HeikoAnkenbrand

If SmartView Tracker shows that ICMP packets are dropped with the log "message_info: ICMP reply does not match a previous request":
 
This drop is related to stateful inspection of ICMP. Due to a mismatch between the ID of ICMP Reply and the ID of the original recorded ICMP Request, Security Gateway will not find the original ICMP Request in the Connections table (id 8158) and will drop this ICMP Reply packet as out-of-state.
 
Try to find out why the replying device (or which forwarding device) is changing the ID in the ICMP Reply packet.
 

As an immediate solution or workaround, disable the Stateful Inspection for ICMP to allow this traffic:

  1. In SmartDashboard, go to the Policy menu - click on the Global Properties....

  2. In the left tree, click on the Stateful Inspection.

  3. Clear the box "Drop out of state ICMP packets" - click on OK

  4. Install Policy

Note: Disabling the Stateful Inspection will lower the security. This should be done with caution and only as the last resort.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
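
The ID check described in the post above, as an added example that is not part of the original post and is not Check Point's implementation: a simplified state table keyed on requester, responder and ICMP ID, run over a constructed capture. Pairing replies to requests by sequence number and payload, and all names and addresses here, are assumptions made for the illustration.

```python
import struct
from collections import namedtuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
Echo = namedtuple("Echo", "src dst type ident seq payload")

def build(icmp_type, ident, seq, payload):
    """Build constructed ICMP echo bytes (checksum left at 0, not validated here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_echo(src, dst, data):
    """Parse the 8-byte echo header: type, code, checksum, identifier, sequence."""
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return Echo(src, dst, icmp_type, ident, seq, data[8:])

def classify_replies(packets):
    """Return (verdict, reply_id, original_id) for every echo reply seen."""
    seen_ids = set()   # (requester, responder, id): simplified state table
    by_probe = {}      # (requester, responder, seq, payload) -> id as sent
    verdicts = []
    for p in packets:
        if p.type == ECHO_REQUEST:
            seen_ids.add((p.src, p.dst, p.ident))
            by_probe[(p.src, p.dst, p.seq, p.payload)] = p.ident
        elif p.type == ECHO_REPLY:
            if (p.dst, p.src, p.ident) in seen_ids:
                verdicts.append(("in-state", p.ident, p.ident))
                continue
            # No request with this ID: would be dropped as out-of-state.
            # Same seq and payload as a recorded request means the ID changed in transit.
            sent = by_probe.get((p.dst, p.src, p.seq, p.payload))
            verdicts.append(("id-rewritten" if sent is not None else "unsolicited", p.ident, sent))
    return verdicts

# Constructed capture (documentation addresses), not taken from a real gateway.
A, B = "192.0.2.10", "198.51.100.20"
CAPTURE = [
    parse_echo(A, B, build(ECHO_REQUEST, 0x1A2B, 1, b"probe-1")),
    parse_echo(B, A, build(ECHO_REPLY, 0x1A2B, 1, b"probe-1")),
    parse_echo(A, B, build(ECHO_REQUEST, 0x1A2B, 2, b"probe-2")),
    parse_echo(B, A, build(ECHO_REPLY, 0x0001, 2, b"probe-2")),   # ID changed on the way back
    parse_echo(B, A, build(ECHO_REPLY, 0x7777, 9, b"no-match")),  # never requested
]

if __name__ == "__main__":
    for verdict, reply_id, sent_id in classify_replies(CAPTURE):
        print(f"{verdict:13} reply id=0x{reply_id:04x} sent id={sent_id}")
```

Running the same comparison on captures taken on each side of a forwarding device shows at which hop the ID stops matching.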
