topic Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2) in General Topics

IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Debon27 — Tue, 29 Jun 2021 21:12:18 GMT

Hi, we are facing a weird issue with one of out gateways trying to connect to a third party device. The tunnel was working fine until it went down and now it is not even possible to establish phase1. I am seeing the following in the vpn.elg file:

[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 181.4.26.12 returned obj: 0x9ba1ad0
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] GetEntryCommunityHashX: received ipaddr: 12.26.4.181 as key, found community: S2S_3Party
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] FindCommonCommunity: Found common community (IPv4 addr=12.26.4.181) (S2S_3Party) for GW_remote
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] --> CCplogUtils::FillVarArg
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: IKEv2
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: Initial exchange: Exchange failed: timeout reached.

In tcpdump I can see that the IKE negotiation is stuck in IKE_SA_INIT phase, but I can see Initiator Request and Responder Response messages every time, but negotiation fails. Any idea about what could be happening? Thanks.

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

PhoneBoy — Thu, 01 Jul 2021 21:58:36 GMT

Maybe fw ctl zdebug drop | grep x.y.z.w will tell you if the packet is actually getting dropped for some reason?

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

the_rock — Fri, 02 Jul 2021 02:26:02 GMT

Im pretty sure I know answer to this, but what is the 3rd party you are referring to?

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Timothy_Hall — Fri, 02 Jul 2021 13:33:38 GMT

My thoughts exactly, the remote device is not a Cisco and is probably a Juniper/Fortinet/Sonicwall which will silently discard any subnet/Proxy-IDs proposals it doesn't like.

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

the_rock — Fri, 02 Jul 2021 14:01:37 GMT

I was more thinking one of the cloud providers actually.

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Debon27 — Tue, 06 Jul 2021 08:38:05 GMT

Thank you, going to do that if the tunnel goes down again. It is UP now and working for some days for some reason.

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Debon27 — Tue, 06 Jul 2021 08:52:58 GMT

3rd party is a cloud provider and using an unknown device based on Linux.

Re: IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Debon27 — Tue, 06 Jul 2021 08:58:47 GMT

It looked more like an issue from Check Point side, because I was seeing incoming Responder Response packets from the cloud provider, and the Check Point was showing messages related to timeout and invalid incomming message.

Anyway, the tunnel has been up since some days ago and I have opened a case to TAC.

Thanks everyone for your help and messages.