EIGRP (multicast) neighborship through the Security Gateway is breaking while SecureXL is enabled
Symptoms
  • EIGRP (multicast) neighborship through the Security Gateway is breaking in the following scenario:

    1. SecureXL is enabled
    2. SecureXL Drop Templates are enabled (sk66402)
  • Kernel debug ('fw ctl debug -m fw + drop') shows that EIGRP multicast packets are dropped:

    fw_log_drop_conn: Packet <dir 1, Source_IP_Address:0 -> 224.0.0.10:0 IPP 88>, dropped by handle_outbound_pac, Reason: matched partial connection
  • SecureXL debug ('fwaccel dbg -m general + offload' and 'fwaccel dbg -m db + routing') shows:

    cphwd_db_get_routing_info_ex: partial routing found (client=no, server=no).;
    cphwd_offload_conn: Failed to find routing info for <dir 0, Source_IP_Address:0 -> 224.0.0.10:0 IPP 88>
  • Disabling SecureXL resolves the issue.

Cause

The FireWall kernel offloads partial connections for multicast traffic. New multicast packets that match such a partial connection are dropped: the connection is not found in the SecureXL database, because SecureXL is unable to get the route information from its database.
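The following triage helper is an added example, not Check Point code. It scans saved output of the two debugs above and reports which EIGRP sources show both signatures: the FireWall "matched partial connection" drop and the SecureXL routing-lookup failure. The function name `triage` and all addresses in the sample are constructed for illustration.

```python
import re

# Connection tuple as printed by both debugs: <dir D, SRC:SPORT -> DST:DPORT IPP PROTO>
TUPLE = re.compile(r"<dir (\d), (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)>")
FW_DROP = re.compile(r"fw_log_drop_conn: .*dropped by (\w+), Reason: (.+?);?\s*$")
SXL_FAIL = "cphwd_offload_conn: Failed to find routing info"
SXL_PARTIAL = "cphwd_db_get_routing_info_ex: partial routing found"
EIGRP_PROTO, EIGRP_GROUP = 88, "224.0.0.10"

def triage(lines):
    """Correlate FireWall drops with SecureXL offload failures for EIGRP multicast."""
    drops, failures, partial = {}, {}, 0
    for line in lines:
        if SXL_PARTIAL in line:          # line carries no tuple, just count it
            partial += 1
            continue
        t = TUPLE.search(line)
        if not t:
            continue
        src, dst, proto = t.group(2), t.group(4), int(t.group(6))
        if proto != EIGRP_PROTO or dst != EIGRP_GROUP:
            continue                      # ignore unrelated drops
        d = FW_DROP.search(line)
        if d and d.group(2).strip() == "matched partial connection":
            drops[src] = drops.get(src, 0) + 1
        elif SXL_FAIL in line:
            failures[src] = failures.get(src, 0) + 1
    affected = sorted(set(drops) & set(failures))
    return {"fw_drops": drops, "offload_failures": failures,
            "partial_routing_hits": partial, "affected_sources": affected,
            "matches_symptom": bool(affected)}

# Constructed sample in the format shown in the Symptoms section.
SAMPLE = [
    "fw_log_drop_conn: Packet <dir 1, 192.0.2.1:0 -> 224.0.0.10:0 IPP 88>, "
    "dropped by handle_outbound_pac, Reason: matched partial connection",
    "cphwd_db_get_routing_info_ex: partial routing found (client=no, server=no).;",
    "cphwd_offload_conn: Failed to find routing info for "
    "<dir 0, 192.0.2.1:0 -> 224.0.0.10:0 IPP 88>",
    # Unrelated drop (constructed handler name and reason): must be ignored.
    "fw_log_drop_conn: Packet <dir 0, 198.51.100.7:40000 -> 203.0.113.5:23 IPP 6>, "
    "dropped by some_other_handler, Reason: other reason",
    # EIGRP drop with no matching SecureXL failure: reported, but not 'affected'.
    "fw_log_drop_conn: Packet <dir 1, 192.0.2.2:0 -> 224.0.0.10:0 IPP 88>, "
    "dropped by handle_outbound_pac, Reason: matched partial connection",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```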


Solution