Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host
Symptoms
  • Unable to simultaneously ping the Cluster VIP address and the physical IP address of a cluster member from a remote host.

  • Unable to simultaneously ping multiple interfaces of the Security Gateway / cluster member.

  • Kernel debug (fw ctl debug -m fw + conn vm drop) shows:

    ;fwconn_set_link: failed to set the link (-3);
    ;fwconn_set_link: link collision ignored by SXL;
    ;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
    ;fw_log_drop: Packet proto=1 x.x.x.x:M -> x.x.x.x:N dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
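
One way to triage a saved copy of this debug output is to pull out the ICMP drops caused by fwconn_init_links and group them by remote host. This is an added example, not Check Point code: the function names, sample addresses and port fields are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output shown above. Addresses
# (RFC 5737 documentation ranges) and port fields are made up for this example.
SAMPLE = """\
;fwconn_set_link: failed to set the link (-3);
;fwconn_set_link: link collision ignored by SXL;
;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
;fw_log_drop: Packet proto=1 198.51.100.7:2048 -> 192.0.2.1:31337 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
;fw_log_drop: Packet proto=6 198.51.100.9:51514 -> 192.0.2.1:443 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
;fw_log_drop: Packet proto=1 198.51.100.7:2048 -> 192.0.2.2:31337 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
"""

# Matches the fw_log_drop line from the article. For proto=1 the two "port"
# fields are not real ports; the article describes them as dummy ports.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by fw_handle_first_packet "
    r"Reason: fwconn_init_links \((?P<dir>\w+)\) failed"
)

def icmp_link_drops(debug_text):
    """Return (src, dst, sport, dport, direction) for each ICMP link-init drop."""
    drops = []
    for line in debug_text.splitlines():
        m = DROP_RE.search(line)  # search() tolerates timestamp/CPU prefixes
        if m and m["proto"] == "1":  # the non-ICMP sample line is filtered out
            drops.append((m["src"], m["dst"], int(m["sport"]),
                          int(m["dport"]), m["dir"]))
    return drops

def drops_by_source(debug_text):
    """Map each remote host to the gateway addresses whose pings were dropped."""
    by_src = defaultdict(lambda: defaultdict(int))
    for src, dst, *_ in icmp_link_drops(debug_text):
        by_src[src][dst] += 1
    return {src: dict(dsts) for src, dsts in by_src.items()}

if __name__ == "__main__":
    for src, dsts in drops_by_source(SAMPLE).items():
        print(f"{src}: ICMP dropped toward {dsts}")
```

A remote host that appears here with drops toward the Cluster VIP or a member's physical address while its other ping succeeds matches the symptom described above.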
Cause
  1. When the Check Point Security Gateway / cluster member creates an ICMP connection in the Connections Table, a dummy port is allocated in order to make this connection unique (since ICMP packets do not have real port numbers). The dummy port is calculated based on protocol-level session IDs.

    Under certain conditions, the dummy port is calculated to be the same for multiple connections. This causes a conflict in the Connections Table, and the packet is dropped.

  2. In ClusterXL configured in High Availability New Mode / VRRP cluster, the ICMP Requests sent to the Cluster VIP address and to the IP address of the physical interface on the Active/Master member are both processed by the Active/Master member ("NAT-folded" from the physical IP address of the Active member). Since these two ICMP Requests have the same parameters, the Active/Master member is not able to distinguish between them. As a result, the first of these two ICMP Requests is processed correctly, and the second is dropped.
