Check Point防火墙静态NAT映射问题解决

liuxingyuan

Automatic Static NAT does not work



Solution ID:  sk34453
Product:  Security Gateway
Version:  NGX R60, NGX R61, NGX R62, NGX R65, R70
OS:  SecurePlatform

Symptoms



Automatic Static NAT is not working.
No error message is displayed in SmartView Tracker.
When kernel debug is run on the module, the following error will be displayed: "dropped by fwha_process_incoming_packet Reason: The packet is designated to an ip address that is proxied, but is not an active member."
Running tcpdump on the external interface will show that the arp "that has" the request reaches the module, but it does not perform proxy arp and does not reply to the request.


Cause



The ClusterXL module is enabled on a single Security Gateway.


Solution



Enabling the ClusterXL module on a single Security Gateway is not supported. One of the possible results of this configuration may be that automatic Static NAT will not work.

In order to resolve this issue, disable Cluster Membership of the Security Gateway via cpconfig and reboot the machine.

network

longpengshi

翻译了一下请指正
自动静态网络地址转换没有工作

解决方法ID：sk34453
产品：安全网关
版本：NGX R60, NGX R61, NGX R62, NGX R65, R70
操作系统：SecurePlatform

症状
自动静态NAT没有工作
在SmartView Tracker里面没有错误信息。
当在模块下内核的调试下，会产生以下错误信息：被fwha_process_incoming_packet 丢弃：数据包发送到一个设置为混合模式的IP地址，但是却不是一个活动的成员。”
运行tcpdump监听在外部接口，将会显示ARP“That has”请求到达模块，但是他并没有设置代理ARP而且不会回复此请求

原因
ClusterXL  集群模块配置在一个单独的安全网关上
解决方法
ClusterXL  集群模块不能配置在一个单独的安全网关上。可能造成自动的静态NAT不能启动。
通过cpconfig关闭安全网关的集群成员之后重启设备解决这个事件。