Traffic that depends on Dynamic Objects stops passing after policy installation
Symptoms
  • Traffic that depends on Dynamic Objects stops passing after policy installation.

  • SmartView Tracker logs show that this traffic is dropped on the rule that contains the relevant Dynamic Objects.

  • Kernel debug ('fw ctl debug -m fw + ld conn vm drop') shows that the Security Gateway is not able to find the connection in any of the tables related to the Dynamic Objects cache:

    [cpu_X];[fw_X];fwconn_lookup: conn <...>;
    [cpu_X];[fw_X];ld_get: d=8158 lp=connections tuple=...;
    ... ... ...
    [cpu_X];[fw_X];ld_get: not found;
    ... ... ...
    [cpu_X];[fw_X];not found in connections table;
    ... ... ...
    [cpu_X];[fw_X];ld_get: d=8161 lp=fwx_cntl_dyn_tab tuple=...;
    [cpu_X];[fw_X];ld_get: table empty;
    ... ... ...
    [-- Stateful VM inbound: Entering (...) --];
    [cpu_X];[fw_X];Before VM: <Source_IP:Source_Port -> Dest_IP:Dest_Port IPP 6> ... (ifn=...) (first seen) (looked up) ;
    ... ... ...
    [cpu_X];[fw_X];fwx_get_original_conn: Conn = Source_IP:Source_Port -> Dest_IP:Dest_Port IPP 6;
    ... ... ...
    [cpu_X];[fw_X];fwx_get_original_conn returns: Source_IP:Source_Port -> Dest_IP:Dest_Port IPP 6 ;
    ... ... ...
    [cpu_X];[fw_X];ld_get: d=125 lp=dynobj_cache tuple=...;
    [cpu_X];[fw_X];ld_get: h_lookup(...)=...;
    [cpu_X];[fw_X];ld_get: result=...;
    [cpu_X];[fw_X];ld_in: d=... lp=dynobj_listX tuple=...;
    [cpu_X];[fw_X];ld_in: result=0;
    ... ... ...
    [cpu_X];[fw_X];fw_handle_first_packet: Rulebase returned VANISH;
    [cpu_X];[fw_X];fw_log_drop: Packet proto=6 Source_IP:Source_Port -> Dest_IP:Dest_Port dropped by fw_handle_first_packet Reason: Rulebase drop - rule X;
    [cpu_X];[fw_X];fw_filter_chain: handle_first_packet returned action VANISH for new conn;
    [cpu_X];[fw_X];fw_filter_chain: Final switch, action=VANISH;
    [cpu_X];[fw_X];After VM: <Source_IP:Source_Port -> Dest_IP:Dest_Port IPP 6> ... ;
    [cpu_X];[fw_X];VM Final action=VANISH;
    [cpu_X];[fw_X]; ----- Stateful VM inbound Completed -----
    
  • NOTE: Do not run the 'ld' flag in kernel debug without consulting Check Point Support. It is considered a very heavy debug flag and can cause the system to crash.
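
The following Python script is an added example, not part of the original article and not Check Point code. It scans kernel debug output that has already been captured, tracks each CoreXL FW instance separately (their lines interleave), and reports rulebase drops that follow a failed 'dynobj_list' lookup. It assumes the line layout shown in the excerpt above and that 'ld_in: result=0' on a 'dynobj_list' table means the lookup found no entry; the function name and the sample values are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above; instance numbers,
# addresses, list name and rule numbers are made up for illustration.
SAMPLE = """\
[cpu_1];[fw_0];fwconn_lookup: conn <...>;
[cpu_1];[fw_0];ld_get: d=8161 lp=fwx_cntl_dyn_tab tuple=...;
[cpu_1];[fw_0];ld_get: table empty;
[cpu_2];[fw_1];fwconn_lookup: conn <...>;
[cpu_1];[fw_0];ld_get: d=125 lp=dynobj_cache tuple=...;
[cpu_1];[fw_0];ld_in: d=... lp=dynobj_list1 tuple=...;
[cpu_2];[fw_1];ld_get: d=8158 lp=connections tuple=...;
[cpu_1];[fw_0];ld_in: result=0;
[cpu_2];[fw_1];fw_log_drop: Packet proto=6 192.0.2.11:40001 -> 198.51.100.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 9;
[cpu_1];[fw_0];fw_log_drop: Packet proto=6 192.0.2.10:40000 -> 198.51.100.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
"""

LINE = re.compile(r"^\s*\[(cpu_\w+)\];\[(fw_\w+)\];\s*(.*)$")
TABLE = re.compile(r"ld_(?:get|in): d=\S+ lp=(\S+)")
DROP = re.compile(r"fw_log_drop: Packet proto=(\d+) (\S+) -> (\S+) "
                  r"dropped by \S+ Reason: Rulebase drop - rule (\w+)")

def find_dynobj_drops(text):
    """Return drops preceded, on the same FW instance, by a dynobj_list miss."""
    fresh = lambda: {"table": None, "missed": []}
    state = defaultdict(fresh)          # keyed by (cpu, fw instance)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                    # banner lines carry no instance prefix
        inst, msg = (m.group(1), m.group(2)), m.group(3)
        st = state[inst]
        if msg.startswith("fwconn_lookup:"):
            state[inst] = fresh()       # a new packet starts on this instance
        elif (t := TABLE.match(msg)):
            st["table"] = t.group(1)    # remember which table is being queried
        elif msg.startswith("ld_in: result=0") and \
                (st["table"] or "").startswith("dynobj_list"):
            st["missed"].append(st["table"])   # assumption: result=0 is a miss
        elif (d := DROP.match(msg)) and st["missed"]:
            findings.append({"instance": inst, "src": d.group(2),
                             "dst": d.group(3), "rule": d.group(4),
                             "lists": st["missed"]})
            state[inst] = fresh()
    return findings
```

In the constructed sample only the drop on fw_0 is reported; the drop on fw_1 has no preceding 'dynobj_list' miss on that instance.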
Cause

There is an issue with the synchronization, between the CoreXL FW Instances, of the FW kernel tables used for resolving Dynamic Objects.

