Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'
Symptoms
  • Every couple of days, Security Gateway / ClusterXL stops accepting new IPv4 connections. Existing connections pass normally.

  • Deleting the Dynamic Objects cache on Security Gateway / ClusterXL immediately causes (replicates) the issue:

    [Expert@HostName]# fw tab -t dynobj_cache -x -y

  • Kernel debug ('fw ctl debug -m fw + drop vm') shows the following drops:
    fw_handle_first_packet: Rulebase returned VANISH;
    fw_handle_first_packet: match on rule 0;
    ................
    fw_log_drop_ex: Packet proto= ... dropped by fw_handle_first_packet Reason: Rulebase drop - rule 0
    
  • $FWDIR/log/fwd.elg file on Security Gateway / cluster members shows:
    fwdynobj_resolve_all: unexpected size of keys or values in dynobj_uids table
    fwdynobj_resolve_callback IPv6 : fw_sendhold(...) failed
    
  • Debug of the FWD daemon (per sk86321) shows an issue with the Dynamic Object 'CPDShield', although this dynamic object is configured correctly (both in SmartDashboard and on the Security Gateway / cluster members, in the $FWDIR/database/dynamic_objects.db file):
    DYNAMIC_OBJECT > fw_do_checkdom: checking for object CPDShield
    DYNAMIC_OBJECT > get_ip_ranges_from_cached: looking for CPDShield
    DYNAMIC_OBJECT > resolver_return_data
    DYNAMIC_OBJECT > range 0 0.0.0.1 0.0.0.1
    fwdynobj_update_dynobj_table_kern(.... IPTYPE_6): size=0, addr_size=16
    fwdynobj_resolve_callback retVal6 = 1 
    fwdynobj_resolve_callback: updated dynamic object X
    fwdynobj_resolve_callback IPv6 : fw_sendhold(...) failed
    DYNAMIC_OBJECT > resolver_return_data -- end
    DYNAMIC_OBJECT >	ip_ranges_resolver_async_handler : end
    
  • /var/log/messages file might show the following error if CoreXL is enabled:

    fwmultik_ioctl_distrib_if_needed: Failing ioctl XXX - error was set
    fwmultik_ioctl_distribute: Invalid instance N requested (max=1) for ioctl XXX
    
Cause

A new IPv4 connection arrives, but the Security Gateway / ClusterXL does not find a matching entry in the Dynamic Objects cache kernel table 'dynobj_cache'.

The Check Point kernel then sends a trap to the FWD daemon to resolve the IPv4 address; however, instead of sending an IPv4 trap, the kernel sends an IPv6 trap, so the resolution fails (the fw_sendhold(...) failure above) and the held packet never gets a rulebase match.

As a result, all new connections are dropped (by rule 0, as the kernel debug shows).

Affected versions of Security Management Server / Multi-Domain Security Management Server: R76 and R77.

Affected versions of Security Gateway / ClusterXL: R76 and R77.

