TCP traffic is dropped on "IP options" and problematic IP option could not be found in kernel debug
Symptoms
  • TCP traffic is dropped on "IP options", and the problematic IP option cannot be found in the kernel debug per sk62082.

    Example:

    X11 in SSH traffic is dropped on "IP options" in SmartView Tracker. When running the debug per sk62082 to find and allow IP options:

    # fw ctl debug 0
    # fw ctl debug -buf 32000
    # fw ctl debug -m fw + drop ld ipopt filter packval
    
    The allowed_ipopts_proto value cannot be found.
Cause

By design, Check Point Security Gateway drops any TCP / UDP / ICMP / GRE packet with IP options (only IGMP packets with the "Router Alert" IP option are allowed).

In certain environments, traffic going through Check Point Security Gateway may contain IP options. It may be necessary to allow these packets to pass.
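
When the kernel debug does not show which option is involved, the option can be read directly from a captured packet. The following parser is an added example, not Check Point code: it walks the IPv4 header options of a raw packet and names each one. The function names and the sample packets are constructed for illustration.

```python
import struct

# Common IPv4 option types (full type byte: copied flag, class, number).
OPTION_NAMES = {0: "End of Option List", 1: "No Operation", 7: "Record Route",
                68: "Timestamp", 130: "Security", 131: "Loose Source Route",
                137: "Strict Source Route", 148: "Router Alert"}
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def parse_ip_options(packet: bytes):
    """Return (protocol name, [(type, name, data), ...]) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4       # IHL is counted in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL")
    proto = PROTO_NAMES.get(packet[9], str(packet[9]))
    raw, i, found = packet[20:header_len], 0, []
    while i < len(raw):
        opt_type = raw[i]
        if opt_type == 0:                     # End of Option List: rest is padding
            break
        if opt_type == 1:                     # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed option {opt_type} at offset {20 + i}")
        opt_len = raw[i + 1]
        name = OPTION_NAMES.get(opt_type, f"unknown ({opt_type})")
        found.append((opt_type, name, raw[i + 2:i + opt_len]))
        i += opt_len
    return proto, found

def build_sample(proto: int, options: bytes) -> bytes:
    """Constructed test packet: IPv4 header plus options, checksum left at 0."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

# Constructed samples: TCP with Record Route, IGMP with Router Alert.
TCP_RR = build_sample(6, bytes([1, 7, 7, 4, 0, 0, 0, 0]))
IGMP_RA = build_sample(2, bytes([148, 4, 0, 0]))

if __name__ == "__main__":
    for pkt in (TCP_RR, IGMP_RA):
        print(parse_ip_options(pkt))
```

The input is the packet starting at the IP header, so any link-layer header from a capture has to be stripped first.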

