This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2021-08-27 05:07 AM

What could be the reason behind this drop?

Hi Team, This is R80.20 and my packets are getting dropped with below error which I captured using fw ctl zdebug. There is a PBR configured on firewall for source IP x.x.x.x for Internet as destination.

Surprisingly web traffic works fine however only ICMP is getting dropped. Any reason  why? I tried searching through lot of SKs however none of them was pinpoint to the below error neither any one has worked

 

@;3779257712;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63298 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779396743;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63297 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779497504;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63296 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779590799;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63295 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2021-08-27 05:11 AM

I had seen this before be caused by securexl. If you disable it and it works, then below would apply.

Permanently set the value of kernel parameter fwconn_set_esp_after_nat_links to 1 (one) - follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

 

Andy

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-08-27 05:19 AM
In response to the_rock

Yeah initially I thought so hence I had disabled securexl as well however it did not work. fwaccel off is the only thing that I need to do?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-08-27 05:40 AM
In response to Blason_R

Thats all I found, sorry brother.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-08-27 04:04 PM

ICMP is never accelerated by SecureXL and always goes F2F, so disabling SecureXL shouldn't have any effect on this issue.  I'm assuming this has something to do with Smart Connection Reuse, although it isn't employed for non-TCP connections/sessions, at least to my knowledge:  sk24960: "Smart Connection Reuse" feature modifies some SYN packets

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2021-08-27 04:07 PM
In response to Timothy_Hall

True true...I remember having to do that sk once before when customer upgraded from R80.20 to R80.30, but never related to errors in the post.

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-08-30 10:07 PM
In response to the_rock

Any way I now removed the PBR and it started working fine.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events