https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9717#M548 <HTML><HEAD></HEAD><BODY><P>Hi Checkmates,</P><P></P><P>We are working on a migration project and we are facing a strange issue.</P><P>The architecture is quite simple :</P><P>- Cluster of 5800 appliances, R80.10 + jumbo 154</P><P>- Management is a R80.10 VM.</P><P></P><P>Everything seems fine except VPN. Only 4 VPN amongs 7 are working. Not always the same, but never more than 4.</P><P>For the failed VPNs, we've discovered that outgoing IKE packet are dropped by the active member :</P><P></P><P>;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 a.a.a.a:500 -&gt; b.b.b.b:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;</P><P></P><P>a.a.a.a : cluster IP</P><P>b.b.b.b : peer IP</P><P></P><P>We have contacted the TAC and they've collected multiples captures. For now, nobody seems to be able to explain why the gateway drops its own IKE packets.</P><P></P><P>According to TAC, sk124732 doesn't applied.</P><P></P><P>If anyone knows what "fwconn_key_init_links (OUTBOUND) failed" could means ...</P><P></P><P>Thanks for your help !</P></BODY></HTML> Tue, 27 Nov 2018 21:42:45 GMT Benoit_Verove 2018-11-27T21:42:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9717#M548 <HTML><HEAD></HEAD><BODY><P>Hi Checkmates,</P><P></P><P>We are working on a migration project and we are facing a strange issue.</P><P>The architecture is quite simple :</P><P>- Cluster of 5800 appliances, R80.10 + jumbo 154</P><P>- Management is a R80.10 VM.</P><P></P><P>Everything seems fine except VPN. Only 4 VPN amongs 7 are working. Not always the same, but never more than 4.</P><P>For the failed VPNs, we've discovered that outgoing IKE packet are dropped by the active member :</P><P></P><P>;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 a.a.a.a:500 -&gt; b.b.b.b:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;</P><P></P><P>a.a.a.a : cluster IP</P><P>b.b.b.b : peer IP</P><P></P><P>We have contacted the TAC and they've collected multiples captures. For now, nobody seems to be able to explain why the gateway drops its own IKE packets.</P><P></P><P>According to TAC, sk124732 doesn't applied.</P><P></P><P>If anyone knows what "fwconn_key_init_links (OUTBOUND) failed" could means ...</P><P></P><P>Thanks for your help !</P></BODY></HTML> Tue, 27 Nov 2018 21:42:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9717#M548 Benoit_Verove 2018-11-27T21:42:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9718#M549 <HTML><HEAD></HEAD><BODY><P>The error message seems to be NAT related, specifically when the attempt to NAT fails for one reason or another.</P><P>It comes up here (among other places):&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk124732" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk124732">Traffic is not NATed correctly</A>&nbsp;</P></BODY></HTML> Wed, 28 Nov 2018 04:49:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9718#M549 PhoneBoy 2018-11-28T04:49:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9719#M550 <HTML><HEAD></HEAD><BODY><P>Hi Dameon,</P><P></P><P>Thanks for the hint. Indeed something seems to go wrong with NAT. I will also check if the <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk41916&amp;partition=Advanced&amp;product=Security">sk41916</A> might applied</P><P></P><P>Regards,</P><P></P><P>Benoit</P></BODY></HTML> Wed, 28 Nov 2018 08:28:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9719#M550 Benoit_Verove 2018-11-28T08:28:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9720#M551 <HTML><HEAD></HEAD><BODY><P>Also make sure it is not the backup firewall sending out packets through the primary.</P><P>This is something we see a lof if people start to monitor both firewalls with SNMP over the VPN connection.</P></BODY></HTML> Wed, 28 Nov 2018 09:00:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9720#M551 Hugo_vd_Kooij 2018-11-28T09:00:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9721#M552 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We finaly solved our issue. It was a simple NAT rules that was conflicting with IKE trafic.... Rebuilding a narrowed NAT rule, and all the VPN came up !</P><P></P><P>Regards,</P><P></P><P>Benoit</P></BODY></HTML> Tue, 11 Dec 2018 14:26:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/9721#M552 Benoit_Verove 2018-12-11T14:26:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/214995#M41073 <P>Hi,</P><P>How did you resolved? My customer is using a openserver cluster with R80.40 take 161 and we have an issue related to VPN Site-to-site. The tunnel is established but during the day, some times the tunnel is disconnected and come up later. We´ve tried some configurations to avoid it but the tunnel still come down few times on the day.</P> Wed, 22 May 2024 12:40:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-fwconn-key-init-links-OUTBOUND-failed/m-p/214995#M41073 jslima 2024-05-22T12:40:41Z