Unresolved Dynamic Object causes NAT rule matching to fail and packet drop
Solution ID: sk109216
Product: Quantum Security Gateways
Version: R77.20 (EOL), R77.30 (EOL)
Date Created: 21-Dec-2015
Last Modified: 04-Sep-2018
Symptoms
Unresolved Dynamic Object causes NAT rule matching to fail and packet drop.
The kernel debug shows the following drops:
;18Sep2015 8:25:57.464175;[cpu_13];[fw4_2];fw_xlate_find_all_matches: Returning 2 for resolving of dynamic object;
;18Sep2015 8:25:57.464178;[cpu_13];[fw4_2];fw_xlate_match: Returning vanish or hold (2) for dynamic object resolving;
;18Sep2015 8:25:57.464194;[cpu_13];[fw4_2];fw_log_drop_ex: Packet proto=1 [IP Address:Port] -> [NATTed IP Address:Port] dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved;
Even if a higher-priority rule matches without issues, a lower-priority rule that fails to resolve a dynamic object causes rule matching to fail and the packet to be dropped.
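
To confirm this symptom in a larger kernel debug capture, the drop line can be tied back to the fw_xlate_* lines logged just before it on the same CPU and firewall instance. The script below is an added example, not Check Point code; the field layout is inferred from the three debug lines above, and the 1 ms correlation window and the cpu_2 filler line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Layout inferred from the lines above: ;timestamp;[cpu_N];[fwK_M];function: message;
LINE_RE = re.compile(
    r"^;(?P<ts>\d{1,2}[A-Za-z]{3}\d{4}\s+\d{1,2}:\d{2}:\d{2}\.\d+);"
    r"\[cpu_(?P<cpu>\d+)\];\[(?P<inst>fw\d+_\d+)\];"
    r"(?P<func>\w+): (?P<msg>.*?);?\s*$"
)
DROP_REASON = "Dynamic object is already being resolved"

def parse_line(line):
    """Split one debug line into fields; return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d%b%Y %H:%M:%S.%f")
    return rec

def find_dynobj_drops(lines, window_s=0.001):
    """Return each dynamic-object drop with the fw_xlate_* lines logged just
    before it on the same CPU and instance (window_s is an assumed value)."""
    recent, findings = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["cpu"], rec["inst"])
        if rec["func"].startswith("fw_xlate_"):
            recent.setdefault(key, []).append(rec)
        elif rec["func"] == "fw_log_drop_ex" and DROP_REASON in rec["msg"]:
            ctx = [r for r in recent.pop(key, [])
                   if (rec["ts"] - r["ts"]).total_seconds() <= window_s]
            findings.append({"drop": rec, "context": ctx})
    return findings

# The cpu_13 lines are the debug output quoted above; the cpu_2 line is constructed filler.
SAMPLE = [
    ";18Sep2015 8:25:57.464175;[cpu_13];[fw4_2];fw_xlate_find_all_matches: Returning 2 for resolving of dynamic object;",
    ";18Sep2015 8:25:57.464178;[cpu_13];[fw4_2];fw_xlate_match: Returning vanish or hold (2) for dynamic object resolving;",
    ";18Sep2015 8:25:57.464180;[cpu_2];[fw4_0];example_unrelated_function: constructed filler line;",
    ";18Sep2015 8:25:57.464194;[cpu_13];[fw4_2];fw_log_drop_ex: Packet proto=1 [IP Address:Port] -> [NATTed IP Address:Port] dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved;",
]

if __name__ == "__main__":
    for f in find_dynobj_drops(SAMPLE):
        d = f["drop"]
        print(d["ts"], "cpu", d["cpu"], d["inst"], "<-", [r["func"] for r in f["context"]])
```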