Connections are broken for short time after disabling SecureXL, or after installing a policy
Product: Security Gateway, ClusterXL, Cluster - 3rd party, VSX, SecureXL
Version: R75, R76, R77, R77.10, R77.20, R77.30
OS: Gaia, SecurePlatform 2.6, IPSO 6.2, Gaia Embedded, Crossbeam XOS
Platform / Model:
Connections are broken for a short time after disabling SecureXL ('fwaccel off'), or after installing a policy.
"Connection contains real IP of NATed address" logs appear in SmartView Tracker for the relevant connections.
Kernel debug ('fw ctl debug -m fw + drop conn vm nat xlate xltrc') during the issue shows that the relevant packets are dropped:
[-- Stateful VM inbound: Entering (...) --];
;Before VM: ...
;fwconn_post_lookup_verification: packet matches SecureXL link but wasn't natted by a SecureXL device;
;fwx_get_xlbuf: VM xlation buffer found for request: vmside=...;
;fwx_get_xlbuf: no translation matching request: vmside=...;
;FW-1: fw_log_bad_conn_ex: reason Connection contains real IP of NATed address;
;fw_conn_inspect: post lookup verification failed. Dropping packet;
;fw_log_drop_ex: Packet proto= ... dropped by fw_conn_inspect Reason: post lookup verification failed;
;fw_filter_chain: fw_conn_inspect returned action VANISH;
;fw_filter_chain: Final switch, action=VANISH;
;After VM: ...
;VM Final action=VANISH;
; ----- Stateful VM inbound Completed -----
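When reviewing a large kernel debug capture, it helps to separate drops that carry this exact signature from unrelated drops before attributing an outage to the SecureXL transition. The script below is an added example for that purpose; it is not part of this article and not Check Point code. It groups the debug output into 'Stateful VM inbound' blocks and labels a block as the SecureXL NAT race only when all three markers quoted above (the fwconn_post_lookup_verification message, the fw_log_bad_conn_ex reason, and a final VANISH action) are present. The function names are my own, and the sample input is constructed: its first block reproduces the excerpt above with the article's '...' elisions kept, the other two blocks are invented to show an unrelated drop and an accepted packet.

```python
"""Detect the SecureXL/NAT race signature in 'fw ctl debug' output.

Added example; not part of the Check Point article and not Check Point
code. Only the message strings shown in the article's debug excerpt are
used as markers; the sample input at the bottom is constructed.
"""
import re
from typing import Dict, List

# Marker strings copied from the article's debug excerpt.
BLOCK_START = "Stateful VM inbound: Entering"
BLOCK_END = "Stateful VM inbound Completed"
POST_LOOKUP_MARK = "packet matches SecureXL link but wasn't natted by a SecureXL device"
BAD_CONN_MARK = "reason Connection contains real IP of NATed address"
FINAL_ACTION = re.compile(r"VM Final action=(\w+)")


def split_vm_blocks(debug_text: str) -> List[List[str]]:
    """Group debug lines into one list per 'Stateful VM inbound' block.

    Lines outside a block are ignored, and an unterminated trailing block
    is dropped rather than classified on partial evidence.
    """
    blocks: List[List[str]] = []
    current: List[str] = []
    inside = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        if BLOCK_START in line:
            current, inside = [line], True
        elif inside:
            current.append(line)
            if BLOCK_END in line:
                blocks.append(current)
                current, inside = [], False
    return blocks


def classify_block(block: List[str]) -> str:
    """Label one inspection block.

    'securexl_nat_race' requires all three markers from the article; a
    VANISH or DROP without them is some other drop and must not be blamed
    on the SecureXL transition.
    """
    joined = "\n".join(block)
    match = FINAL_ACTION.search(joined)
    action = match.group(1) if match else "UNKNOWN"
    if action == "VANISH" and POST_LOOKUP_MARK in joined and BAD_CONN_MARK in joined:
        return "securexl_nat_race"
    if action in ("VANISH", "DROP"):
        return "other_drop"
    return "passed"


def summarize(debug_text: str) -> Dict[str, int]:
    """Count blocks per label so the race can be confirmed at a glance."""
    counts = {"securexl_nat_race": 0, "other_drop": 0, "passed": 0}
    for block in split_vm_blocks(debug_text):
        counts[classify_block(block)] += 1
    return counts


# Constructed sample: block 1 reproduces the article's excerpt ('...'
# elisions kept as in the article); blocks 2 and 3 are invented to show an
# unrelated drop and an accepted packet.
SAMPLE_DEBUG = """\
[-- Stateful VM inbound: Entering (...) --];
;Before VM: ...
;fwconn_post_lookup_verification: packet matches SecureXL link but wasn't natted by a SecureXL device;
;fwx_get_xlbuf: VM xlation buffer found for request: vmside=...;
;fwx_get_xlbuf: no translation matching request: vmside=...;
;FW-1: fw_log_bad_conn_ex: reason Connection contains real IP of NATed address;
;fw_conn_inspect: post lookup verification failed. Dropping packet;
;fw_log_drop_ex: Packet proto= ... dropped by fw_conn_inspect Reason: post lookup verification failed;
;fw_filter_chain: fw_conn_inspect returned action VANISH;
;fw_filter_chain: Final switch, action=VANISH;
;After VM: ...
;VM Final action=VANISH;
; ----- Stateful VM inbound Completed -----
[-- Stateful VM inbound: Entering (...) --];
;Before VM: ...
;fw_filter_chain: Final switch, action=VANISH;
;VM Final action=VANISH;
; ----- Stateful VM inbound Completed -----
[-- Stateful VM inbound: Entering (...) --];
;Before VM: ...
;fw_filter_chain: Final switch, action=ACCEPT;
;VM Final action=ACCEPT;
; ----- Stateful VM inbound Completed -----
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```

Run it against a saved debug file by passing the file contents to summarize(); a non-zero 'securexl_nat_race' count that lines up in time with 'fwaccel off' or a policy installation confirms the behaviour described here, whereas only 'other_drop' hits point at a different cause.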
Flow of events:
- While SecureXL is being turned off (either by the 'fwaccel off' command, or during policy installation, which restarts SecureXL), the SIM device stops performing NAT.
- FireWall still assumes that SecureXL is translating packets in both directions.
- FireWall starts performing NAT only after SecureXL is completely off.
- As a result:
  - FireWall starts performing NAT in the middle of a connection and drops Server-to-Client packets.
  - FireWall drops Server-to-Client packets with internal IP addresses.