't make a difference?

There are some firewall drop events that won't generate a usual log entry, to find those run fw ctl zdebug drop then try to access those two sites through the cluster hide NAT.

Next step since you are on R80.10, is to try disabling SecureXL with fwaccel off then try to access the websites again.  Be sure to turn SecureXL back on with fwaccel on when done.  Not likely to help but worth a try.

There could be a stability/setup problem with your cluster which is why moving it to an arbitrary hide address makes it work, try gracefully powering off the standby member, then see if the reachability of those two websites changes while there is only a "cluster of one".

Failing those, next step as was mentioned earlier is a packet capture using tcpdump.


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at
0 Kudos