Computers with dynamically assigned IP addresses are not able to access web sites by their URLs when SecureXL is enabled

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk116160
Technical Level
Product	SecureXL
Version	R77.30 (EOL), R80.10 (EOL), R80.20, R80.30
OS	Gaia
Platform / Model	All
Date Created	02-Mar-2017
Last Modified	19-Nov-2019

Symptoms

Users are intermittently not able to connect to web sites through Security Gateway in the following scenario:
1. Topology:
  - Users receive an IP address from a DHCP Server.
  - DHCP Server and DNS server are located behind the Security Gateway.
  - A new IP address is assigned after user disconnects from a network and reconnects.
2. SecureXL is enabled on the Security Gateway.
3. When user connects for the first time, access to web sites by their URLs works correctly.
4. After user disconnects and reconnects for the second time, access to web sites by their URLs stops working intermittently.
  It is possible to access web sites only by their IP addresses.
Checking the ARP table on the Security Gateway (with "arp -nv", "ip -s -s -4 neigh show" commands) during the issue shows the following:
- IP address of the user's computer, who experiences this issue, is associated with a wrong MAC Address
- The relevant entry is refreshed and associated with the correct MAC Address only in the following cases:
  - some traffic (e.g., ping) is sent from the Security Gateway to the IP address of the user's computer
  - SecureXL is disabled ('fwaccel off') and reenabled ('fwaccel on') on the Security Gateway
  - user tries to access web sites by their IP addresses
This issue does not occur for users, whose computers are configured with static IP addresses.
Disabling SecureXL on the Security Gateway resolves the issue.

Cause

SecureXL is using previously cached MAC address (associated with the involved IP address) for accelerated connections sent from Server to Client (in this case, packets sent from the DNS server to the Client).

For F2F packets, the OS is aware that this IP-to-MAC address mapping is stale, so it sends an ARP Request for the IP address and updates the cache with the correct value.
However when SecureXL queries for the MAC address, the ARP Request is not sent. As a result, SecureXL is using previously cached MAC address (associated with the involved IP address).

Solution

Note: To view this solution you need to Sign In .