It happens on a regular basis that our Checkpoint firewall blocks control path traffic (UDP 16666) with the reason 'old UDP session'. When this happens our guest clients lose internet access. The connection restores only after I manually send a series of mping from the foreign to the anchor WLC.
Setup: Several 2404 and 5508 foreign WLCs with 126.96.36.199 and 188.8.131.52 on the inside corporate network are anchoring to a 5508 with 184.108.40.206 in the DMZ. These connections are used for Guest Internet Access.
FW Details: Checkpoint: R75.46 - Build 102 / Ipso (os): 6.2-GA055b06 clish 2.1 / HW: IP1285
This situation is becoming really annoying especially as our WLAN infrastructure is growing fast. I would be much obliged for any help with this.
Yes, it seems to be a checkpoint issue but I was hoping to find someone here who has the same problem and could help me with this.
Is the problem occurring with every internal WLC or only a select few?
Mobility keepalives originate from the controller with the lowest mac address.
If your problem is only occurring with a select few controllers, perhaps it is only the controllers where your Anchor WLC has the lower MAC address of the pair (implying your Check Point is timing out when packets are sourced from DMZ to Internal but not the other way around).
If it's not a directional issue, then perhaps you could decrease the mobility keepalive interval. I believe control packets (16666) are sent at 3x the data packets (so 30s for control and 10s for data).
config mobility group keepalive interval ?
Other than that, perhaps someone knows a Checkpoint setting at fault, but to Van's point, Check Point should be able to provide assistance.
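One way to check the directional hypothesis raised in the reply (drops appearing only when the DMZ anchor is the packet source) is to tally the firewall's 'old UDP session' drops on UDP 16666 by direction. This is an added example, not code from the thread; it uses the anchor and foreign WLC addresses from the post and a constructed, simplified log layout rather than Check Point's real log format.

```python
CONTROL_PORT = 16666                          # mobility control path port (from the post)
ANCHOR = "184.108.40.206"                     # anchor WLC in the DMZ (from the post)
FOREIGN = {"126.96.36.199", "188.8.131.52"}   # inside foreign WLCs (from the post)

# Constructed sample log (NOT real Check Point output); one record per line:
# time src dst dport action reason
SAMPLE_LOG = """\
10:00:00 126.96.36.199 184.108.40.206 16666 accept -
10:00:30 184.108.40.206 126.96.36.199 16666 drop old_udp_session
10:01:00 188.8.131.52 184.108.40.206 16666 accept -
10:01:05 184.108.40.206 188.8.131.52 5000 drop old_udp_session
10:01:30 184.108.40.206 188.8.131.52 16666 drop old_udp_session
10:02:00 126.96.36.199 184.108.40.206 16666 accept -
"""


def parse(log_text):
    """Yield (time, src, dst, dport, action, reason) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                          # skip malformed or blank lines
        yield parts[0], parts[1], parts[2], int(parts[3]), parts[4], parts[5]


def control_drops_by_direction(log_text):
    """Count 'old UDP session' drops on the control port per traffic direction."""
    counts = {"dmz_to_inside": 0, "inside_to_dmz": 0}
    for _, src, dst, dport, action, reason in parse(log_text):
        if dport != CONTROL_PORT or (action, reason) != ("drop", "old_udp_session"):
            continue                          # ignore accepts and other ports/reasons
        if src == ANCHOR and dst in FOREIGN:      # anchor (DMZ) -> foreign (inside)
            counts["dmz_to_inside"] += 1
        elif src in FOREIGN and dst == ANCHOR:    # foreign (inside) -> anchor (DMZ)
            counts["inside_to_dmz"] += 1
    return counts


def is_directional(counts):
    """True when drops occur in exactly one direction, i.e. the hypothesis holds."""
    return sum(1 for v in counts.values() if v) == 1


if __name__ == "__main__":
    drops = control_drops_by_direction(SAMPLE_LOG)
    print(drops, "directional:", is_directional(drops))
```

With the constructed sample the drops are all anchor-to-foreign, which is the pattern the reply suggests checking for before touching the keepalive interval.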