topic Re: VPN Troubles after installing R80.30 Take 228... in Firewall and Security Management

VPN Troubles after installing R80.30 Take 228...

Thomas_Eichelbu — Fri, 02 Apr 2021 09:24:44 GMT

Hello Check Pointers ...

Question:
We did some upgrades on R80.30 clusters from Take 196 to Take 228 and encountered an increase of VPN issues ...
They are hard to grasp in total, but we saw a big increase of outage warnings by our monitoring systems.

for example we saw this is /var/log/message -> but thousends and thousends of them!!!
[fw4_27];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed
[fw4_6];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed
[fw4_6];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed

or

[fw4_13];cphwd_update_crypto_info_and_resume_chain: failed to get sxl_devvfw4_13];FW-1:

and this here.

[fw4_0];cphwd_update_crypto_info_and_resume_chain: corr info (sxl_dev_id:0) - app opaque (sxl_dev_id:32) mismatch
[fw4_0];cphwd_update_crypto_info_and_resume_chain: failed to get sxl_dev
there is an SK for this message -> sk160612

but does not help.

other issues are, Client VPN it sometimes just disconnects, many Stateful Inspection issues in VPN and just instability.
so very unprecise it total.

also i see this messages also on R80.40 Take 94.

and yes we use IPSec Link Selection with LS and ISP Redundancy with Internet and MPLS lines.

-> TAC cases are opened also ... lets see.

best regards

Re: VPN Troubles after installing R80.30 Take 228...

mk1 — Fri, 02 Apr 2021 14:23:52 GMT

Hello @Thomas_Eichelbu ,

We upgraded couple of HA clusters from R80.20 to R80.40 with the latest jumbo 94 and almost of all them which use ISP redundancy have VPN issues. For instance when we check "List all IPsec SAs for a given peer (GW) or user (Client)" with vpn tu for problematic peer we have the following:

IKE SA <968dda368fda4b4e,242e1e63727f3a1c>
(No IPSec SAs)

IKE SA <7d6c24dcd3e9697d,9a9edc436fae11df>
(No IPSec SAs)

IKE SA <d0fbeb6e8966e95d,6bcdc87e88e5c311>
(No IPSec SAs)

IKE SA <e0549c9dc402adc6,3e0eb30596d67909>
(No IPSec SAs)

IKE SA <0aa6e7b39c18bd61,a02b4a5168a19a4d>
(No IPSec SAs)

IKE SA <05943b6d1a73fe36,8d6613131c033a59>
(No IPSec SAs)

When we reset the tunnel everything comes back to normal and after some random period the problem starts again. The issue exists for the VPNs between gateways part of the same management, together with other Check Point devices which are part of another management. We tried to turn off fwaccel but the result was the same. Case is opened to TAC, but they need the results from "heavy VPN debug" which could overload the devices. Please give some updates if you have something useful from TAC.

Thank you!

Re: VPN Troubles after installing R80.30 Take 228...

Thomas_Eichelbu — Fri, 02 Apr 2021 14:37:21 GMT

Hello,

i have seen that too ... i updated a cluster from R80.30 to R80.40 Take 94 ...
Link Selection in HA and ISP Redundany were configured ...

all tunnel to the remote sites were off after installing both machines ...
the tunnel went on and off in a rapid manner ...
but client vpn worked and safed my day 🙂
a tunnel reset for all tunnels had helped ...
now all is stable ... perhaps a one time wonder ..
but the messages from /var/log/messages are still present.

-> TAC is already working on the log entries ... i keep you updated!