okatsladz454
Contributor

Loop prevention drops

Good afternoon.


We are faced with the following problem - some of the packets going to certain Internet addresses are dropped at the kernel level with an error (find it in zdebug + drop):

resume_inbound_from_vm_reinject: dropping packet of for vsid=0 due to loop prevention (nloops=4, pkt_type VM Reinject, prev state Lookup, next state Lookup, in flags 0x4). 

Gaia version: R82 take 44 Maestro (Any problems with distribution and asymmetric excluded)

There are two connections - intranet and extranet, both transmit routes via BGP.

The problem occurs only on a part of the connections and only to connections at certain white addresses. There are no problems with other connections that use the same access control policy rules and the same logic.


Questions:

1. What does loop prevention even mean? Does this apply to STP? Or to routing and loop protection in BGP? fwaccel stats -d is showing a huge amount of drops caused by loop prevention.

2. Any clues, how to fix this?

 

 






 

 

0 Kudos
13 Replies
the_rock
MVP Platinum

I can't seem to open the image you attached (this seems to be an issue with everyone lately, anything attached shows virus scan in progress... maybe @_Val_ or @PhoneBoy can comment on that part).

Now, as far as your issue...definitely STP can be related...is it enabled or not?

Best,
Andy
0 Kudos
PhoneBoy
Admin

Will check on the virus scan issue.

the_rock
MVP Platinum

Not a huge issue, but I did notice it for everyone whose attachments I tried opening last few days...

Best,
Andy
0 Kudos
PhoneBoy
Admin

Seems to be a known issue that is in the process of being addressed.

okatsladz454
Contributor

Thanks for the reply. I don't think STP has any effect - if it did, then loop protection would occur on all traffic, and not just on a very specific one. I need to understand specifically what loop prevention generally refers to.

0 Kudos
the_rock
MVP Platinum

Usually, should be enabled.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Are these drops for legitimate traffic flows or just something that you've observed?

How is the routing configured for the subnet in question on the Firewall and downstream device...

CCSM R77/R80/ELITE
0 Kudos
okatsladz454
Contributor

Good morning.

This directly affects the third party of VPN tunnels going through the firewall. Not all of them, just not a very large part, but we don't have an answer as to why these particular tunnels are affected and others are not.

Routing is set up very simply - down (to the LAN of the organization) via BGP, up (to the provider) also via BGP, but using a public ASN.


0 Kudos
the_rock
MVP Platinum

Is there any difference with those tunnels? route or domain based?

Best,
Andy
0 Kudos
okatsladz454
Contributor

I see no difference.

They're all transit, Check Point is just making a translation.

0 Kudos
the_rock
MVP Platinum

Might be worth TAC case then to check further.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

Hey mate,

Were you able to make any progress with this?

Best,
Andy
0 Kudos
_Val_
Admin

Please open a TAC request for this via https://help.checkpoint.com

0 Kudos
