NATed VPN traffic that passes through Security Gateway is dropped when SecureXL is enabled
Symptoms
  • NATed VPN traffic (ESP protocol) that passes through Security Gateway is dropped when SecureXL is enabled.

  • When SecureXL is disabled, NATed VPN traffic (ESP protocol) passes through Security Gateway correctly.

  • When Anti-Spoofing is disabled, or when the involved IP addresses are excluded from Anti-Spoofing, NATed VPN traffic (ESP protocol) passes through Security Gateway correctly.

  • Kernel debug (fw ctl debug -m fw + conn drop nat link) shows:

    ;fw_handle_first_packet: Rulebase returned ACCEPT;
    ;fw_xlate_match: conn=<Source_IP:0 -> Dest_IP:0 IPP 50>;
    ;fw_xlate_match: cache hit!;
    ;fwconn_init_links: Creating links (inbound). One way links=0, Replies from any=0;
    ;fwconn_set_links_inbound: create link cls_o <dir 1, Dest_IP:0 -> Source_IP:0 IPP 50> -> <dir 0, Source_IP:0 -> Dest_IP:0 IPP 50>(0x5);
    ;fwconn_set_link: failed to set the link (-3);
    ;fwconn_set_link: link collision ignored by SXL;
    ;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
    ;fw_log_drop: Packet proto=50 Source_IP:Source_Port -> Dest_IP:Dest_Port dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;
    ;fw_filter_chain: handle_first_packet returned action DROP for new conn;
    ;fw_filter_chain: Final switch, action=DROP;
    ;fw_filter_chain: Removing partially setup connection;
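As an added example (not part of this SK article and not Check Point tooling), the following Python script parses saved `fw ctl debug` output and recognises the symptom chain quoted above: a NAT cache hit for an ESP (IP protocol 50) connection, a `fwconn_set_link` link collision that SecureXL ignored, and a drop in `fw_handle_first_packet` because `fwconn_init_links` failed. The sample debug text is constructed from the article's lines with placeholder addresses, and the second sample (a plain rulebase drop of a TCP connection) is constructed to show that the check is specific to this signature.

```python
import re

# Constructed sample: the article's debug lines with placeholder addresses
# (10.1.1.10 -> 203.0.113.5); ESP carries no ports, hence ":0".
SAMPLE_DEBUG = """\
;fw_handle_first_packet: Rulebase returned ACCEPT;
;fw_xlate_match: conn=<10.1.1.10:0 -> 203.0.113.5:0 IPP 50>;
;fw_xlate_match: cache hit!;
;fwconn_init_links: Creating links (inbound). One way links=0, Replies from any=0;
;fwconn_set_links_inbound: create link cls_o <dir 1, 203.0.113.5:0 -> 10.1.1.10:0 IPP 50> -> <dir 0, 10.1.1.10:0 -> 203.0.113.5:0 IPP 50>(0x5);
;fwconn_set_link: failed to set the link (-3);
;fwconn_set_link: link collision ignored by SXL;
;fw_handle_first_packet: fwconn_init_links failed. Dropping packet;
;fw_log_drop: Packet proto=50 10.1.1.10:0 -> 203.0.113.5:0 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;
;fw_filter_chain: handle_first_packet returned action DROP for new conn;
;fw_filter_chain: Final switch, action=DROP;
;fw_filter_chain: Removing partially setup connection;
"""

# Constructed counter-example: a TCP drop with an unrelated reason string
# (hypothetical text, used only to show the signature check is selective).
OTHER_DROP = """\
;fw_log_drop: Packet proto=6 10.1.1.10:51234 -> 203.0.113.5:443 dropped by fw_handle_first_packet Reason: rulebase drop;
"""

# One fw_log_drop line: protocol, 5-tuple, dropping function and reason text.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]+)"
)
# The NAT match line; ".*?" is lazy so the "->" inside the tuple is not a problem.
XLATE_RE = re.compile(r"fw_xlate_match: conn=<(?P<conn>.*?) IPP (?P<ipp>\d+)>")


def parse_drops(debug_text):
    """Return one dict per fw_log_drop line, with numeric fields converted."""
    drops = []
    for line in debug_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("proto", "sport", "dport"):
                d[key] = int(d[key])
            drops.append(d)
    return drops


def matches_sxl_nat_esp_signature(debug_text):
    """True only when all four elements of the article's symptom chain are present."""
    esp_nat_match = any(int(m.group("ipp")) == 50 for m in XLATE_RE.finditer(debug_text))
    link_failed = "fwconn_set_link: failed to set the link" in debug_text
    sxl_collision = "link collision ignored by SXL" in debug_text
    init_links_drop = any(
        d["proto"] == 50 and d["reason"].startswith("fwconn_init_links")
        for d in parse_drops(debug_text)
    )
    return esp_nat_match and link_failed and sxl_collision and init_links_drop


def triage(debug_text):
    """Summarise what the debug shows so the operator knows which SK applies."""
    drops = parse_drops(debug_text)
    if not drops:
        return {"verdict": "no fw_log_drop lines found", "drops": drops}
    if matches_sxl_nat_esp_signature(debug_text):
        verdict = ("NATed ESP dropped by fwconn_init_links after a SecureXL link collision: "
                   "matches the SecureXL/NAT/ESP symptom described in this article")
    else:
        verdict = "drop present, but not the SecureXL/NAT/ESP link-collision signature"
    return {"verdict": verdict, "drops": drops}


if __name__ == "__main__":
    for name, text in (("article sample", SAMPLE_DEBUG), ("other drop", OTHER_DROP)):
        result = triage(text)
        print(f"{name}: {result['verdict']}")
        for d in result["drops"]:
            print(f"  proto={d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
                  f"by {d['func']} ({d['reason']})")
```

Run it against a file captured with the `fw ctl debug -m fw + conn drop nat link` flags from the Symptoms section (`python3 triage.py < capture.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`); it requires all four elements of the chain, so an ordinary rulebase or Anti-Spoofing drop of ESP does not match.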
Cause

In some scenarios, a packet is forwarded by SecureXL to the firewall kernel (F2F) after NAT has already been applied by SecureXL. For such a connection, a special link needs to be created in the Connections Table when the connection is created. Currently, this special link is created only for TCP and UDP connections, not for ESP (IP protocol 50), so the link setup fails and the packet is dropped.

