StackCap43382
Contributor

Possible SXL NAT Template Issue?

Hello,

We are observing the following log in /var/log/ increasing as increased traffic passes through the firewall.  

[fw4_2];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1

[fw4_1];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1

[fw4_3];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1

 

"-1" as a negative value indicates an invalid exit path interface and the traffic is being black-holed as a result. 

 

Am I right in thinking this is likely an SXL NAT Template issue? Can't find anything in the SKs regarding this specific error. 

It's an R80.10 HA deployment well behind in its patching. 

 

Anyone seen this before?

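As an added example (not from the original post or from Check Point), a small Python parser that counts the message quoted above per firewall worker instance and per (in_ifn, out_ifn) pair, and flags the entries whose out_ifn is negative; the sample lines and their syslog prefix are constructed, not taken from the poster's box.

```python
import re
from collections import Counter

# Pattern for the kernel message quoted in the thread; "fw4_N" is the
# firewall worker instance that reported it.
XLATE_RE = re.compile(
    r"\[(?P<instance>fw4_\d+)\];fw_xlate_new_conn_from_template: "
    r"invalid ifn\. in_ifn = (?P<in_ifn>-?\d+), out_ifn = (?P<out_ifn>-?\d+)"
)

# Constructed sample lines (assumed syslog prefix; not real log output).
SAMPLE_LOG = """\
Mar  3 10:00:01 2020 fw-a kernel: [fw4_2];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
Mar  3 10:00:01 2020 fw-a kernel: [fw4_1];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
Mar  3 10:00:02 2020 fw-a kernel: [fw4_3];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
Mar  3 10:00:02 2020 fw-a kernel: [fw4_2];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
Mar  3 10:00:03 2020 fw-a kernel: [fw4_0];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 12, out_ifn = 7
Mar  3 10:00:03 2020 fw-a kernel: [fw4_1];some unrelated message
"""


def parse_xlate_errors(lines):
    """Return (instance, in_ifn, out_ifn) for every line carrying the message."""
    records = []
    for line in lines:
        m = XLATE_RE.search(line)
        if m:
            records.append((m.group("instance"),
                            int(m.group("in_ifn")),
                            int(m.group("out_ifn"))))
    return records


def summarize(records):
    """Count messages per worker and per interface pair; a negative out_ifn
    means no valid egress interface was resolved for the templated connection."""
    per_instance = Counter(r[0] for r in records)
    per_pair = Counter((r[1], r[2]) for r in records)
    invalid = sum(1 for r in records if r[2] < 0)
    return {
        "total": len(records),
        "invalid_out_ifn": invalid,
        "per_instance": dict(per_instance),
        "per_pair": dict(per_pair),
    }


if __name__ == "__main__":
    print(summarize(parse_xlate_errors(SAMPLE_LOG.splitlines())))
```

Run it against /var/log/messages (or the file the gateway writes these to) to see whether the count is spread across workers and whether in_ifn is always the same interface index, which narrows where to look.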
Timothy_Hall
Champion

What does output of fwaccel stat show, are NAT Templates enabled?  They were not enabled by default in your release and I wouldn't recommend enabling on R80.10 especially without the latest Jumbo HFA, as there were numerous issues with NAT Templates (a sampling of the issues is below). That error looks like it is being reported by a firewall worker though and all NAT Templating operations were handled by sim/SecureXL in that version, so I'm not sure.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
StackCap43382
Contributor

Hi Tim,

I should have put this in the OP but yes someone has enabled NAT templates at some point. 

I also found it odd that the fw workers are complaining here.

This'll likely need to go to TAC but the response is going to be "Patch" which I've already said is required. 

I've just never seen that log entry before and it seems awfully strange. 

Also disabling NAT templates might be an issue as this appliance is generating hundreds of CUL messages a day and memory is threatening to creep into SWAP.

There are also table limits inherited from a previous version upgrade which may be playing a part. All good fun.  
Timothy_Hall
Champion

NAT Templates were not enabled by default until R80.20 when SecureXL got a serious overhaul.  I'd be leery of leaving NAT Templates enabled on versions R80.10 and earlier (even if patched) due to the very rough start that feature got.  NAT Templates do save CPU overhead on the Firewall Workers, so if you are getting CUL alerts it sounds like your firewall is pretty busy. 

Might be worth posting the "Super Seven" outputs from your active cluster member to see if some tuning would be helpful: S7PAC - Super Seven Performance Assessment Commands
