Troubling NAT Issue - NGX R62
United States
2007-10-24 00:23:25
All,

I'm looking for insight to resolve what should be a simple issue with destination NAT on a very simple Check Point HA deployment on Nokia IP390s running IPSO 4.1 b22. The FW logs show the packet coming in being accepted, then 3 seconds later it shows a new connection from the IP of the DMZ host being dropped as TCP out of state.

Background:
- Customer has a device deployed in a DMZ subnet located off the firewall.
- The firewall is the default gateway for the DMZ subnet.
- Outside users need to access a host in the DMZ subnet from the internet.
- FW's default route is the ISP gateway router.
- Outbound NAT is working with no problems.
- The DMZ host can be reached by other hosts on the same subnet and responds normally.
- Nokia IPSO configured with New Mode VRRP.
- Outside VIP is set to a user-defined MAC which is also the VRRP MAC for that subnet.
- If we use the VRRP IP of the firewall it works, the VIP doesn't work:
  - 1.1.1.4 (VRRP IP of firewall) < This works
  - 1.1.1.1 (VIP for DMZ host) < This doesn't work
- Spoofing is configured to permit the source IP of the DMZ subnet through the DMZ interface.

Policy:
Any to 1.1.1.1 (Internet Real VRRP Address) https accept log

Address Translation:
Any to 1.1.1.1 > Same to 10.10.10.10

What happens:
- Packet capture shows traffic accepted through the firewall to the host on the DMZ.
- Host on the DMZ responds back with SYN-ACK; packet capture on the outside interface shows the SYN-ACK leaving the interface.
- Client does not receive a SYN-ACK response.
- Switch sees VRRP MAC address.
- Set upstream IPS to L2 bypass mode.



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
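The symptom described in the post (an accepted inbound connection to the NAT VIP, then a drop of a "new connection" from the DMZ host's real IP as TCP out of state a few seconds later) is the kind of pattern worth pulling out of firewall logs automatically while isolating the fault. The following script is an added example, not code from the thread or from Check Point: it parses a constructed, simplified key=value log (not real Check Point log output) and pairs each destination-NAT accept with a later out-of-state drop whose source is the translated host and whose destination is the original client, within a configurable window. Drops with no matching accept are reported separately, since those point at a different problem than the one in the thread. Field names (xlatedst, reason) and the addresses are assumptions for the example, chosen to match the thread's 1.1.1.1 to 10.10.10.10 translation.

```python
"""Correlate destination-NAT accepts with later 'TCP out of state' drops
sourced from the translated host (added example; simplified log format)."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real Check Point log output).
# 1.1.1.1 is the public VIP, 10.10.10.10 the DMZ host it translates to.
SAMPLE_LOG = """\
2007-10-24 00:20:01 accept src=203.0.113.5 dst=1.1.1.1 proto=tcp dport=443 xlatedst=10.10.10.10
2007-10-24 00:20:04 drop src=10.10.10.10 dst=203.0.113.5 proto=tcp sport=443 reason="TCP packet out of state: SYN-ACK"
2007-10-24 00:21:10 accept src=198.51.100.7 dst=1.1.1.1 proto=tcp dport=443 xlatedst=10.10.10.10
2007-10-24 00:21:11 accept src=10.10.10.10 dst=198.51.100.7 proto=tcp sport=443
2007-10-24 00:25:00 drop src=10.10.10.10 dst=192.0.2.9 proto=tcp sport=443 reason="TCP packet out of state: SYN-ACK"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>accept|drop) (?P<rest>.*)$')
# key=value pairs; a value may be double-quoted to allow spaces (e.g. reason=...)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['ts'] = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
    fields['action'] = m.group('action')
    return fields


def correlate(log_text, window=timedelta(seconds=5)):
    """Return (pairs, orphans).

    pairs:   list of (accept_event, drop_event) where the drop is an out-of-state
             drop from the translated host back to the accepted client, and
             occurs within `window` after the accept.
    orphans: out-of-state drops with no such preceding accept.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    # Only accepts that went through destination NAT carry a translated address.
    accepts = [e for e in events if e['action'] == 'accept' and 'xlatedst' in e]
    pairs, orphans = [], []
    for drop in events:
        if drop['action'] != 'drop' or 'out of state' not in drop.get('reason', ''):
            continue
        match = next(
            (a for a in accepts
             if a['xlatedst'] == drop['src'] and a['src'] == drop['dst']
             and timedelta(0) <= drop['ts'] - a['ts'] <= window),
            None)
        if match is None:
            orphans.append(drop)
        else:
            pairs.append((match, drop))
    return pairs, orphans


if __name__ == '__main__':
    pairs, orphans = correlate(SAMPLE_LOG)
    for acc, drp in pairs:
        gap = (drp['ts'] - acc['ts']).total_seconds()
        print(f"{acc['src']} -> {acc['dst']} (xlate {acc['xlatedst']}): "
              f"return SYN-ACK dropped out of state {gap:.0f}s later")
    for drp in orphans:
        print(f"unmatched out-of-state drop {drp['src']} -> {drp['dst']} at {drp['ts']}")
```

Run against a real export, the paired entries give the client addresses and the accept-to-drop gap to compare with packet captures on the outside interface; a consistent gap that matches the client's SYN retransmission timer, together with the capture showing the SYN-ACK leaving the firewall, supports the poster's conclusion that the loss sits between the firewall and the upstream switch rather than in the NAT rule itself.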

Re: Troubling NAT Issue - NGX R62
Italy
2007-10-24 03:57:08
Hi,
try to disable SecureXL with cpconfig.

I have a case for this issue, almost the same behavior.

ciao
-- Paolo Riviello Mob. +39.328.1749468 Home: http://www.paoloriviello.com E-mail: paolo@paoloriviello.com Msn: pao_rivi@hotmail.com Skype: pao_rivi
-----I'm a rebel, soul rebel I'm a capturer, soul adventurer See the morning sun, On the hillside not living good, travel wide.
> Date: Wed, 24 Oct 2007 01:23:25 -0400
> From: Todd.Larson@LEXISNEXIS.COM
> Subject: [FW-1] Troubling 
Re: Troubling NAT Issue - NGX R62
United States
2007-10-24 09:16:13
Paolo,

Thank you for your response, we've already checked that and SecureXL is disabled (we also tried setting IPSO flows to slowpath). I'm thinking the issue is more layer 2 between the firewall and upstream switch, we just can't get it isolated.

