Create a Post
Showing results for 
Search instead for 
Did you mean: 
Jump to solution

R80.20 MTU and SecureXL Problem


we have a Ethernet-Link (no VPN from Checkpoint) to a network where the MTU is 1422. If we set the mtu on the interface and disable SecureXL the Clients (with default MTU of 1500) get  the ICMP Fragmentation Packet and start to send packets with smaller MTU.

When we reactivate SecureXL the Clients starts to send 1500 byte packets again and do not get an ICMP Fragmentation paket from the Firewall.

We are using an Checkpoint 5600 Cluster with R80.20 with latest HFA.

Did anybody had the same problem?



35 Replies

Thx to Illya we received another hotfix (for the table not freeing up), running since 4 days without issue, i also put back the table size to 2000.

No i can see these kind of logs that i did not see before (meaining its actually freeing up the table).

@;676607171;[vs_2];[tid_3];[fw4_3];fwfrag_expires: IP fragment expiration reached, freeing cookies;

thx, keep you posted if the issue happen again, hope not.
0 Kudos

Great, thanks for the followup.


New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at
0 Kudos
i think that i can confirm that the issue was fixed by the patch :), thx all.
0 Kudos

Hello! In what Jumbo Hotfix Accumulator for R80.20 is the fix included? 

Take_103 GA 26 Aug 2019 or
Take_118 Latest 27 Oct 2019

BR, Kai

0 Kudos

Hi all,

A customer had this exact issue this week. He is running a cluster of 2 21400 with R80.20 JHF Take 91 (Distributed deployment). Deactivating SecureXL and increasing fragmented table size did not helped at all, we had to perform failovers.

We opened an SR with the TAC and pointed them to this thread asking for the fix, the assigned engenieer told us that it was included on JHF Take 118 even though is not specified in the release notes.

The issue did not repeeat after the installation of the mentioned take.

Employee Alumnus
Employee Alumnus

Fix exist since take 103 and it is documented in R80.20 SK:

 " In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway. "

0 Kudos