Connections are broken for short time after disabling SecureXL, or after installing a policy
Symptoms
  • Connections are broken for short time after disabling SecureXL ('fwaccel off'), or after installing a policy.

  • SmartView Tracker shows "Connection contains real IP of NATed address" logs for the relevant connections.

  • Kernel debug ('fw ctl debug -m fw + drop conn vm nat xlate xltrc') during the issue shows that the relevant packets are dropped:

    [-- Stateful VM inbound: Entering (...) --]; 
    ;Before VM: ...
    ... ...
    ;fwconn_post_lookup_verification: packet matches SecureXL link but wasn't natted by a SecureXL device;
    ... ...
    ;fwx_get_xlbuf: VM xlation buffer found for request:  vmside=...;
    ;fwx_get_xlbuf:  no translation matching request:  vmside=...;
    ;FW-1: fw_log_bad_conn_ex: reason Connection contains real IP of NATed address;
    ;fw_conn_inspect: post lookup verification failed. Dropping packet;
    ;fw_log_drop_ex: Packet proto= ... dropped by fw_conn_inspect Reason: post lookup verification failed;
    ;fw_filter_chain: fw_conn_inspect returned action VANISH;
    ;fw_filter_chain: Final switch, action=VANISH;
    ;After  VM: ...
    ;VM Final action=VANISH;
    ; -----  Stateful VM inbound Completed -----
    
Cause

Flow of events:

  1. While SecureXL is being turned off (either by the 'fwaccel off' command or by a policy installation, which restarts SecureXL), the SIM device stops performing NAT.
  2. FireWall still assumes that SecureXL is translating packets in both directions.
  3. FireWall starts performing NAT only after SecureXL is completely off.
  4. As a result:
    • FireWall starts performing NAT in the middle of a connection and drops Server-to-Client packets.
    • FireWall drops Server-to-Client packets with internal IP addresses.
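
To confirm that drops in a saved kernel debug capture match this sequence (the SecureXL link check failing, the "real IP of NATed address" log, and the post lookup verification drop) rather than an ordinary rulebase drop, the following Python is added here as an example; it is not Check Point's code. The debug text and the addresses in it are constructed to mirror the output shown under Symptoms.

```python
# Signature lines that appear together in one 'Stateful VM inbound' block
# when the firewall drops a packet that SecureXL should have translated.
SIGNATURE = (
    "fwconn_post_lookup_verification: packet matches SecureXL link but wasn't natted by a SecureXL device",
    "fw_log_bad_conn_ex: reason Connection contains real IP of NATed address",
    "fw_conn_inspect: post lookup verification failed. Dropping packet",
)

# Constructed sample of 'fw ctl debug -m fw + drop conn vm nat xlate xltrc' output:
# the first block is the NAT race drop from this article, the second is an
# unrelated rulebase drop that must not be reported. Addresses are made up.
SAMPLE_DEBUG = """\
[-- Stateful VM inbound: Entering (...) --];
;Before VM: ...;
;fwconn_post_lookup_verification: packet matches SecureXL link but wasn't natted by a SecureXL device;
;fwx_get_xlbuf: VM xlation buffer found for request:  vmside=1;
;fwx_get_xlbuf:  no translation matching request:  vmside=1;
;FW-1: fw_log_bad_conn_ex: reason Connection contains real IP of NATed address;
;fw_conn_inspect: post lookup verification failed. Dropping packet;
;fw_log_drop_ex: Packet proto=6 10.0.0.5:80 -> 192.168.1.10:51000 dropped by fw_conn_inspect Reason: post lookup verification failed;
;fw_filter_chain: Final switch, action=VANISH;
; -----  Stateful VM inbound Completed -----
[-- Stateful VM inbound: Entering (...) --];
;fw_log_drop_ex: Packet proto=17 10.0.0.9:53 -> 192.168.1.11:40000 dropped by fw_handle_first_packet Reason: Rulebase drop;
;fw_filter_chain: Final switch, action=DROP;
; -----  Stateful VM inbound Completed -----
"""


def split_vm_blocks(debug_text):
    """Split debug output into one list of lines per 'Stateful VM inbound' block."""
    blocks, current = [], None
    for raw in debug_text.splitlines():
        if "Stateful VM inbound: Entering" in raw:
            current = []
        elif "Stateful VM inbound Completed" in raw and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            # drop the leading/trailing ';' separators the debug module emits
            current.append(raw.strip().strip(";").strip())
    return blocks


def find_securexl_nat_drops(debug_text):
    """Return the fw_log_drop_ex line of every block that carries the full signature."""
    hits = []
    for block in split_vm_blocks(debug_text):
        if all(any(sig in line for line in block) for sig in SIGNATURE):
            drop = next((l for l in block if l.startswith("fw_log_drop_ex:")), "")
            hits.append(drop)
    return hits
```

If the reported drops cluster only around 'fwaccel off' or a policy installation, they are the transient symptom described here; drops with this signature at other times point at a different problem.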

Solution