Unresolved Dynamic Object causes NAT rule matching to fail and packet drop

SUPPORT CENTER
USER CENTER / PARTNER MAP
CYBER TALK FOR EXECUTIVES
THREAT INTELLIGENCE
UNDER ATTACK?
- We can help. Learn more about ThreatCloud Incident Response
RISK ASSESSMENT
MY ACCOUNT
- Phone
  
  General
  United States 1-800-429-4391
  International +972-3-753-4555
  
  Support
  24x7 Technical Support
  Americas: 1-972-444-6600
  International: +972-3-6115100
  Toll Free: 1-888-361-5030
- Locations
  
  United States
  Check Point Software Technologies Inc.
  959 Skyway Road
  Suite 300
  San Carlos, CA 94070
  MAP
  
  International
  Check Point Software Technologies Ltd.
  5 Ha'Solelim Street
  Tel Aviv 67897, Israel
  MAP
- Community
  CheckMates User Community
  Blog
- Chinese
- Japanese
- Russian

Support Center > Search Results > SecureKnowledge Details

Symptoms

Unresolved Dynamic Object causes NAT rule matching to fail and packet drop.
In the kernel debug we see the following drops:
;18Sep2015 8:25:57.464175;[cpu_13];[fw4_2];fw_xlate_find_all_matches: Returning 2 for resolving of dynamic object;
;18Sep2015 8:25:57.464178;[cpu_13];[fw4_2];fw_xlate_match: Returning vanish or hold (2) for dynamic object resolving;
;18Sep2015 8:25:57.464194;[cpu_13];[fw4_2];fw_log_drop_ex: Packet proto=1 [IP Address:Port] -> [NATTed IP Address:Port] dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved;
Even if there is a matching rule with a higher priority (and no issues), a rule with a lower priority that fails to resolve a dynamic object will cause the rule matching to fail and drop the packet.

Solution

Note: To view this solution you need to Sign In .

THREAT INTELLIGENCE