topic Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41 in Firewall and Security Management

Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Anandsekar — Mon, 08 Jul 2024 19:15:59 GMT

Ipsec tunnel down phase 2 after upgrading to r81.20 take 41 and ipsec tunnel is unstable

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Lesley — Mon, 08 Jul 2024 21:06:26 GMT

More info?

- what verion you came from

- what you see in logs

- cp to cp or cp to vendor

- both sides unstable

- global encryption domain or per community

etc

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Anandsekar — Tue, 09 Jul 2024 12:34:12 GMT

- what verion you came from -- R81.10 JHF Take 79 to R81.20 Take 41

- what you see in logs -

- cp to cp or cp to vendor -- Checkpoint to checkpoint LSM security gateways.

- both sides unstable - yes

- global encryption domain or per community - on all tunnel in the community

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Anandsekar — Tue, 09 Jul 2024 17:07:11 GMT

- what verion you came from : - R81.10 Take 79 to R81.20 Take 41

- what you see in logs : -

- cp to cp or cp to vendor : CP to CP those are LSM security gateways management by smart provisioning

- both sides unstable : yes

- global encryption domain or per community : -

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Lesley — Tue, 09 Jul 2024 20:20:17 GMT

Hmmm unclear error. Maybe VPN debug could give more info.

https://support.checkpoint.com/results/sk/sk180488

In the mean time maybe you can check the basics. This will be as I assume certificate based tunnel.

So maybe check if the CRL check is working:

https://support.checkpoint.com/results/sk/sk108632

https://support.checkpoint.com/results/sk/sk32648

Also check if the VPN certificates are still valid:

https://support.checkpoint.com/results/sk/sk178304

This is not a Gaia embedded gateway right?

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

JP_Rex — Wed, 10 Jul 2024 10:02:12 GMT

Hello,
what LSM Gateways do you use and what Version are they running on?

Is there a Log Entry from an LSM GW?

Regards

Peter

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

Anandsekar — Wed, 10 Jul 2024 13:00:34 GMT

what LSM Gateways do you use and what Version are they running on? : 1100 & 1430 Appliance and which are running on R77.20.87 (990173004).

Is there a Log Entry from an LSM GW? :No

Re: Ipsec tunnel down phase 2 after upgrading to r81.20 take 41

the_rock — Wed, 10 Jul 2024 13:47:43 GMT

Ike failure usually means phase 1 is down, not phase 2. Can you run vpn tu and check what it shows when you filter for that specific tunnel?

Or try below options.

Andy

vpn tu list ike
vpn tu list ipsec
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
vpn tu list tunnels
vpn tu tlist
vpn tu mstats
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del ipsec ip-addr from ip-addr to ip-addr
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
vpn tu del ip-addr from ip-addr to ip-addr
vpn tu conn