
Unexplainable problem - unable to ping some hosts

Hello,

Setup: XG135W V18 build 354.

I noticed today that I cannot properly ping some hosts like 8.8.8.8, 8.8.4.4, and 1.1.1.1. I open a CMD window and type "ping 8.8.8.8": the first reply is correct, and then the next 3 time out.

This ping is passing through my #1 firewall rule "LAN TO WAN GENERAL RULE" which allows my internal LAN to reach the internet. I don't know since when this problem has been occurring, but it's really weird because if I switch on packet capture in the firewall, the ping works well ???!!! what the f*ck ???

Here are some screenshots to explain that...

The ping fails after the 1st successful answer.

Then I switch on packet capture, and ping again while it's still ON, and BINGO, ping is working:

Then I switch off packet capture, and ping is not working again...

 

Another weird thing is that I monitor my customer's firewalls and internet lines with ping and other services, which are allowed by a rule that sits above my #1 rule. This rule allows pinging those specific IPs, and if I ping those IPs manually, they all work great...

The issue only affects the IPs that are not in the monitoring firewall rule.

The ping to 192.168.253.254, which is my ISP modem's IP, has the same issue: 1st answer OK, the 3 others time out. If I connect a computer to the ISP modem directly and ping 192.168.253.254, the ping is OK.


The issue was not present a few weeks ago...

If anyone has an idea...

 

Regards



  • FormerMember

    Hi Viken,

    This issue sounds like some problem on the LAN side, like a duplicated IP address / wrong ARP entry on the firewall, etc.

    You could try the steps below to check further:

    1. Check in the firewall's log viewer: switch to detailed view, search for your IP address and see if there is any blocking by a firewall rule or IPS rule.
    2. On the XG firewall Advanced Shell, check the ARP table with the command arp -an. Check it multiple times, both when the ping is working and when it is not, and see if the ARP entry has the correct MAC address for your PC.
    3. While running a continuous ping (ping 1.1.1.1 -t), run a Wireshark capture on the PC and a tcpdump capture on the XG firewall at the same time. Then retrieve the pcap file from the XG firewall and analyze both captures (PC and firewall) with Wireshark. Pay attention to the destination MAC address of the non-working ping requests.
    4. Test whether the issue happens on another PC on the same LAN network.
  • Hi Captain,

    Thank you for your answer, I will test what you wrote and will let you know.

     

    But before that, let me add more details:

    As I said, when I ping IP addresses that match another firewall rule placed above, the ping works well. Here are my firewall rules:

    And detailed view:

    Main firewall rule:

    and supervision rule: 

    As you can see, in my supervision rule, I have host groups, with public IP addresses inside, when I ping one of those IP addresses, it matches this rule.

     

    Now, a really weird thing about that :D -> If I add 8.8.8.8 or 8.8.4.4 or 1.1.1.1 in one of the host groups, the ping to those IPs works again !!!!!! see:

     

    I tested that from different PCs on the network, from different VLANs; the issue is the same.
    If I ping directly from the "diagnostics" pane of the XG, with Port3 Interface, there is no problem.

    I'm starting to think that this is a problem with the v18 build 354 firmware. I'm about to downgrade to build 339 to see whether the problem is present or not...

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Adding a tcpdump puts the interface into promiscuous mode (https://en.wikipedia.org/wiki/Promiscuous_mode).

    It could be a duplicated ARP, DHCP, IP Mapping within the Network. 

    In promiscuous mode, the interface will continue to talk to the current MAC. Therefore the ping will succeed. Without this mode, the XG will likely get different MACs, or the switch will no longer interact with the XG.


  • Ok thanks for your answer.


    But how can we explain that all the IP hosts in an IP host group that matches the #7 firewall rule (even if I place 8.8.8.8 or 8.8.4.4 or 1.1.1.1 inside) work fine with ping???

    Viken


  • Simply because XG will resolve the IP host groups differently, using its own cache.

    If you do not place the host in the group, it will not work, because XG will look it up freely on demand.

    If you place it into a host group, XG will create some sort of cache for those hosts, so it does not have to ask the switch all the time.

     

    There is something wrong in the network, I guess. That's my explanation for your issue.

     

    Maybe check the DoS settings on the XG, to see if you have ARP forging activated.


  • Ok, thank you for your answer, I understand much better how it works now.

     

    Here is the output of arp -an run on the XG firewall:

    XG135w_XN03_SFOS 18.0.0 GA-Build354.HF042920# arp -an

    It is weird because all the Port1.10 (Vlan10) entries have an "incomplete" MAC address, and there are too many entries, because I have only 8 PCs in this Vlan10, as we can see in the DHCP table:

     

    I never enabled DoS settings:

    Viken

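    An added Python example (not Sophos code, not part of this thread) that serves both step 2 of the first reply (compare arp -an output over several runs) and the arp -an output posted above: it parses the SFOS shell's arp -an lines, counts <incomplete> entries per interface, flags public addresses the firewall tried to resolve on a non-WAN interface, and diffs the resolved MACs between two snapshots. The sample snapshot reuses a few lines from the posted output; the second snapshot, the changed MAC and the WAN interface set are constructed assumptions.

```python
"""Analyze `arp -an` snapshots taken on the SFOS advanced shell.

Added example, not Sophos code. The line format is the BusyBox one the
firewall prints:
    ? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
    ? (8.8.8.8) at <incomplete> on Port3
Reported: (a) how many <incomplete> entries each interface holds, (b) public
addresses the firewall tried to resolve on a non-WAN interface, meaning it
treated them as on-link instead of sending them to the gateway, and (c) MACs
that changed between two snapshots (the check step 2 of the reply asks for).
"""
import ipaddress
import re
from collections import Counter

ARP_LINE = re.compile(
    r"^\?\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac><incomplete>|[0-9A-Fa-f:]{17})(?:\s+\[ether\])?\s+on\s+(?P<iface>\S+)"
)


def parse_arp(text):
    """Return [(ip, mac_or_None, iface)]; the prompt line and anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            mac = None if m["mac"] == "<incomplete>" else m["mac"].lower()
            entries.append((m["ip"], mac, m["iface"]))
    return entries


def incomplete_by_iface(entries):
    """Count ARP requests that never got a reply, per interface."""
    return Counter(iface for _, mac, iface in entries if mac is None)


def public_on_non_wan(entries, wan_ifaces):
    """Public IPs being ARPed on a LAN/VLAN interface: a routing or on-link mistake."""
    return [(ip, iface) for ip, _, iface in entries
            if iface not in wan_ifaces and ipaddress.ip_address(ip).is_global]


def mac_changes(before, after):
    """{(ip, iface): (old_mac, new_mac)} for hosts whose resolved MAC differs between snapshots."""
    old = {(ip, iface): mac for ip, mac, iface in before if mac}
    return {(ip, iface): (old[(ip, iface)], mac)
            for ip, mac, iface in after
            if mac and (ip, iface) in old and old[(ip, iface)] != mac}


def analyze(snapshot_a, snapshot_b, wan_ifaces):
    """Run all three checks on the second snapshot (and the diff against the first)."""
    a, b = parse_arp(snapshot_a), parse_arp(snapshot_b)
    return {
        "incomplete": dict(incomplete_by_iface(b)),
        "public_on_non_wan": public_on_non_wan(b, wan_ifaces),
        "mac_changes": mac_changes(a, b),
    }


# Constructed sample: a handful of lines taken from the arp -an output posted in
# the thread, plus a second snapshot in which 192.168.10.10 answers from a
# different MAC (made up, RFC 7042 documentation range).
SNAPSHOT_1 = """\
XG135w_XN03_SFOS 18.0.0 GA-Build354.HF042920# arp -an
? (192.168.10.14) at <incomplete> on Port1.10
? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
? (192.168.10.4) at a0:8c:fd:e3:99:9f [ether] on Port1.10
? (8.8.8.8) at <incomplete> on Port1.100
? (8.8.8.8) at <incomplete> on Port3
? (192.168.253.254) at 22:14:4b:29:52:b7 [ether] on Port3
? (192.168.16.46) at 00:15:5d:10:04:37 [ether] on Port1
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("7c:5a:1c:da:40:4d", "00:00:5e:00:53:01")
WAN_IFACES = {"Port3", "Port4"}  # assumption: Port3 = main ISP, Port4 = backup ISP

if __name__ == "__main__":
    for key, value in analyze(SNAPSHOT_1, SNAPSHOT_2, WAN_IFACES).items():
        print(f"{key}: {value}")
```

    Run it twice against real output taken while the ping works and while it fails; a MAC that flips between the two runs, or a public IP showing up on a VLAN interface, is the kind of finding step 2 is after.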

  • Check the DoS & Spoof Protection and try some settings there.

    And as I said, something is broken in your network.

    Maybe Port1.10 has invalid VLAN settings and the switch is messing up the packets, looping, etc.


  • My DoS & Spoof Protection settings are all disabled and default:

     

    Yes, but I cannot understand what is broken; I haven't modified anything for a few months and everything was working well...

    The issue with pinging external networks is not only from the Port1.10 Vlan, but from the Port1 default LAN too. (From Vlan20 Port1.20, no issue.)

    Viken


  • Try to disable Redirect ICMP Packets in DoS Protection.

    But this still leaves the issue open.

    Maybe something is broken with this Port. 

     

    You should investigate the real switch config. Maybe not you, but somebody else reconfigured something in the switching or plugged in another cable.


  • I disabled redirect ICMP, issue still the same.

     

    I'm investigating but I'm not finding anything...

    Maybe the "cache" of XG you were talking about is corrupted? What do you think about this possibility?

     

    Any way to "clear" it?

     

    Because if I ping an IP that matches the #7 firewall rule, the issue is not present, but the PC from which I'm pinging is still in the Port1.10 vlan...

    Viken


  • More details after some tests:

     

    I rebooted our main ISP modem (Port3 of the XG), and during the reboot our XG saw that Port3 was down in the WAN link manager, so the link failed over to Port4 (backup ISP), and during the whole time the 2nd ISP was active, the ping was OK from my PC to 8.8.8.8 without any loss...

    Then the main ISP link (Port3) came back; the ping was still OK to many hosts on the internet, and then after 2 or 3 minutes the ping timed out again...

     

    Do you still think there is a problem with internal ARP or a duplicate IP?

     

    Thanks for your advice...

    Viken


  • Hi,

    Could you please unplug Port3 (ISP) for testing purposes and check the status of the issue?

    Could you please enable fsck once from the console and reboot the firewall?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hello Guys,

     

    I have resolved the issue, but I resolved it in a weird way.

    I remembered that when I migrated from v17 to v18, I read about FastPath on the internet; this was a few weeks ago...

    Then I saw that it was about the "system firewall-acceleration" option that we have to enable.

    So a few weeks ago I enabled this feature; just to test, I disabled it right now, and the ping is working again !!!!

    So maybe this explains why, when I was pinging from Vlan20, it was working (the only rule for Vlan20 was set to use the web proxy instead of DPI).

    And when I was pinging from Vlan 1, 10 and 30, the ping wasn't working (the rule for those Vlans was set to use DPI instead of the web proxy).

     

    So the real issue is there, and not an ARP or duplicate issue. So what's wrong? Should we enable the "system firewall-acceleration" option? Is there a problem with DPI?


    Thanks.

    Viken


  • Hi,

    Based on the last update it seems Fast path / DPI is creating some problem. To be more sure, can you confirm whether you are getting consistent PING results without drops all the time with the test scenarios below:

    1) PING result when you disable firewall-acceleration,

    2) PING result when firewall-acceleration is on but a tcpdump command is running during the PING on the XG CLI or UI.

    3) PING result with firewall-acceleration on and the IPS service off.

    If all 3 of the above give proper PING results over multiple tests, then there is some issue with fast path and DPI, and this may require further investigation with a support case.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal,

    Here are the results of the tests you asked for:

     

    1) Ping is OK

    2) Ping is OK

    3) Ping is NOT OK


    When I enable firewall-acceleration the ping is broken again, even if I stop the IPS Service of the XG.

     

    The ping traffic is allowed by a rule which is configured to use DPI engine instead of web-proxy.

    Thanks.

    Viken


  • Hi,

    Thanks for the quick update on the test results. Can you confirm whether there are any error- and warning-level messages in syslog.log when the PING drops are observed? Also, if in the rule you switch from DPI to web proxy and the PING then works fine, the problem should be DPI or fast path only.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal,

    What is the right way to analyze syslog.log without having an epileptic crisis??? :D The information scrolls by so fast when I run a cat syslog.log command.

     

    I switched to web proxy with firewall-acceleration enabled and the ping is still dropping.

    But one thing is still weird: when firewall-acceleration is enabled and my traffic is passing through my backup internet link, the ping still works, so firewall-acceleration seems to be incompatible only with my main internet link on Port3, which is a static IP going to an MPTCP router connected to a VPS with 3 links (2 ADSL + 1 4G) to have 1 public IP and aggregated speed.

    And the 2nd link is ADSL configured with PPPoE directly on the XG.

    Viken


  • Use tools like "less" to view the logs on Linux systems. Or "more", but I prefer less.

    https://linuxize.com/post/less-command-in-linux/

     

     

    Another point off the top of my head: you are talking about ping, but what about TCP/UDP connections? Do they work? Telnet to port 53, telnet to port 443, wget to 443, etc.

     

    Could you show us your SD-WAN Policies? 


  • Thanks for the tip for "less".

     

    I have no problem with other traffic, because we used the firewall for a couple of weeks without issues with the firewall-acceleration option enabled, and I don't ping IP hosts every day, so I only just noticed the ping issue.

     

    Here is the output of syslog.log:

     

    May 2 20:40:59 (none) auth.info cish: session opened from console
    May 2 20:41:23 (none) user.info kernel: [112817.502877] ustk: mmap closed for ustdev
    May 2 20:41:23 (none) user.info kernel: [112817.502883] ustk: Deleted vma ffff88019a974540 from list
    May 2 20:41:23 (none) user.err kernel: [112817.502887] 1028:appdev_vma_close:size 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.502978] 758:appdev_release:dev open 1
    May 2 20:41:23 (none) user.err kernel: [112817.502980] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502981] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502983] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502984] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502985] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502986] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502987] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502988] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502989] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502990] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502990] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502991] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502992] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502993] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502994] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502995] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502996] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502997] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.502998] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.502999] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.503000] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.503001] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.503002] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.info kernel: [112817.504080] ustk: Closed the mmap dev
    May 2 20:41:23 (none) user.info kernel: [112817.510222] ustk: mmap closed for ustdev
    May 2 20:41:23 (none) user.info kernel: [112817.510227] ustk: Deleted vma ffff8801ee0d69c0 from list
    May 2 20:41:23 (none) user.err kernel: [112817.510231] 1028:appdev_vma_close:size 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.510350] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510352] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510353] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510356] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510357] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510357] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510358] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510359] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510360] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510361] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510362] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510363] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510364] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510365] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510366] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510367] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510368] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510369] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510370] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510371] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510372] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510373] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.510374] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.510374] 774:appdev_release:dev open 0
    May 2 20:41:23 (none) user.info kernel: [112817.511113] ustk: Closed the mmap dev
    May 2 20:41:23 (none) user.err kernel: [112817.522160] 1028:appdev_vma_close:size 2031616
    May 2 20:41:23 (none) user.err kernel: [112817.522307] 758:appdev_release:dev open 0
    May 2 20:41:23 (none) user.err kernel: [112817.522309] 771:appdev_release:counter 7 size 128
    May 2 20:41:23 (none) user.err kernel: [112817.522310] 774:appdev_release:dev open 0
    May 2 20:41:25 (none) user.err kernel: [112818.846285] nf_conntrack_ipslb: unloaded
    May 2 20:41:25 (none) user.info kernel: [112819.445616] manage_fastpath (32453): drop_caches: 3
    May 2 20:41:26 (none) user.info kernel: [112819.729886] 886.050561 [3619] netmap_attach_common host0: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.729889] 886.050570 [1447] netmap_vale_vp_create autodetect mem pools for virt port host0
    May 2 20:41:26 (none) user.err kernel: [112819.729891] 886.050572 [1150] netmap_mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.729893] 886.050574 [1136] netmap_mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.731775] 886.052455 [3619] netmap_attach_common host1: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.731778] 886.052460 [1447] netmap_vale_vp_create autodetect mem pools for virt port host1
    May 2 20:41:26 (none) user.err kernel: [112819.731780] 886.052461 [1150] netmap_mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.731781] 886.052463 [1136] netmap_mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.733756] 886.054434 [3619] netmap_attach_common host2: rx_buf_maxsize not set, set to 2048
    May 2 20:41:26 (none) user.err kernel: [112819.733758] 886.054440 [1447] netmap_vale_vp_create autodetect mem pools for virt port host2
    May 2 20:41:26 (none) user.err kernel: [112819.733760] 886.054441 [1150] netmap_mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.733761] 886.054443 [1136] netmap_mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.err kernel: [112819.735074] 886.055753 [1447] netmap_vale_vp_create autodetect mem pools for virt port host3
    May 2 20:41:26 (none) user.err kernel: [112819.735079] 886.055760 [1150] netmap_mem_incr_ring_pool increasing ring pool by 4
    May 2 20:41:26 (none) user.err kernel: [112819.735081] 886.055762 [1136] netmap_mem_incr_buf_pool increasing buf pool by 12288
    May 2 20:41:26 (none) user.info kernel: [112819.832064] 886.152737 [2290] netmap_do_regif vale0:Port1: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112819.832073] 886.152753 [2313] netmap_do_regif vale0:Port1: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.061173] 886.381846 [2290] netmap_do_regif vale0:Port2: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.061181] 886.381858 [2313] netmap_do_regif vale0:Port2: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.077878] 886.398550 [2290] netmap_do_regif vale0:Port3: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.077886] 886.398563 [2313] netmap_do_regif vale0:Port3: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.552617] 886.873284 [2290] netmap_do_regif vale0:Port5: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.552624] 886.873296 [2313] netmap_do_regif vale0:Port5: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.631253] 886.951920 [2290] netmap_do_regif vale0:Port6: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:26 (none) user.info kernel: [112820.631261] 886.951932 [2313] netmap_do_regif vale0:Port6: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:27 (none) user.info kernel: [112820.705947] 887.026612 [2290] netmap_do_regif vale0:Port7: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:41:27 (none) user.info kernel: [112820.705953] 887.026623 [2313] netmap_do_regif vale0:Port7: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:41:27 (none) user.info kernel: [112820.910029] device host0 entered promiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.912789] device host1 entered promiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.914408] device host2 entered promiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.915979] device host3 entered promiscuous mode
    May 2 20:41:27 (none) user.info kernel: [112820.937733] vfp info: vfp_init:121: Initalizing vfp_firewall offloads...
    May 2 20:41:27 (none) user.info kernel: [112820.938367] vfp info: vfp_firewall_debugfs_init:112: Initializing vfp_firewall debugfs...
    May 2 20:41:27 (none) user.info kernel: [112820.938383] vfp info: vfp_mflow_table_init:535: Initializing Micro Flow table library
    May 2 20:41:27 (none) user.info kernel: [112820.938384] vfp info: vfp_mflow_table_init:537: -- Supporting up to 3000000 Micro Flow table entries using 1048576 buckets
    May 2 20:41:27 (none) user.info kernel: [112820.944191] vfp info: vfp_mflow_table_init:554: -- Hash table addr: ffffffffa28a9fc0, free table addr: ffffffffa28a97a0
    May 2 20:41:27 (none) user.info kernel: [112820.955039] vfp info: vfp_mflow_timeout_thread_start:64: Micro Flow timeout thread ffff8801ec762280 created successfully
    May 2 20:41:27 (none) user.info kernel: [112820.955058] vfp info: vale_ports_map_table_init:260: Initializing VALE ports mapping table for bridge vale0:
    May 2 20:41:27 (none) user.info kernel: [112820.955064] vfp info: vale_ports_map_table_init:326: Adding LIF for Port1 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955069] vfp info: vale_ports_map_table_init:326: Adding LIF for Port2 index 1
    May 2 20:41:27 (none) user.info kernel: [112820.955072] vfp info: vale_ports_map_table_init:326: Adding LIF for Port3 index 2
    May 2 20:41:27 (none) user.info kernel: [112820.955075] vfp info: vale_ports_map_table_init:326: Adding LIF for Port4 index 3
    May 2 20:41:27 (none) user.info kernel: [112820.955078] vfp info: vale_ports_map_table_init:326: Adding LIF for Port5 index 4
    May 2 20:41:27 (none) user.info kernel: [112820.955081] vfp info: vale_ports_map_table_init:326: Adding LIF for Port6 index 5
    May 2 20:41:27 (none) user.info kernel: [112820.955084] vfp info: vale_ports_map_table_init:326: Adding LIF for Port7 index 6
    May 2 20:41:27 (none) user.info kernel: [112820.955087] vfp info: vale_ports_map_table_init:326: Adding LIF for Port8 index 7
    May 2 20:41:27 (none) user.info kernel: [112820.955089] vfp info: vale_ports_map_table_init:326: Adding LIF for Port9 index 8
    May 2 20:41:27 (none) user.info kernel: [112820.955100] vfp info: vale_ports_map_table_init:367: VALE ports discovered and mapped for bridge vale0:
    May 2 20:41:27 (none) user.info kernel: [112820.955101] vfp info: vale_ports_map_table_init:368: Attched ports count: 22
    May 2 20:41:27 (none) user.info kernel: [112820.955102] vfp info: vale_ports_map_table_init:369: First host port: 18
    May 2 20:41:27 (none) user.info kernel: [112820.955104] vfp info: vale_ports_map_table_init:377: Port 0: "vale0:Port1", Phys port 0. <=> Vale Stack 1, vale0:Port1^
    May 2 20:41:27 (none) user.info kernel: [112820.955106] vfp info: vale_ports_map_table_init:382: Port 1: "vale0:Port1^", Stack port. <=> Vale Phys 0, vale0:Port1
    May 2 20:41:27 (none) user.info kernel: [112820.955107] vfp info: vale_ports_map_table_init:377: Port 2: "vale0:Port2", Phys port 1. <=> Vale Stack 3, vale0:Port2^
    May 2 20:41:27 (none) user.info kernel: [112820.955108] vfp info: vale_ports_map_table_init:382: Port 3: "vale0:Port2^", Stack port. <=> Vale Phys 2, vale0:Port2
    May 2 20:41:27 (none) user.info kernel: [112820.955110] vfp info: vale_ports_map_table_init:377: Port 4: "vale0:Port3", Phys port 2. <=> Vale Stack 5, vale0:Port3^
    May 2 20:41:27 (none) user.info kernel: [112820.955111] vfp info: vale_ports_map_table_init:382: Port 5: "vale0:Port3^", Stack port. <=> Vale Phys 4, vale0:Port3
    May 2 20:41:27 (none) user.info kernel: [112820.955112] vfp info: vale_ports_map_table_init:377: Port 6: "vale0:Port4", Phys port 3. <=> Vale Stack 7, vale0:Port4^
    May 2 20:41:27 (none) user.info kernel: [112820.955114] vfp info: vale_ports_map_table_init:382: Port 7: "vale0:Port4^", Stack port. <=> Vale Phys 6, vale0:Port4
    May 2 20:41:27 (none) user.info kernel: [112820.955115] vfp info: vale_ports_map_table_init:377: Port 8: "vale0:Port5", Phys port 4. <=> Vale Stack 9, vale0:Port5^
    May 2 20:41:27 (none) user.info kernel: [112820.955116] vfp info: vale_ports_map_table_init:382: Port 9: "vale0:Port5^", Stack port. <=> Vale Phys 8, vale0:Port5
    May 2 20:41:27 (none) user.info kernel: [112820.955118] vfp info: vale_ports_map_table_init:377: Port 10: "vale0:Port6", Phys port 5. <=> Vale Stack 11, vale0:Port6^
    May 2 20:41:27 (none) user.info kernel: [112820.955119] vfp info: vale_ports_map_table_init:382: Port 11: "vale0:Port6^", Stack port. <=> Vale Phys 10, vale0:Port6
    May 2 20:41:27 (none) user.info kernel: [112820.955121] vfp info: vale_ports_map_table_init:377: Port 12: "vale0:Port7", Phys port 6. <=> Vale Stack 13, vale0:Port7^
    May 2 20:41:27 (none) user.info kernel: [112820.955122] vfp info: vale_ports_map_table_init:382: Port 13: "vale0:Port7^", Stack port. <=> Vale Phys 12, vale0:Port7
    May 2 20:41:27 (none) user.info kernel: [112820.955123] vfp info: vale_ports_map_table_init:377: Port 14: "vale0:Port8", Phys port 7. <=> Vale Stack 15, vale0:Port8^
    May 2 20:41:27 (none) user.info kernel: [112820.955125] vfp info: vale_ports_map_table_init:382: Port 15: "vale0:Port8^", Stack port. <=> Vale Phys 14, vale0:Port8
    May 2 20:41:27 (none) user.info kernel: [112820.955126] vfp info: vale_ports_map_table_init:377: Port 16: "vale0:Port9", Phys port 8. <=> Vale Stack 17, vale0:Port9^
    May 2 20:41:27 (none) user.info kernel: [112820.955127] vfp info: vale_ports_map_table_init:382: Port 17: "vale0:Port9^", Stack port. <=> Vale Phys 16, vale0:Port9
    May 2 20:41:27 (none) user.info kernel: [112820.955128] vfp info: vale_ports_map_table_init:385: Port 18: "vale0:host0", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955129] vfp info: vale_ports_map_table_init:385: Port 19: "vale0:host1", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955130] vfp info: vale_ports_map_table_init:385: Port 20: "vale0:host2", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955132] vfp info: vale_ports_map_table_init:385: Port 21: "vale0:host3", Host port
    May 2 20:41:27 (none) user.info kernel: [112820.955133] vfp info: vale_ports_map_table_init:389: VALE ports mapping physical to vale for bridge vale0::
    May 2 20:41:27 (none) user.info kernel: [112820.955135] vfp info: vale_ports_map_table_init:394: Phys 0 <-> Vale 0 (vale0:Port1)
    May 2 20:41:27 (none) user.info kernel: [112820.955136] vfp info: vale_ports_map_table_init:394: Phys 1 <-> Vale 2 (vale0:Port2)
    May 2 20:41:27 (none) user.info kernel: [112820.955137] vfp info: vale_ports_map_table_init:394: Phys 2 <-> Vale 4 (vale0:Port3)
    May 2 20:41:27 (none) user.info kernel: [112820.955138] vfp info: vale_ports_map_table_init:394: Phys 3 <-> Vale 6 (vale0:Port4)
    May 2 20:41:27 (none) user.info kernel: [112820.955139] vfp info: vale_ports_map_table_init:394: Phys 4 <-> Vale 8 (vale0:Port5)
    May 2 20:41:27 (none) user.info kernel: [112820.955140] vfp info: vale_ports_map_table_init:394: Phys 5 <-> Vale 10 (vale0:Port6)
    May 2 20:41:27 (none) user.info kernel: [112820.955141] vfp info: vale_ports_map_table_init:394: Phys 6 <-> Vale 12 (vale0:Port7)
    May 2 20:41:27 (none) user.info kernel: [112820.955142] vfp info: vale_ports_map_table_init:394: Phys 7 <-> Vale 14 (vale0:Port8)
    May 2 20:41:27 (none) user.info kernel: [112820.955144] vfp info: vale_ports_map_table_init:394: Phys 8 <-> Vale 16 (vale0:Port9)
    May 2 20:41:27 (none) user.info kernel: [112820.955156] vfp info: vfp_netdevadd_event:188: Adding VLAN LIF for Port1 100 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955159] vfp info: vfp_netdevadd_event:188: Adding VLAN LIF for Port1 10 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955160] vfp info: vfp_netdevadd_event:188: Adding VLAN LIF for Port1 20 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955162] vfp info: vfp_netdevadd_event:188: Adding VLAN LIF for Port1 30 index 0
    May 2 20:41:27 (none) user.info kernel: [112820.955168] vfp info: vfp_worker_init:280: Init worker mode0 lb_dest=1...
    May 2 20:41:27 (none) user.info kernel: [112820.955184] vfp info: vfp_mflow_timeout_thread_fn:103: Micro Flow timeout thread started...
    May 2 20:41:28 (none) user.info kernel: [112821.994711] sh (509): drop_caches: 3
    May 2 20:41:28 (none) user.info kernel: [112822.194411] ixgbe_nm 0000:0c:00.1 Port4: NIC Link is Up 100 Mbps, Flow Control: RX/TX
    May 2 20:41:30 (none) user.info kernel: [112823.728187] ixgbe_nm 0000:0c:00.0 Port3: NIC Link is Up 1 Gbps, Flow Control: None
    May 2 20:41:30 (none) user.info kernel: [112823.811225] igb_nm 0000:03:00.0 Port6: igb: Port6 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
    May 2 20:41:30 (none) user.info kernel: [112823.854918] ixgbe_nm 0000:0b:00.0 Port1: NIC Link is Up 1 Gbps, Flow Control: None
    May 2 20:41:30 (none) user.info kernel: [112824.175457] igb_nm 0000:02:00.0 Port5: igb: Port5 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
    May 2 20:42:01 (none) user.err kernel: [112855.072762] 729:appdev_open:dev open 0 1d
    May 2 20:42:01 (none) user.err kernel: [112855.072765] 750:appdev_open:dev open 1
    May 2 20:42:01 (none) user.err kernel: [112855.072768] 814:appdev_ioctl:dev size 2031616
    May 2 20:42:01 (none) user.err kernel: [112855.072790] 1044:appdev_mmap:start size 2031616
    May 2 20:42:01 (none) user.err kernel: [112855.072820] 1020:appdev_vma_open:size 2031616
    May 2 20:43:05 (none) user.err kernel: [112918.756571] 1020:appdev_vma_open:size 2031616
    May 2 20:43:05 (none) user.err kernel: [112918.774577] 1028:appdev_vma_close:size 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.924042] nfnetmap_queue loaded with [queues=2, queue_entries=10240, tx_slots=512 rx_slots=512]
    May 2 20:43:05 (none) user.info kernel: [112918.924386] 985.244006 [1902] netmap_mem_private_new req if 10*1024 ring 20*20480 buf 10242*2048
    May 2 20:43:05 (none) user.info kernel: [112918.924392] 985.244014 [3619] netmap_attach_common spq: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.924397] 985.244018 [3619] netmap_attach_common spq{0: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930692] 985.250308 [2290] netmap_do_regif spq{0: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930760] nfnetmap_queue successfully created instance 'spq{0' [buffer size:2048]
    May 2 20:43:05 (none) user.info kernel: [112918.930898] 985.250519 [3619] netmap_attach_common spq{1: rx_buf_maxsize not set, set to 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930904] 985.250525 [2290] netmap_do_regif spq{1: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:05 (none) user.info kernel: [112918.930956] nfnetmap_queue successfully created instance 'spq{1' [buffer size:2048]
    May 2 20:43:05 (none) user.err kernel: [112918.939118] 1020:appdev_vma_open:size 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.941651] ustk: Opened the mmap dev
    May 2 20:43:05 (none) user.info kernel: [112918.941657] ustk: MMAP of size 1073745920
    May 2 20:43:05 (none) user.err kernel: [112918.949775] 1020:appdev_vma_open:size 2031616
    May 2 20:43:05 (none) user.info kernel: [112918.952577] ustk: Opened the mmap dev
    May 2 20:43:05 (none) user.info kernel: [112918.952585] ustk: MMAP of size 1073745920
    May 2 20:43:05 (none) daemon.notice snort[2228]: netmap daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: netmap daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: nmsp daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: nmsp daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: SSL daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: SSL daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2227]: LWP daq initialized successfully.....
    May 2 20:43:05 (none) daemon.notice snort[2228]: LWP daq initialized successfully.....
    May 2 20:43:06 (none) user.info kernel: [112920.614278] 986.933876 [2290] netmap_do_regif vale0:host1: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.614282] 986.933885 [2313] netmap_do_regif vale0:host1: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.614832] 986.934430 [2290] netmap_do_regif vale0:host0: lut ffffc90002081000 bufs 75776 size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.614836] 986.934440 [2313] netmap_do_regif vale0:host0: mtu 1500 rx_buf_maxsize 2048 netmap_buf_size 2048
    May 2 20:43:06 (none) user.info kernel: [112920.615516] 986.935118 [2290] netmap_do_regif spq}1: lut ffffc90000359000 bufs 10242 size 2048
    May 2 20:43:07 (none) user.err kernel: [112920.735694] 1020:appdev_vma_open:size 2031616
    May 2 20:43:07 (none) user.err kernel: [112920.755667] 1028:appdev_vma_close:size 2031616
    May 2 20:43:07 (none) user.err kernel: [112920.883372] nf_conntrack_ipslb : loaded with q_start 0 q_end 1 lb_algo(0: Round Robin, 1: CPU fan-out) 0
    May 2 20:43:16 (none) auth.info cish: Session closed from console
    I started to ping 8.8.8.8 at 20h40, then enabled firewall-acceleration at 20h41, and ping timed out when I had the message "system firewall-acceleration enabled successfully".

    I recreated my SD-WAN rules for each firewall rule I have, to correspond to what I had on v17 (some source IP to some dst IP with some ports from this gateway etc...)

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France
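The syslog excerpt in the post above records what happens on the box when firewall acceleration is switched on: the old offload module unloads, netmap re-registers every port, the fastpath (vfp) re-initialises, the NIC drivers (ixgbe_nm / igb_nm) bring the links back up a few seconds later, and the offload module finally reloads. Below is an added example, not code from the poster or from Sophos, that parses lines in this syslog format and measures that reload window, so an administrator can confirm from the log alone how long the ports were re-initialising and whether that window lines up with the ping timeouts. The sample lines are an excerpt of the post's own log (with the wrap spaces removed); the event patterns are assumptions derived from the message strings visible in the post, not a documented SFOS interface.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One syslog line: "Mon D HH:MM:SS host facility.severity proc[: pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+)\s+"
    r"(?P<proc>[^:\s]+(?:\[\d+\])?):\s(?P<msg>.*)$"
)
# Kernel messages carry a "[uptime.usec] " prefix that we strip for matching.
UPTIME_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")

# Event kinds (assumed, derived from the strings seen in the post's log).
EVENT_PATTERNS = [
    ("ipslb_unloaded", re.compile(r"nf_conntrack_ipslb\s*:\s*unloaded")),
    ("ipslb_loaded",   re.compile(r"nf_conntrack_ipslb\s*:\s*loaded")),
    ("vfp_init",       re.compile(r"vfp_init:\d+: Init")),
    ("nic_link_up",    re.compile(r"(?P<port>Port\d+):? NIC Link is Up (?P<speed>\d+ [GM]bps)")),
    ("ids_daq_init",   re.compile(r"daq initialized successfully")),
]


@dataclass
class Record:
    ts: datetime
    facility: str
    severity: str
    proc: str
    msg: str
    kind: Optional[str] = None   # classified event kind, if any
    port: Optional[str] = None   # interface name for nic_link_up events


def parse_line(line: str) -> Optional[Record]:
    """Parse one syslog line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    if m.group("proc") == "kernel":
        msg = UPTIME_RE.sub("", msg)
    rec = Record(
        ts=datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        facility=m.group("facility"), severity=m.group("severity"),
        proc=m.group("proc"), msg=msg,
    )
    for kind, pat in EVENT_PATTERNS:
        em = pat.search(msg)
        if em:
            rec.kind = kind
            if kind == "nic_link_up":
                rec.port = em.group("port")
            break
    return rec


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def fastpath_reload_window(records: List[Record]) -> Optional[dict]:
    """Measure the acceleration reload: from the offload module unloading to
    (a) the last NIC link-up (ports re-initialised) and (b) the module reloading."""
    starts = [r for r in records if r.kind == "ipslb_unloaded"]
    if not starts:
        return None
    start = starts[0].ts
    later = [r for r in records if r.ts >= start]
    link_ups = [r for r in later if r.kind == "nic_link_up"]
    loaded = [r for r in later if r.kind == "ipslb_loaded"]
    end_links = max(r.ts for r in link_ups) if link_ups else start
    return {
        "start": start.strftime("%H:%M:%S"),
        "ports_relinked": [r.port for r in link_ups],
        "link_outage_seconds": (end_links - start).total_seconds(),
        "reload_seconds": (loaded[0].ts - start).total_seconds() if loaded else None,
    }


# Excerpt of the post's syslog (constructed subset, wrap spaces removed).
SAMPLE_LOG = """\
May 2 20:40:59 (none) auth.info cish: session opened from console
May 2 20:41:25 (none) user.err kernel: [112818.846285] nf_conntrack_ipslb: unloaded
May 2 20:41:27 (none) user.info kernel: [112820.910029] device host0 entered promiscuous mode
May 2 20:41:27 (none) user.info kernel: [112820.937733] vfp info: vfp_init:121: Initalizing vfp_firewall offloads...
May 2 20:41:28 (none) user.info kernel: [112822.194411] ixgbe_nm 0000:0c:00.1 Port4: NIC Link is Up 100 Mbps, Flow Control: RX/TX
May 2 20:41:30 (none) user.info kernel: [112823.728187] ixgbe_nm 0000:0c:00.0 Port3: NIC Link is Up 1 Gbps, Flow Control: None
May 2 20:41:30 (none) user.info kernel: [112823.811225] igb_nm 0000:03:00.0 Port6: igb: Port6 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
May 2 20:41:30 (none) user.info kernel: [112823.854918] ixgbe_nm 0000:0b:00.0 Port1: NIC Link is Up 1 Gbps, Flow Control: None
May 2 20:41:30 (none) user.info kernel: [112824.175457] igb_nm 0000:02:00.0 Port5: igb: Port5 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
May 2 20:43:05 (none) daemon.notice snort[2228]: netmap daq initialized successfully.....
May 2 20:43:07 (none) user.err kernel: [112920.883372] nf_conntrack_ipslb : loaded with q_start 0 q_end 1 lb_algo(0: Round Robin, 1: CPU fan-out) 0
May 2 20:43:16 (none) auth.info cish: Session closed from console
"""

if __name__ == "__main__":
    window = fastpath_reload_window(parse_log(SAMPLE_LOG))
    print(window)
```

Run against the full log from the post, the window starts at 20:41:25 and the last port comes back up at 20:41:30, five seconds in which every NIC was re-initialised under the netmap drivers; the offload module itself only reports loaded at 20:43:07. Feeding the real file in place of `SAMPLE_LOG` (for instance `parse_log(open("syslog.log").read())`) gives the same figures and lists which ports flapped, which is the first thing to compare against the timestamps of the failed pings.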