The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: fw_init_xlation: ld_set forward failed

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

The following messages appear when FireWa--1 is attempting to perform address translation on a service or protocol where address translation is not supported:

    fw: fw_xlate_forw: failed to initalize the connection 
    fw: fw_init_xlation: ld_set forward failed

Check your FireWall-1 logs to see which service in particular that is causing that error. It will be listed as something that was accepted. SNMP and GRE are common culprits, though anything may cause the error.

Sometimes, you will see this error message because you are running out of kernel memory. You will usually see messages to this effect at the same time. This can be fixed by following the steps in the following FAQ: halloc: memory exhausted

Some sites have reported that a trojan horse on their network that appears to do a portscan to specific sites. This trojan is documented at If this trojan horse has been installed on a machine behind your network and that machine is subject to HIDE-mode translation, it is possible that it will cause this error message to occur over and over on your firewall and prevent legitimate users from initiating connections through the firewall. Another way to achieve the same effect is to use a port scanning program through the firewall from a host subject to HIDE-mode NAT.

You might also see this problem if you are close to the limit of 25,000 simultaneous connections. It may be caused by the trojan horse mentioned above or it may be caused by legitimate use. To check to see how close you are, check the output of the following commands:

    fw tab -t connections -s 
    fw tab -t fwx_forw -s 
    fw tab -t fwx_backw -s

If the #VALS for any of these commands is close to 25,000, you should consider bumping up the number of connections allowed. See Increasing Number of Connections Allowed for details on how to do this.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.