View Sidebar
Checkpoint Firewall: SecureXL and PPPoE do not play well

Checkpoint Firewall: SecureXL and PPPoE do not play well

12/17/2014 3:16 pm0 comments

I recently had to upgrade an R70 Checkpoint firewall to R77.10.  Due to a variety of issues, this required a nuke and rebuild of the firewall via USB key to upgrade to R77.10.

The upgrade went fine, but during testing the firewall passed no traffic. This was an unusual config, the internet service was a PPPoE connection.

After a fair amount of troubleshooting went into this problem.  It wasn’t until a fw ctl zdebug -m fw + drop  command was run that the problem become obvious.  The following error was displayed:

;[fw4_0];fw_log_drop_ex: Packet proto=6 159.7.34.61:10002 -> 126.246.75.211:80 dropped by cphwd_offload_conn Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;

A quick look on Checkpoint’s Support Site gave us Solution ID: sk79880.

SYMPTOMS

Kernel debug shows (fw ctl zdebug -m fw + drop) that traffic is dropped:

‘… is dropped by cphwd_offload_conn Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed’

CAUSE

No fix is required; the system is functioning as designed.

SecureXL does not support Point-to-Point interfaces (PPP, PPTP, PPPoE). In case a PPP-interface is detected, SecureXL disables itself on that interface (hence the name ‘non-accelerated interface’).

Refer to the following note in any ‘Performance Pack Administration Guide’ (R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76):

Note: Performance Pack is automatically disabled on PPTP and PPPoE interfaces.

If a connection is detected, which flows through even one such non-accelerated interface, and this connection is NATed and/or sent over VPN, it will be dropped, because SecureXL is not able to handle it: because of NAT (Client Side or Server Side) and/or VPN, some connection parameters are not available – SecureXL is not able to determine how to pass such connection.

SOLUTION

Possible steps:

  1. Change the rulebase, so that the problematic connection is not sent through such non-accelerated interface(s).
  2. Disable NAT on the problematic connection.
  3. Change the rulebase, so that the problematic connection is not sent over VPN.
  4. Disable SecureXL completely (via ‘fwaccel off’ command and via ‘cpconfig’ menu).

We disabled SecureXL and had no problems since.

 

 

Leave a reply

You must be logged in to post a comment.