Traffic is not NATed correctly
Symptoms
  • NAT traffic is dropped and not handled correctly.
  • Kernel debug shows:
    ;fw_log_drop_ex: Packet proto=6 xxx.xxx.xxx.xxx:62816 -> xxx.xxx.xxx.xxx:5061 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
    ;[cpu_47];[fw4_0];fw_log_drop_ex: Packet proto=6 xxx.xxx.xxx.xxx:56425 -> xxx.xxx.xxx.xxx:443 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) fail ...
  • When using ClusterXL with Dynamic NAT, after a failover there is traffic loss that lasts a few minutes.
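To confirm this symptom in a kernel debug capture rather than by eye, the following parser is an added example (it is not part of this article and not Check Point code). It assumes the drop-line format shown above (an optional `;[cpu_N];[fw4_M];` prefix followed by `fw_log_drop_ex: ...`) and runs over a few constructed sample lines with placeholder addresses; it counts drops by reason and reports the `fwconn_key_init_links` drops from `fw_conn_post_inspect` by destination port, which is the pattern described in this article.

```python
import re
from collections import Counter
from typing import Optional

# Pattern for the fw_log_drop_ex message quoted in the Symptoms section.
# The ";[cpu_N];[fw4_M];" prefix is optional because the first quoted line
# lacks it. The format is assumed from the lines quoted on the page.
DROP_RE = re.compile(
    r"(?:\[cpu_(?P<cpu>\d+)\];\[(?P<inst>fw4_\d+)\];)?"
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<module>\w+) Reason: (?P<reason>.+?);?$"
)

NAT_LINK_REASON = "fwconn_key_init_links"
NAT_LINK_MODULE = "fw_conn_post_inspect"

# Constructed sample capture (placeholder RFC 5737 / private addresses).
SAMPLE = """
;[cpu_47];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.1.25:56425 -> 192.0.2.10:443 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.1.26:62816 -> 192.0.2.20:5061 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=17 10.10.1.27:40000 -> 192.0.2.30:53 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_5];[fw4_2];fw_log_drop_ex: Packet proto=6 10.10.1.28:50001 -> 192.0.2.40:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_5];[fw4_2];some unrelated kernel debug line
"""


def parse_drop(line: str) -> Optional[dict]:
    """Return the fields of one drop line, or None if it is not a drop line."""
    m = DROP_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("cpu", "proto", "sport", "dport"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(lines) -> dict:
    """Count all drops by reason and the NAT link-init drops by destination port."""
    recs = [r for r in map(parse_drop, lines) if r is not None]
    nat_recs = [
        r for r in recs
        if r["module"] == NAT_LINK_MODULE and r["reason"].startswith(NAT_LINK_REASON)
    ]
    return {
        "total": len(recs),
        "by_reason": dict(Counter(r["reason"] for r in recs)),
        "nat_link_drops": len(nat_recs),
        "nat_link_drops_by_dport": dict(Counter(r["dport"] for r in nat_recs)),
    }


def matches_symptom(summary: dict, min_drops: int = 2) -> bool:
    """True when the capture shows the article's pattern: new connections
    dropped by fw_conn_post_inspect because fwconn_key_init_links failed."""
    return summary["nat_link_drops"] >= min_drops


if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines())
    print(result)
    print("symptom present:", matches_symptom(result))
```

Feed it the debug output of the member that just became ACTIVE; a burst of `fwconn_key_init_links` drops spread across many destination ports, all from `fw_conn_post_inspect`, in the minutes after the failover is what this article describes, whereas drops with other reasons (the constructed rulebase drop in the sample) are unrelated and are kept separate in `by_reason`.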
Cause

After a failover, the member that changed its state to ACTIVE initiates a rebuild of the tables for Dynamic Port Allocation. This process is heavy, especially if the concurrent number of NATed connections is large. (These tables are not synced between members, so they need to be rebuilt upon failover.)

During this process, Port Allocation can not be done, so every new connection that needs to be NATed will be dropped.

Dropped connections are not kept in the connection table without NAT, so the endpoints re-transmit them.

Solution