ESP traffic is dropped with "fwconn_key_init_links (INBOUND) failed" on a Security Gateway forwarding and NATing VPN traffic
Symptoms
  • ESP traffic is dropped by a Security Gateway that is not a peer of the VPN tunnel but only forwards the ESP traffic, and that is also required to NAT it.

  • In a kernel debug (fw ctl zdebug + conn drop vm link nat xlate xltrc, taken with the NAT cache disabled), the same ESP connection is handled by different CoreXL firewall instances in the inbound and outbound chains (here fw4_7 inbound and fw4_5 outbound), and setting the connection link in the outbound chain fails:
    @;37644971;14Apr2020 6:26:09.705122;[vs_28];[tid_3];[fw4_7];After POST VM: <dir 0, X.X.X.X:0 -> Y.Y.Y.Y:0 IPP 50 (len=104)> ;
    @;37644971;14Apr2020 6:26:09.705123;[vs_28];[tid_3];[fw4_7];POST VM Final action=ACCEPT;
    @;37644971;14Apr2020 6:26:09.705124;[vs_28];[tid_3];[fw4_7]; ----- Stateful POST VM inbound Completed -----
    .
    @;37644971;14Apr2020 6:26:09.705136;[vs_28];[tid_3];[fw4_7];fwconn_lookup_other_ex__legacy__: conn <dir 0, X.X.X.X:0 -> Z.Z.Z.Z:0 IPP 50;10001,40004880,19,66,0,5e953b61, 6,XXXXXXXX,XXXXXXXX,5d,ffffffff,ffffffff,ffffffff,0,0,80,0,0,dc1a8608,2aaa,0,0,0,0,0,0,0,0,cd4b5004,0,0,0,0,0> found in connections table;
    .
    .
    .
    [-- Stateful VM outbound: Entering (1586838369) --];
    @;37644971;14Apr2020 6:26:09.705290;[vs_28];[tid_5];[fw4_5];Before VM: <dir 1, X.X.X.X:0 -> X.X.X.X:0 IPP 50> (len=104) (ifn=71) (looked up) ;
    @;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];fw_filter_chain: fwconn_chain_conn_exists returned 0 (conn=<dir 1, X.X.X.X:0 -> Y.Y.Y.Y:0 IPP 50>, is new 0), chain 0x0x2aaab67f7ad8;
    .
    .
    .
    @;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];fwconn_key_set_or_prepare_link: failed to set the link (-3);
    @;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];fwconn_key_link_collision: link collision ignored by SXL1;
    @;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];FW-1: fwconn_key_set_or_prepare_link: fwconn_key_set_link(srs_o) failed <dir 1, X.X.X.X:0 - > Y.Y.Y.Y:0 IPP 50 > - > <dir 0, X.X.X.X:0 - > Z.Z.Z.Z:0 IPP 50 >;
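
To check a debug capture for this symptom, the following parser (added here as an example, not part of the article or of Check Point's tooling) reads fw ctl zdebug lines in the format quoted above, groups the ESP (IPP 50) connection lines per Virtual System by chain direction, and reports a flow whose inbound (dir 0) and outbound (dir 1) chains ran on different fw4_N instances, together with the link-failure messages. The sample lines are constructed from the quoted output; the addresses are placeholders as in the original.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the fw ctl zdebug lines quoted in the article.
SAMPLE_DEBUG = """\
@;37644971;14Apr2020 6:26:09.705122;[vs_28];[tid_3];[fw4_7];After POST VM: <dir 0, X.X.X.X:0 -> Y.Y.Y.Y:0 IPP 50 (len=104)> ;
@;37644971;14Apr2020 6:26:09.705123;[vs_28];[tid_3];[fw4_7];POST VM Final action=ACCEPT;
@;37644971;14Apr2020 6:26:09.705290;[vs_28];[tid_5];[fw4_5];Before VM: <dir 1, X.X.X.X:0 -> X.X.X.X:0 IPP 50> (len=104) (ifn=71) (looked up) ;
@;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];fwconn_key_set_or_prepare_link: failed to set the link (-3);
@;37644971;14Apr2020 6:26:09.705292;[vs_28];[tid_5];[fw4_5];fwconn_key_link_collision: link collision ignored by SXL1;
"""

# @;<seq>;<date time>;[vs_N];[tid_N];[fw4_N];<message>
LINE_RE = re.compile(r"^@;\d+;[^;]+;\[(vs_\d+)\];\[(tid_\d+)\];\[(fw4_\d+)\];(.*)$")
# Connection tuple inside a message: "<dir 0, A:p -> B:p IPP 50 ...>"
CONN_RE = re.compile(r"<dir (\d), .*?IPP (\d+)")
LINK_FAIL_MARKERS = ("failed to set the link", "link collision")


def parse_zdebug(text):
    """Yield (vs, tid, instance, direction, ipp, message) per debug line; direction/ipp are None when no conn tuple is present."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vs, tid, inst, msg = m.groups()
        c = CONN_RE.search(msg)
        direction = int(c.group(1)) if c else None
        ipp = int(c.group(2)) if c else None
        yield vs, tid, inst, direction, ipp, msg


def find_instance_split(text, ipp=50):
    """Return (findings, link_failures).

    findings maps a vs_N to the inbound/outbound instance sets when the two
    chains of the given IP protocol ran on different CoreXL instances.
    """
    per_dir = defaultdict(lambda: defaultdict(set))
    link_failures = []
    for vs, _tid, inst, direction, proto, msg in parse_zdebug(text):
        if direction is not None and proto == ipp:
            per_dir[vs][direction].add(inst)
        if any(marker in msg for marker in LINK_FAIL_MARKERS):
            link_failures.append((inst, msg))
    findings = {}
    for vs, dirs in per_dir.items():
        inbound, outbound = dirs.get(0, set()), dirs.get(1, set())
        if inbound and outbound and inbound != outbound:
            findings[vs] = {"inbound": sorted(inbound), "outbound": sorted(outbound)}
    return findings, link_failures
```

Running find_instance_split over a capture where both chains sit on the same fw4_N instance returns no findings, so the check separates this CoreXL symptom from an ordinary policy or NAT drop.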

Cause

ESP traffic, which carries no port numbers (IP protocol 50), is not handled correctly by CoreXL.


Solution