Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'

Support Center > Search Results > SecureKnowledge Details

Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'

Technical Level

Solution ID	sk97704
Technical Level
Product	Quantum Security Gateways, ClusterXL, Quantum Security Management, Multi-Domain Security Management
Version	R75 (EOL), R76 (EOL), R77 (EOL)
Platform / Model	All
Date Created	13-Dec-2013
Last Modified	16-Feb-2015

Symptoms

Every couple of days, Security Gateway / ClusterXL stops accepting new IPv4 connections. Existing connections pass normally.
Deleting the Dynamic Objects cache on Security Gateway / ClusterXL immediately causes (replicates) the issue:

[Expert@HostName]# fw tab -t dynobj_cache -x -y

Kernel debug ('fw ctl debug -m fw + drop vm') shows the following drops:

fw_handle_first_packet: Rulebase returned VANISH;
fw_handle_first_packet: match on rule 0;
................
fw_log_drop_ex: Packet proto= ... dropped by fw_handle_first_packet Reason: Rulebase drop - rule 0

$FWDIR/log/fwd.elg file on Security Gateway / cluster members shows:

fwdynobj_resolve_all: unexpected size of keys or values in dynobj_uids table
fwdynobj_resolve_callback IPv6 : fw_sendhold(...) failed

Debug of FWD daemon (per sk86321) shows an issue with Dynamic Object 'CPDShield' although this dynamic object is configured correctly (both in SmartDashboard and on Security Gateway / cluster members (in $FWDIR/database/dynamic_objects.db file):

DYNAMIC_OBJECT > fw_do_checkdom: checking for object CPDShield
DYNAMIC_OBJECT > get_ip_ranges_from_cached: looking for CPDShield
DYNAMIC_OBJECT > resolver_return_data
DYNAMIC_OBJECT > range 0 0.0.0.1 0.0.0.1
fwdynobj_update_dynobj_table_kern(.... IPTYPE_6): size=0, addr_size=16
fwdynobj_resolve_callback retVal6 = 1 
fwdynobj_resolve_callback: updated dynamic object X
fwdynobj_resolve_callback IPv6 : fw_sendhold(...) failed
DYNAMIC_OBJECT > resolver_return_data -- end
DYNAMIC_OBJECT >	ip_ranges_resolver_async_handler : end

/var/log/messages file might show the following error if CoreXL is enabled:

fwmultik_ioctl_distrib_if_needed: Failing ioctl XXX - error was set
fwmultik_ioctl_distribute: Invalid instance N requested (max=1) for ioctl XXX

Cause

A new IPv4 connection arrives, however Security Gateway / ClusterXL does not find the entry in the Dynamic Objects cache kernel table 'dynobj_cache'.

Check Point kernel sends a trap to FWD daemon to resolve the IPv4 address, however, instead of sending IPv4 trap, kernel sends IPv6 trap.

As a result, all new connections are dropped.

Affected versions of Security Management Server / Multi-Domain Security Management Server: R76 and R77.

Affected versions of Security Gateway / ClusterXL: R76 and R77.

Solution

Note: To view this solution you need to Sign In .