Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host
Symptoms
  • Unable to simultaneously ping the Cluster VIP address and physical IP address of a cluster member from a remote host.

  • Unable to simultaneously ping multiple interfaces of the Security Gateway / cluster member.

  • Kernel debug (fw ctl debug -m fw + conn vm drop) shows:

    ;fwconn_set_link: failed to set the link (-3);
    ;fwconn_set_link: link collision ignored by SXL;
    ;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
    ;fw_log_drop: Packet proto=1 x.x.x.x:M -> x.x.x.x:N dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
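
To confirm from a saved kernel debug capture that the drops match this symptom, the fw_log_drop lines can be filtered for ICMP (proto=1) drops whose reason is fwconn_init_links and grouped by source host. The script below is an added example, not Check Point code; it assumes the line format shown above, and the sample capture with its addresses is constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the fw_log_drop line format shown in the symptom output above.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>.+?);?\s*$"
)

# Constructed sample capture (documentation addresses, not real output).
SAMPLE_DEBUG = """\
;fwconn_set_link: failed to set the link (-3);
;fwconn_set_link: link collision ignored by SXL;
;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
;fw_log_drop: Packet proto=1 192.0.2.10:2048 -> 198.51.100.1:31337 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
;fw_log_drop: Packet proto=1 192.0.2.10:2048 -> 198.51.100.2:31337 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
;fw_log_drop: Packet proto=6 192.0.2.77:40000 -> 198.51.100.1:443 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed
;fw_log_drop: Packet proto=1 192.0.2.20:2048 -> 198.51.100.1:99 dropped by fw_handle_first_packet Reason: Rulebase drop
"""


def icmp_link_collision_drops(debug_text):
    """Return parsed ICMP drops whose reason is a fwconn_init_links failure."""
    drops = []
    for line in debug_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # not a fw_log_drop line (or a different format)
        # proto=1 is ICMP; other protocols and other drop reasons are unrelated.
        if m["proto"] == "1" and m["reason"].startswith("fwconn_init_links"):
            drops.append(m.groupdict())
    return drops


def summarize_by_source(drops):
    """Group drops by remote host: drop count and the gateway addresses pinged."""
    grouped = defaultdict(lambda: {"count": 0, "destinations": set()})
    for d in drops:
        grouped[d["src"]]["count"] += 1
        grouped[d["src"]]["destinations"].add(d["dst"])
    return {src: {"count": v["count"], "destinations": sorted(v["destinations"])}
            for src, v in grouped.items()}


if __name__ == "__main__":
    for src, info in summarize_by_source(icmp_link_collision_drops(SAMPLE_DEBUG)).items():
        print(src, info["count"], "drop(s) towards", ", ".join(info["destinations"]))
```

A source host that appears here with drops towards gateway or cluster addresses while it is pinging several of them at once is consistent with the collision described under Cause.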
Cause
  1. When the Check Point Security Gateway / cluster member creates an ICMP connection in the Connections Table, a dummy port is allocated in order to make this connection unique (ICMP packets do not have real port numbers). The dummy port is calculated based on protocol-level session IDs.

    Under certain conditions, the dummy port is calculated to be the same for multiple connections, which causes a conflict in the Connections Table that then causes the drop.

  2. In a ClusterXL cluster configured in High Availability New Mode, or in a VRRP cluster, the ICMP Requests sent to the Cluster Virtual IP (VIP) address and to the IP address of the physical interface on the Active/Master member are both processed by the Active/Master member ("NAT-folded" from the physical IP address of the Active member). Because these two ICMP Requests have the same parameters, the Active/Master member cannot distinguish between them. As a result, the first of the two ICMP Requests is processed correctly, and the second is dropped.
