2008-01-22
fdamstra
Re: Dropping connections for IP's ending in .255

These are external users, assigned a .255 address by their ISP.

I agree with the theory that something is assuming that IP's ending in 255 are broadcasts and dropping them, but that would be a bug in that software, not anything wrong with the 255 address.

It's a bizarre problem. Checkpoint Support started off with "I find this hard to believe." And I don't blame them.

The user can get to web servers that are off other interfaces, even other VLAN'd interfaces off the same physical interface. So it's just this one particular VLAN that's having an issue. However, other users are able to communicate to web servers on this VLAN just fine (to the tune of 30k+ hits/day).

And the capture from the switch shows SYN-ACK packets going out the interface to the firewall, but the capture from the firewall doesn't show these packets. So the problem has to be either the firewall or the switch. Since the switch is a standard L2 Cisco switch, it shouldn't even be looking at the IP address, so I have to blame the firewall.

Checkpoint is having me do a kernel debug next time I can arrange it with the user.
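Added example, not part of the original post and not code from any product mentioned in it: a comparison of the "last octet is 255" shortcut the post suspects with a prefix-aware broadcast check. The function names and the sample addresses (documentation and private ranges) are constructed for illustration.

```python
import ipaddress

def naive_is_broadcast(addr: str) -> bool:
    """Flawed shortcut: treat any address whose last octet is 255 as a broadcast."""
    return addr.rsplit(".", 1)[1] == "255"

def is_subnet_broadcast(addr: str, prefix_len: int) -> bool:
    """True only if addr is the broadcast address of the subnet it belongs to."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    # /31 point-to-point links (RFC 3021) and /32 host routes have no broadcast.
    if net.prefixlen >= 31:
        return False
    return ipaddress.ip_address(addr) == net.broadcast_address

def misclassified(samples):
    """Return the (address, prefix) pairs where the shortcut gives the wrong answer."""
    return [(a, p) for a, p in samples
            if naive_is_broadcast(a) != is_subnet_broadcast(a, p)]

# Constructed samples: (address, prefix length of the subnet it lives in).
SAMPLES = [
    ("198.51.100.255", 24),  # real broadcast of 198.51.100.0/24
    ("198.51.100.10", 24),   # ordinary host
    ("10.20.0.255", 16),     # ordinary host inside 10.20.0.0/16
    ("100.64.2.255", 22),    # ordinary host inside 100.64.0.0/22
    ("192.0.2.127", 25),     # real broadcast of 192.0.2.0/25, last octet not 255
]

if __name__ == "__main__":
    for addr, plen in SAMPLES:
        print(f"{addr}/{plen}: shortcut={naive_is_broadcast(addr)} "
              f"actual={is_subnet_broadcast(addr, plen)}")
    print("misclassified:", misclassified(SAMPLES))
```

A device in the path does not know the prefix length of a remote network, so it has no basis for treating a remote source address as a broadcast from its last octet alone.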