topic Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP) in Firewall and Security Management

Protocol violation detected with protocol:(IKE Nat traversal - UDP)

TAEKBOM_Kim — Thu, 06 Feb 2020 07:41:36 GMT

Hello

We are seeing this issue. and We have a problem with VPN communication.

Do you have any idea about that?

1. SG5100: R80.10 (Take 249)

2. Topology: 3rd party VPN <--- SG5100 (bridge mode) ---> 3rd party VPN

SG5100 is not set to VPN. It's just a bridge mode firewall.

3. Policy

4. Logs

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Wolfgang — Thu, 06 Feb 2020 07:51:14 GMT

Kim,

first of all. Very interesting policy "any => any, allow" Hope this will be only for testing.

It looks like your VPN partners are not doing correctly the specifications for IKE_NAT-traversal.

You can try to create a new service-object with no protocol definition like this:

and use this service object in your rulebase.

Wolfgang

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

TAEKBOM_Kim — Thu, 06 Feb 2020 08:02:04 GMT

Wolfgang,
Yes, it's only for testing. "any=>any,allow"

I created a new service-object with no protocol definition.
but the result was the same.

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

G_W_Albrecht — Thu, 06 Feb 2020 09:01:42 GMT

Yeah, you get an alert - but what is your issue when i see action accept in log ?

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

TAEKBOM_Kim — Fri, 07 Feb 2020 08:25:43 GMT

G_W_Albrecht.

We have a problem with vpn communication between 3rd party devices.
The vpn service is no problem when removing checkpoint devices.

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Cyber_Serge — Wed, 29 Jul 2020 19:05:08 GMT

I'm seeing similar log for Protocol violation, but it's for (DNS-UDP). Even though the log will say "Allow" for action, it actually cause problem.

Not sure if the packet is drop but the DNS did not resolve. Basically if I do a nslookup from client machine, I'll see a log of Protocol violation coming from internal DNS, and on client machine the nslookup will not resolve the url and just time out.

This doesn't always happen though. It happen from time to time so it's hard to replicate the issue with support on the phone. Just curious what cause it to think there's Protocol violation?

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Cyber_Serge — Wed, 29 Jul 2020 19:30:19 GMT

The temporary workaround we did was a Global Exception rule from the Inspection Settings for said traffic, while waiting on support to figure out what cause it to think there's protocol violation

Re: Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Hitesh_Brahmbha — Fri, 08 Jan 2021 05:43:52 GMT

Every Next Generation firewall maintains protocol signature to validate the authenticity of the protocol/service.
If any traffic does not match with the defined service/protocol signature standard, it will alert you with the protocol violation error message.
In Check Point, Application and URL filtering blade must be in enabled state on the gateway for the protocol signature validation.

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. This option is used to limit the port to the specified protocol.

Regards,
Hitesh Brahmbhatt