Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2069
Views
0
Helpful
4
Replies

Checkpoint blocks Mobility Control Path ('Old UDP Session')

Christian Faessler
Level 1
Level 1

‎03-28-2013 03:46 AM - edited ‎07-03-2021 11:48 PM

It happens on a regular basis, that our checkpoint firewall blocks control path traffic (UDP 16666) with the reason 'old UDP session'. When this happens our guest clients lose internet access. The connection restores only after I manually send a series of mping from foreign to anchor WLC.

Setup: Several 2404 and 5508 foreign WLC with 7.0.235.3 and 7.2.111.3 on the inside corporate network are anchoring to a 5508 with 7.2.111.3 in the DMZ. These connections are used for Guest Internet Access.

FW Details: Checkpoint: R75.46 - Build 102 / Ipso (os): 6.2-GA055b06 clish 2.1 / HW:  IP1285

This situation is becoming really annoying especially as our WLAN infrastructure is growing fast. I would be much obliged for any help with this.

Labels:
0 Helpful
4 Replies 4

Saravanan Lakshmanan
Cisco Employee
Cisco Employee

‎03-31-2013 02:35 AM

its not WLC issue, open case with checkpoint.

0 Helpful

Christian Faessler
Level 1
Level 1
In response to Saravanan Lakshmanan

‎04-02-2013 12:00 AM

Yes, it seems to be a checkpoint issue but I was hoping to find someone here who has the same problem and could help me with this.

0 Helpful

wesleyterry
Level 3
Level 3
In response to Christian Faessler

‎04-02-2013 07:35 PM

Is the problem occuring with every internal WLC or only a select few?

Mobility keepalives originate from the controller with the lowest mac address.

If your problem is only occuring with a select few controllers. perhaps it is only the controllers that your Anchor WLC has the lower mac address of the pair.  (implying your Check Point is timing out when packets are sourced from DMZ to Internal but not the other way....)

If its not a directional issue, then perhaps you could decrease the mobility keepalive interval. I believe control packets (16666) are sent at 3x the data packets.  (so 30s for control and 10s for data)

config mobility group keepalive interval  ?

Other than that, perhaps someone knows a checkpoint setting at fault....  but to Van's point, Checkpoint should be able to provide assistance

0 Helpful

Christian Faessler
Level 1
Level 1

‎08-09-2013 06:22 AM

It seems that it was definetly a issue with the checkpoint.

After some adjustments by our FW team, the situation became a lot better lattely.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card