topic Re: Occasional failing Echo Reply in Firewall and Security Management

Occasional failing Echo Reply

Hugo_vd_Kooij — Tue, 23 Jan 2024 12:33:49 GMT

We have a customer which has a VPN from Portugal to the Netherlands. The Portugese site is a 1570 with R80.20 and the central site is a cluster with 6000 appliances running R81

Customer has a contact in Portugal who has started a contious ping and every now and then we loose a packet. In the logs I see Encrypt in Portugal and Decryp in the Netherlands. But every now and again in between these log entries there is a DROP on the echo-reply packet. with the additional information: ICMP reply does not match a previous request. This happens about 9 to 10 times per hour.

The ICMP virtual session timeout is set to 30 seconds under global properties. Which seems enough as the roundtrip over the VPN is just under 50 ms.

Customer also has a continous ping open to the router just in front of the firewalls in the Netherlands and that does not show any dropped packets.

Bsed on https://support.checkpoint.com/results/sk/sk66443 I would have to run a packet capture to see what happens.

Anyone any other suggestions?

Re: Occasional failing Echo Reply

Hugo_vd_Kooij — Tue, 23 Jan 2024 13:01:38 GMT

Packet capture on the central side was easy. I saw 2 instances where the logs shows a dropped reply packet and the central firewall shows a gap of 5 seconds where there is a normal echo request and echo reply every second. So I need to do this at both ends at the same time. to learn more.

Re: Occasional failing Echo Reply

the_rock — Tue, 23 Jan 2024 13:30:59 GMT

I dont like that "solution" from the sk at all. All that does is says uncheck "drop out of state", which is not even good workaround in my mind. I know it says as immediate workaround, but then obviously, who knows how much time it can take to find permenant fix. Here is how I always fixed this issue in the past...screenshots attached.

Best,

Andy

Re: Occasional failing Echo Reply

Hugo_vd_Kooij — Tue, 23 Jan 2024 13:32:38 GMT

Done fw monitor on the 1570 and packet wise there is nothing wrong with the reply but it fails to pass.

So this seems like bad behaviour of the appliance and I will create a TAC case for it. As I see other bad signs on the unit as well. (vmcore files of the last few days, .....

Re: Occasional failing Echo Reply

Hugo_vd_Kooij — Tue, 23 Jan 2024 14:20:46 GMT

Hmmm. Global properties means it will impact a few dozen other VPN's as well. Not even sure this is an issue with losing SA's in the first place. Let me fetch the vpn deg ikeon output. to see if it makes any sense.

Re: Occasional failing Echo Reply

the_rock — Tue, 23 Jan 2024 14:29:55 GMT

Thats right, its global setting.

Andy

Re: Occasional failing Echo Reply

Hugo_vd_Kooij — Tue, 23 Jan 2024 14:51:16 GMT

Looking at the ike log it does not appear to be a VPN issue.

At 14:22:05 there is an issu with the echo-reply packet being dropped. There is no chnage in the VPN between 14:03:06 and 14:38:09 so the cause of this particular issue is not VPN in itself.

However seeing 4 times a Phase 1 build up in less then an hour is not a sign of a healthy VPN.

Re: Occasional failing Echo Reply

the_rock — Tue, 23 Jan 2024 14:58:11 GMT

Thats fair assesment.

Andy