topic ESP traffic dropped by remote party in Firewall and Security Management

ESP traffic dropped by remote party

Wesley_van_der_ — Thu, 30 Jul 2020 07:47:34 GMT

Hi CheckMates,

In a Cluster environment (R80.30) we have a new internet connection and our first task is to migrate the VPN's to the second internet connection. We succesfully did that for multiple VPN's now, but only 2 VPN's have the same issue. I have to say that the new internet connection is a little bit special, since the IP addres of the external interface is used for a transit network with our ISP. The real public IP is on another interface and the ISP routes it to the firewall cluster.

For the last 2 VPN's, we do get succesfully a P1 and P2. Also the remote party is able to sent traffic to us. We can see that traffic in the logs getting decrypted and confirmed that with a packet capture on the Check Point. Unfortunately all the traffic we sent to the remote party, is dropped on the Cisco ASA because the ESP traffic is received on the side from our new external interface ip (the ip used for transit between our Check Point and ISP).

So this is a legitimate reason to drop our traffic of course. But how can we force the Check Point to sent ESP packets with the right source ip adres? Why do only have 2 of the 7 VPN's this issue?

I first thought that it had something to do with routing or link selection. But if that is the case, I do not understand why this setup works for the other 5 VPN's.

Thank you in advance!

Regards,

Wesley

Re: ESP traffic dropped by remote party

Timothy_Hall — Thu, 30 Jul 2020 14:22:01 GMT

Please post the settings from these screens in your configuration, feel free to redact IP addresses as needed. Also is the Main Address on the General Properties screen of the firewall/cluster object set to the transit address or the VPN IP address? Are any of the other working 5 VPNs Cisco?

Re: ESP traffic dropped by remote party

funkylicious — Thu, 30 Jul 2020 14:50:56 GMT

Hi,

IKEv2 ?

If so, I suggest changing to IKEv1

https://community.checkpoint.com/t5/General-Topics/VPN-issue-with-IKEv2-and-Cisco-ASA/m-p/64830#M13243

https://community.checkpoint.com/t5/Next-Generation-Firewall/Site-to-Site-VPN-Check-Point-R80-10-to-Cisco-ASA-Troubleshooting/td-p/22021

Re: ESP traffic dropped by remote party

Wesley_van_der_ — Mon, 03 Aug 2020 06:04:36 GMT

Hi Timothy,

The IP address shown in SmartConsole is a RFC1918 address which is used for the MPLS connection to branch offices. There is also a VPN configured on this interface with the branch offices.

Above you find our current settings. TAC advised us to change the Respond Traffic setting to "use outgoing traffic configuration" instead of "Reply from the same interface".

I thought that these were the only VPN's with a Cisco device, but not 100% sure.

Regards,

Wesley

Re: ESP traffic dropped by remote party

Wesley_van_der_ — Mon, 03 Aug 2020 06:05:40 GMT

All tunnels are IKEv1.

Re: ESP traffic dropped by remote party

Timothy_Hall — Mon, 03 Aug 2020 15:40:47 GMT

On the Interoperable Device objects representing the Ciscos that are having the problem, what is Link Selection set for there?

Re: ESP traffic dropped by remote party

Darren_Fine — Tue, 19 Jan 2021 22:36:07 GMT

Hi Wesley_van_der,

I believe I am experiencing the same issue- did you ever get a solution to this ?

Let me know.