NAT fails after policy installation
Symptoms
  • NAT stops working completely at some point:

    • usually, after policy installation
    • when IPS protection "Malicious IPs" is enabled, and the Block List of malicious IP addresses is updated
  • Logs in SmartView Tracker / SmartLog show that the relevant traffic was accepted, but there is no indication that NAT was applied.

  • Output of the 'fw tab -t intvl_kbufs_table' command on the Security Gateway / Cluster members is either empty, or shows only the following single entry:
    <00000000; 00000000>

  • Output of the 'fw tab | grep -E "intvl_kbufs|dynobj"' command on the Security Gateway / Cluster members shows that these kernel tables have consecutive ID numbers (the order and the numbers themselves do not matter - only the fact that they are consecutive):

    • intvl_kbufs_table
    • dynobj_uids
    • dynobj_list<XXX>
  • Another policy installation resolves the issue.

  • Rebooting the Security Gateway / all Cluster members resolves the issue.

  • In ClusterXL High Availability mode, a failover from the Active to a Standby cluster member sometimes resolves the issue.
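The two kernel-table checks listed in the symptoms above can be scripted, so that the condition can be spotted on a gateway without reading the tables by eye. The script below is an added example, not part of the SK article or Check Point's own tooling; it assumes that 'fw tab' prints each table as a header line "-------- <table> --------" followed by a "dynamic, id <N>, ..." line, and that 'fw tab -t <table>' prints one entry per line starting with "<" (both are assumptions about the output format, and every sample below is constructed).

```shell
#!/bin/sh
# Added example, not from the SK article: checks "fw tab" output for the symptoms above.
# Assumed format: "fw tab" prints a header "-------- <table> --------" followed by a line
# "dynamic, id <N>, attributes: ..."; "fw tab -t <table>" prints one entry per line
# starting with "<". All samples below are constructed to illustrate that assumed format.

# Symptom sample: intvl_kbufs_table, dynobj_uids and dynobj_list<XXX> have consecutive IDs.
SAMPLE_CONSECUTIVE='-------- intvl_kbufs_table --------
dynamic, id 8140, attributes: keep, sync
-------- dynobj_uids --------
dynamic, id 8141, attributes: keep
-------- dynobj_list_1 --------
dynamic, id 8142, attributes: keep'
# Healthy sample: same tables, IDs not consecutive.
SAMPLE_HEALTHY='-------- intvl_kbufs_table --------
dynamic, id 8140, attributes: keep, sync
-------- dynobj_uids --------
dynamic, id 8201, attributes: keep
-------- dynobj_list_1 --------
dynamic, id 8202, attributes: keep'
# "fw tab -t intvl_kbufs_table" samples: broken (only the zero entry) and healthy.
SAMPLE_INTVL_BROKEN='-------- intvl_kbufs_table --------
<00000000; 00000000>'
SAMPLE_INTVL_OK='-------- intvl_kbufs_table --------
<00000001; 0a000001>
<00000000; 00000000>'

# stdin: "fw tab" output. Prints "consecutive" when the three tables of interest form one
# unbroken run of IDs (the symptom in this SK), otherwise "ok".
check_table_ids() {
    awk '/^-------- (intvl_kbufs_table|dynobj_uids|dynobj_list)/ { name = $2; next }
         name != "" && /^dynamic, id / { id = $3; sub(/,$/, "", id); print id, name; name = "" }' |
    sort -n |
    awk 'NR == 1 { prev = $1; next }
         $1 != prev + 1 { gap = 1 }
         { prev = $1 }
         END { r = (NR >= 3 && !gap) ? "consecutive" : "ok"; print r }'
}

# stdin: "fw tab -t intvl_kbufs_table" output. Prints "empty-or-zero" when the table is
# empty or holds only <00000000; 00000000>, otherwise "populated".
check_intvl_table() {
    awk '/^</ && $0 !~ /^<0+; 0+>$/ { real++ }
         END { r = (real > 0) ? "populated" : "empty-or-zero"; print r }'
}

printf '%s\n' "$SAMPLE_CONSECUTIVE" | check_table_ids     # consecutive
printf '%s\n' "$SAMPLE_INTVL_BROKEN" | check_intvl_table  # empty-or-zero
```

On a gateway the functions are fed the live commands instead of the samples, i.e. 'fw tab | check_table_ids' and 'fw tab -t intvl_kbufs_table | check_intvl_table'; both symptoms present at once is the pattern this SK describes.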

Cause

In some rare cases, when the kernel tables that hold the data for Dynamic Objects are updated (for example, during policy installation, or when the IPS protection "Malicious IPs" (DShield.org Storm Center) is updated), the contents of one of the NAT kernel tables (intvl_kbufs_table) can be wrongly erased instead of the relevant dynobj_list<XXX> table.

