Dynamic Dispatcher 'instance mismatch' drops on ports 80 and 443
  • When the Dynamic Dispatcher is enabled together with SecureXL NAT templates, traffic on ports 80 and 443 is dropped and the following messages appear in /var/log/messages: fwmultik_dispatch_inbound: instance mismatch (on connection <IP address>(443) -> <IP address>(24547) IPP 6): predefined says 2 lookup says 1)

  • Traffic is dropped with the following message: ';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=<protocol ID> <IP address>:<port> -> <IP address>:<port> dropped by fwmultik_dispatch_inbound Reason: Instance mismatch (inbound);'

  • Disabling one of the features (Dynamic Dispatcher or NAT templates) resolves the issue.
  1. The sim_nat_port_alloc table may contain two or more entries for the same allocated source port when multiple hide-translated connections are going to the same destination IP address.

  2. When the sim module tries to allocate a source port that is already marked as in use, it may still allocate that port again for a new connection.
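
To check whether drops collected from a gateway match the symptom described above, the following added example (not part of the original article and not Check Point code) parses the 'instance mismatch' message from /var/log/messages and counts hits per web port and per predefined/lookup instance pair. The syslog prefix, host name and addresses in the sample lines are constructed, and the `->` separator between the two endpoints is assumed.

```python
import re
import sys
from collections import Counter

# Message body as quoted in the article; \S+ accepts IPv4 or IPv6 endpoints.
MISMATCH_RE = re.compile(
    r"fwmultik_dispatch_inbound: instance mismatch \(on connection "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>\S+?)\((?P<dport>\d+)\) "
    r"IPP (?P<ipp>\d+)\): predefined says (?P<predefined>\d+) "
    r"lookup says (?P<lookup>\d+)"
)
WEB_PORTS = (80, 443)

# Constructed sample lines (prefix and addresses are illustrative, not from a real gateway).
SAMPLE_LOG = """\
Jan 10 12:00:01 gw1 kernel: [fw4_1];fwmultik_dispatch_inbound: instance mismatch (on connection 198.51.100.7(443) -> 192.0.2.10(24547) IPP 6): predefined says 2 lookup says 1)
Jan 10 12:00:02 gw1 kernel: [fw4_1];fwmultik_dispatch_inbound: instance mismatch (on connection 198.51.100.7(80) -> 192.0.2.10(24548) IPP 6): predefined says 2 lookup says 1)
Jan 10 12:00:03 gw1 kernel: [fw4_0];fwmultik_dispatch_inbound: instance mismatch (on connection 198.51.100.9(443) -> 192.0.2.10(31022) IPP 6): predefined says 0 lookup says 2)
Jan 10 12:00:04 gw1 sshd[4211]: Accepted publickey for admin from 192.0.2.50 port 50122
""".splitlines()

def parse_mismatches(lines):
    """Yield one dict per 'instance mismatch' line; unrelated lines are skipped."""
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "ipp", "predefined", "lookup"):
                rec[key] = int(rec[key])
            yield rec

def summarize(lines):
    """Count mismatches per web port and per (predefined, lookup) instance pair."""
    by_port, by_pair, other = Counter(), Counter(), 0
    for rec in parse_mismatches(lines):
        # The article's sample has 443 on the first endpoint, so check both sides.
        port = next((p for p in (rec["sport"], rec["dport"]) if p in WEB_PORTS), None)
        if port is None:
            other += 1  # mismatch on a port other than 80/443
        else:
            by_port[port] += 1
        by_pair[(rec["predefined"], rec["lookup"])] += 1
    return {"by_port": dict(by_port), "by_pair": dict(by_pair), "other": other}

if __name__ == "__main__":
    # Pass a saved copy of /var/log/messages as the first argument, or run on the sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(source))
```

A result where nearly all hits fall under `by_port` for 80 and 443 and `other` stays at zero is consistent with the symptom this article describes.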

