
Unable to establish SIC on a VAP group with a single member


Article ID: 168135






Customers may be unable to establish SIC after a new installation if the management circuit is configured without the increment-per-vap parameter. This article discusses proper configuration of management and synchronization circuits for the Check Point application.

After installing the Check Point application on a single-member VAP group, the customer is unable to establish SIC. A ping from the VAP to the Check Point management station may work, but Check Point management traffic (SIC) to the VAP is dropped by the NPM with the drop reason "Load-balance failed".


The management and synchronization circuits must be configured with the increment-per-vap parameter, even if the VAP group contains only one VAP.

Otherwise, the NPM drops packets to the VAP when the application monitor reports an application failure. Since the Check Point application cannot be ready before SIC is established (and the first policy is installed), the NPM drops the packets and it is impossible to establish SIC.


The solution is to include the 'increment-per-vap' keyword, which instructs the NPM to always pass the traffic for the specified destination IP address. For increment-per-vap addresses, the NPM applies another flow rule that has a higher priority than the usual load-balance flow rule.

Example configuration of the management circuit with a single VAP:

circuit mgmt
device-name mgmt
vap-group fw
ip increment-per-vap
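
The following audit script is an added example, not part of the original article or the vendor's tooling. It scans a saved configuration for circuits whose ip line under a vap-group lacks increment-per-vap. It assumes the input contains only circuit stanzas laid out like the example above; the function name, the circuit names and the addresses are constructed for illustration.

```python
# Added example: flag circuit/vap-group "ip" lines that lack increment-per-vap.
# Assumption: the text holds only circuit stanzas shaped like the article's
# example (circuit / device-name / vap-group / ip). Addresses are constructed.

SAMPLE_CONFIG = """\
circuit mgmt
device-name mgmt
vap-group fw
ip 192.0.2.10/24
circuit sync
device-name sync
vap-group fw
ip 198.51.100.10/24 increment-per-vap
"""


def missing_increment_per_vap(config_text, circuits):
    """Return sorted (circuit, vap_group) pairs whose ip line lacks the keyword.

    circuits: names of the management and synchronization circuits to audit.
    """
    findings = set()
    circuit = vap_group = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "circuit" and len(tokens) > 1:
            # A new circuit stanza starts; forget the previous vap-group.
            circuit, vap_group = tokens[1], None
        elif tokens[0] == "vap-group" and len(tokens) > 1 and circuit:
            vap_group = tokens[1]
        elif tokens[0] == "ip" and circuit in circuits and vap_group:
            # The keyword is required even for a single-member VAP group.
            if "increment-per-vap" not in tokens[1:]:
                findings.add((circuit, vap_group))
    return sorted(findings)


if __name__ == "__main__":
    for name, group in missing_increment_per_vap(SAMPLE_CONFIG, {"mgmt", "sync"}):
        print(f"circuit {name}, vap-group {group}: ip line lacks increment-per-vap")
```
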


You can temporarily disable application monitoring on the VAP group so that traffic is load-balanced regardless of the application state.