Strange behaviour after R80.20 upgrade

Andrew — Fri, 26 Apr 2019 02:26:50 GMT

Hi,

After completing in-place upgrading our ClusterXL pair from R80.10 to R80.20 we are now experiencing some VPN traffic issues.

We have 14 VPN tunnels between Cisco 887 routers (all in the same community) and they were all working perfectly prior to the upgrade.

After the upgrade we are seeing the following 2 scenarios:

Issue 1: GRE Tunnels stop working when a policy is installed. (Similar to issue 2)

Configuration:

[GRE Router] – [FW CLUSTER] ------- vpn ------- [Cisco 887] --- [Cisco switch]

|___________________ GRE Tunnel ___________________|

When a policy is installed the sites that utilize a GRE across the VPN’s stop working. They will start working again after a variable time ranging from several minutes/hours.

I can get them working immediately again by failing the cluster to the standby member. I can then fail back and everything keeps working.

While it is experiencing the Issue:

- SSH through the VPN works to the Cisco 887 devices.

- Pings work to the Cisco switch interface.

- Other traffic does not get to the Cisco Switch interface. The Cisco switch interface is the GRE tunnel end point so GRE tunnel drops.

Issue 2: VPN Sites with only a Cisco 887

Configuration:

[FW CLUSTER] ------- vpn ------- [Cisco 887] – [Devices e.g. UPS, Cardax]

All VPN links are stating they are up and ping traffic works to all devices. Several sites (not all) are having the below issues where traffic does not work.

- SSH and telnet to the Cisco 887 across the VPN does not work.

- Telnet SSH and HTTP does not work to the UPS connected to the Cisco 887.

- Ping is successful across the VPN to the Cisco 887 and the UPS.

- Disabling SecureXL – all the above traffic works

- Enabling SecureXL – New connections stop working. Existing sessions (e.g. SSH) continue to work.

The following will usually resolve the issue:

- selecting ‘vpn tu’ - Option 7 – Delete all IPsec+IKE SAs for a given peer (GW)

Sometimes the above doesn't work and it may work by selecting option 5 after doing option 7

I have just logged a case with checkpoint.

If anyone has any ideas or has seen this before I'd appreciate any assistance as I'm not sure what to do next?

Also:

Rebooting the Cisco 887 does not resolve the issue.

Both firewalls in the cluster have been rebooted (they were done separately – I have not rebooted both at the same time)

Re: Strange behaviour after R80.20 upgrade

Andrew — Sun, 28 Apr 2019 22:18:47 GMT

About to test this to see if it resolves the issue:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk148872

Re: Strange behaviour after R80.20 upgrade

andy_currigan — Tue, 24 Sep 2019 12:17:33 GMT

HI Andrew,

After upgrading to r80.20 I experience Issue 1: GRE Tunnels stop working when a policy is installed.

Did you find a solution?

thanks.

andy

Re: Strange behaviour after R80.20 upgrade

andy_currigan — Tue, 24 Sep 2019 12:33:46 GMT

forgot to mention that vpn in our case is not ended on our checkpoint so the sk you mention in our case can't be the solution

https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk148872

Re: Strange behaviour after R80.20 upgrade

Andrew — Tue, 01 Oct 2019 06:29:32 GMT

Hi Andy,

SK148872 resolved our issue.

Checkpoint support worked through our issue to get to the resolution.

Good luck.

topic Strange behaviour after R80.20 upgrade in Firewall and Security Management

Strange behaviour after R80.20 upgrade

Re: Strange behaviour after R80.20 upgrade

Re: Strange behaviour after R80.20 upgrade

Re: Strange behaviour after R80.20 upgrade

Re: Strange behaviour after R80.20 upgrade