topic Re: Protocol 50 (ESP) traversing GW do not reach destination in Firewall and Security Management

Protocol 50 (ESP) traversing GW do not reach destination

abihsot__ — Wed, 13 Jan 2021 11:00:00 GMT

Hello,

R80.40 latest JHF

I have an issue where CP gateway is in the middle between nodes establishing site to site vpn tunnel. Access is opened as per requirements, but some tunnels go down and up sporadically. I was able to narrow down to strange traffic for ESP. Comparing working/not working tunnel I find the following difference

working:

vs_0][ppak_0] x:id[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:i[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:I[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:o[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:O[44]: site1 -> site2_IP1 (50) len=204 id=44641

not working:

[vs_0][ppak_0] x:id[44]: site1 -> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:iD[44]: site1-> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:i[44]: site1-> site2_IP2 (50) len=172 id=22516

fw ctl zdebug + drop |grep "site1" doesn't reveal anything.

any ideas, besides TAC, which is already involved.

Re: Protocol 50 (ESP) traversing GW do not reach destination

PhoneBoy — Wed, 13 Jan 2021 22:07:56 GMT

Does the gateway in question even have VPN enabled?
If so, does it need to?

Re: Protocol 50 (ESP) traversing GW do not reach destination

abihsot__ — Thu, 14 Jan 2021 07:16:15 GMT

Yes, gateway does have VPN blade enabled and it is required.

enabled_blades
fw vpn ips identityServer mon

I found sk167973, but this is not exactly our case. We do not NAT this traffic and we are running higher JHF than mentioned in SK.

Re: Protocol 50 (ESP) traversing GW do not reach destination

abihsot__ — Wed, 20 Jan 2021 16:19:42 GMT

Any idea how to check why traffic is not passing from small "i" to big "I"?

Re: Protocol 50 (ESP) traversing GW do not reach destination

John_Fleming — Wed, 20 Jan 2021 16:34:07 GMT

The debug in that SK doesn't seem to show a drop message. Have you tried that debug vs just doing a drop? I would also send output to a file then grep that file or turn on line buffering in grep just to be safe.

Bandaid warning: Just throwing this out there. If you can get them to switch to NAT-T mode on the vpn tunnel you might be able to work around.