topic Re: error Clear text packet should be encrypted in General Topics

error Clear text packet should be encrypted

bezeq_int — Fri, 08 Mar 2024 16:27:15 GMT

Yesterday we upgraded the mgmt from r80.40 to r81.20

and we have two firewalls still on r80.40

the site to site on the firewalls still up but the icmp/snmp traffic generated from same source ip addresses in the tunnel are being dropped with this error message:

@;3243628120;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 x.x.x.x:56134 -> y.y.y.y:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

@;3243632857;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:52 ->y.y.y.y:0 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

on the mgmt we edited this file: //opt/CPsuite-R81.20/fw1/lib/crypt.def last lines to:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

the problem is still occurring

how to fix this ?

please advice

thanks

Re: error Clear text packet should be encrypted

the_rock — Fri, 08 Mar 2024 16:40:31 GMT

Let me see if I can find some stuff about this, it might be known issue if gateways are still on R80.40

Andy

Re: error Clear text packet should be encrypted

the_rock — Fri, 08 Mar 2024 16:41:46 GMT

K, found it...MAKE SURE to backup the files first, of course

# cd $FWDIR/conf

# cp user.def.FW1 user.def.R8040CMP

Thats it. Then push the policy.

Andy

Re: error Clear text packet should be encrypted

bezeq_int — Fri, 08 Mar 2024 17:07:34 GMT

No sir, that also did not fix the issue

[Expert@CP-MGMT:0]# cd $FWDIR/conf
[Expert@CP-MGMT:0]# pwd
/opt/CPsuite-R81.20/fw1/conf
[Expert@CP-MGMT:0]# ll | grep user.def
...
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
...
-rw-r----- 1 admin bin 732 Nov 16 2022 user.def.R8040CMP
...
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# cp user.def.FW1 user.def.R8040CMP
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# ll | grep user.def.FW
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
[Expert@CP-MGMT:0]# ll | grep user.def.R
....
-rw-r----- 1 admin bin 882 Mar 8 18:56 user.def.R8040CMP

Re: error Clear text packet should be encrypted

the_rock — Fri, 08 Mar 2024 17:28:25 GMT

Did you install the policy?

Re: error Clear text packet should be encrypted

bezeq_int — Fri, 08 Mar 2024 17:35:46 GMT

sure i did 🙂

Re: error Clear text packet should be encrypted

the_rock — Fri, 08 Mar 2024 18:07:33 GMT

K, fair enough. If thats the case, I dont want to tell you to modify anything else with that file, as Im worried we may make it worse and no one wants that on the weekend lol

Anyway...maybe reverse all the changes and lets take a step back here. So, IF its saying clear packet should be encrypted, logically, that insinuates to me that something is missing in the enc. domain possibly...can you check?

Best,

Andy

Re: error Clear text packet should be encrypted

bezeq_int — Fri, 08 Mar 2024 18:39:45 GMT

thankyou

we'll check with TAC

Re: error Clear text packet should be encrypted

_Jelle — Mon, 18 Nov 2024 15:26:47 GMT

Hi bezeq_int,

So, it's a while ago but any chance you could still share the outcome of your TAC case? Would be great for me but also other people crawling these topics.

Re: error Clear text packet should be encrypted

KeonNg — Tue, 23 Dec 2025 03:10:15 GMT

Hi @bezeq_int

Seeking for your update as well the feedback from TAC. Thank you.

What I suspect from here is that whether you need to remove the line:

#define NON_VPN_TRAFFIC_RULES 0

since you have rules define:

#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)

But im not sure.

Re: error Clear text packet should be encrypted

Bob_Zimmerman — Tue, 23 Dec 2025 15:19:11 GMT

This message means the source is in a peer's encryption domain and the destination is in the local encryption domain. The firewall is saying it should have received this traffic over a VPN with that peer.

Think of it like antispoofing for VPNs.

"According to the policy, the packet should not have been decrypted" is similar, but the other way around: the local system decrypted the packet, but the source isn't in that peer's encryption domain or the destination isn't in the local encryption domain.

Re: error Clear text packet should be encrypted

the_rock — Tue, 23 Dec 2025 15:46:53 GMT

See if this explanation by @Bob_Zimmerman helps. I know maybe not exact same scenarion, but it is relevant.

https://community.checkpoint.com/t5/Security-Gateways/Unnumbered-VTI-to-3rd-party-gateway/m-p/137471#M29245

Re: error Clear text packet should be encrypted

the_rock — Fri, 02 Jan 2026 02:44:07 GMT

Hey mate,

Happy new year!

Any progress with this?