Blason_R
Leader

What could be the reason behind this drop?

Hi Team, this is R80.20 and my packets are getting dropped with the below error, which I captured using fw ctl zdebug. There is a PBR configured on the firewall for source IP x.x.x.x with the Internet as destination.

Surprisingly, web traffic works fine; however, only ICMP is getting dropped. Any reason why? I tried searching through a lot of SKs; however, none of them pinpointed the below error, nor has any of them worked.

 

@;3779257712;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63298 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779396743;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63297 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779497504;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63296 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779590799;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:2048 -> 8.8.8.8:63295 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
6 Replies
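For triaging a longer capture of the drop lines quoted in the post above, this added example (not part of the original thread) parses `fw_log_drop_ex` records and groups them by reason and protocol, so a pattern such as "only ICMP is dropped for this reason" is visible at a glance. The field names (`instance`, `module`), the sample addresses and the TCP line's reason text are constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the fw_log_drop_ex lines quoted in the post.
DROP_RE = re.compile(
    r"@;(?P<ts>\d+);\[cpu_(?P<cpu>\d+)\];\[(?P<instance>[^\]]+)\];"
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"dropped by (?P<module>\S+) Reason: (?P<reason>.*?);?\s*$"
)
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA protocol numbers

# Constructed sample: 192.0.2.10 and 198.51.100.7 are documentation addresses,
# and the TCP line's reason text is a made-up placeholder.
SAMPLE = """\
@;3779257712;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.10:2048 -> 8.8.8.8:63298 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779396743;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.10:2048 -> 8.8.8.8:63297 dropped by fw_filter_chain Reason: [NTUP] returned Drop for reused conn;
@;3779497504;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:40000 -> 198.51.100.7:443 dropped by fw_filter_chain Reason: placeholder reason (constructed);
some unrelated debug line that is not a drop record
"""

def parse_drops(text):
    """Return one dict per drop record; lines that do not match are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"])
            drops.append(rec)
    return drops

def drops_by_reason(drops):
    """Count drops per (module, reason, protocol), most frequent first."""
    return Counter((d["module"], d["reason"], d["proto"]) for d in drops).most_common()

def affected_flows(drops, reason_substr):
    """Distinct (src, dst, proto) tuples dropped for a reason containing the text."""
    return sorted({(d["src"], d["dst"], d["proto"])
                   for d in drops if reason_substr in d["reason"]})

if __name__ == "__main__":
    records = parse_drops(SAMPLE)
    for (module, reason, proto), n in drops_by_reason(records):
        print(f"{n:4d}  {proto:5s} {module}: {reason}")
    print(affected_flows(records, "reused conn"))
```

Save the zdebug output to a file and pass its contents to `parse_drops` in place of `SAMPLE`; redacted addresses such as `x.x.x.x` are matched as well.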
the_rock
Legend

I have seen this caused by SecureXL before. If you disable it and it works, then the below would apply.

Permanently set the value of kernel parameter fwconn_set_esp_after_nat_links to 1 (one) - follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

 

Andy

0 Kudos
Blason_R
Leader

Yeah, initially I thought so, hence I had disabled SecureXL as well; however, it did not work. Is fwaccel off the only thing that I need to do?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend

That's all I found, sorry brother.

0 Kudos
Timothy_Hall
Champion

ICMP is never accelerated by SecureXL and always goes F2F, so disabling SecureXL shouldn't have any effect on this issue.  I'm assuming this has something to do with Smart Connection Reuse, although it isn't employed for non-TCP connections/sessions, at least to my knowledge:  sk24960: "Smart Connection Reuse" feature modifies some SYN packets

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

True, true... I remember having to do that SK once before when a customer upgraded from R80.20 to R80.30, but never related to errors in the post.

0 Kudos
Blason_R
Leader

Anyway, I have now removed the PBR and it started working fine.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
