topic Problem with VPN & PPPoE: R81.20 - Build 039 in Firewall and Security Management

Problem with VPN & PPPoE: R81.20 - Build 039

Masek — Sat, 02 Nov 2024 17:36:49 GMT

Hi,

I replaced my Check Point SMB 1550 with a Quantum 3600 and I cannot get the tunnel to Harmony SASE working again.

As far as I can debug it, the packet get encrypted but never leave the firewall.

The VPN is up:

IKE:

Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:

IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7

IPsec:

Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:

IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7
INBOUND:
1. 0x2a45d4a5 (i: 2)
OUTBOUND:
1. 0xc5850354 (i: 2)

I see the packets coming in through "fw monitor"

[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48460
ICMP: type=8 code=0 echo request id=14 seq=139
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48945
ICMP: type=8 code=0 echo request id=14 seq=140
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=49316
ICMP: type=8 code=0 echo request id=14 seq=141

But the packets don't make it to the network: "fw ctl zdebug drop shows" me

@;6607.255;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;
@;6608.256;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;

This really weird, because the firewall itself can ping the system:

[Expert@fortress-new:0]# ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=64 time=1.02 ms

The destination network is a bridging interface (br0).

Yours, Martin

Re: Problem with VPN & PPPoE: R81.20 - Build 039

Chris_Atkinson — Sun, 03 Nov 2024 10:54:18 GMT

Which JHF (Jumbo) is installed on this system and could you please share a simple diagram of the topology?

Re: Problem with VPN & PPPoE: R81.20 - Build 039

Masek — Sun, 03 Nov 2024 10:58:12 GMT

Installed the latest recommended JHF (89?)
Had to roll back and disconnect the system

Re: Problem with VPN & PPPoE: R81.20 - Build 039

Masek — Sun, 03 Nov 2024 17:28:27 GMT

It was Take 89. I am rebuilding the system and try it without a bridging interface

Re: Problem with VPN & PPPoE: R81.20 - Build 039

carlos_luz — Mon, 06 Jan 2025 13:41:41 GMT

Is there one update about this test @Masek , i had the same problem in my LAB enverioment.

Re: Problem with VPN & PPPoE: R81.20 - Build 039

Masek — Mon, 06 Jan 2025 18:32:32 GMT

Use migrate_server for backup/restore at the moment...

Re: Problem with VPN & PPPoE: R81.20 - Build 039

carlos_luz — Mon, 06 Jan 2025 18:45:43 GMT

I had the same problem and after changed the Bridge to Physhical interface the problem stop...

But i had this in one LAB enverioment, but i think there is necessary open one Case.

Re: Problem with VPN & PPPoE: R81.20 - Build 039

Nigel_Todd — Tue, 25 Feb 2025 11:31:05 GMT

Did you find a solution to the problem?

Thanks

Nigel