topic Re: Cannot Establisth VPN between 1555 and 1575 in Spark Firewall (SMB)

Cannot Establisth VPN between 1555 and 1575

sx8n20394 — Sat, 02 Aug 2025 21:59:58 GMT

We have two new 1555 and 1575 Quantum Spark gateways. Both are the latest version R81.10.17. When we setup a VPN tunnel the 1575 create a tunnel and can ping the LAN interface on the 1555. The 1555 creates the tunnel ( VPN TU shows there are tunnels) but we cannot ping the interface on the 1575. When we first set it up, it worked perfectly. It eventually went down in the middle of the night and we cannot get it back up no matter what. We contacted support and they were clueless and told me I have to wait until Sunday night (this is a critical matter, company relies on this tunnel to be up 24/7). I deleted the tunnels, re-recreated, cleared SAs in VPU TU, rebooted both firewalls, nothing works. The company I installed these for isn't very pleased. They are telling me they want to go back to their 10+ year old Barracuda's and want their money back because I can't get a simple site to site VPN setup. BTW I manage 50+ Quantum spark and it seems like VPN tunnels get worse and worse through the years. I still have 700 series tunnels that haven't dropped in 8 years, but these new 1500s can't hold a tunnel for a couple hours.

Also, btw, all of the traffic selectors are fine. I am just doing what I always do and let the checkpoint handle the local encryption domains automatically.

Also both are locally managed.

Here are the errors I am getting,

Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <redacted> <255.255.255.254> <224.0.0.0 - 224.0.0.255> MyTSr: <redacted> <192.168.90.0 - 192.168.90.255> <224.0.0.0 - 224.0.0.255> Peer TSi: <192.168.90.0 - 192.168.90.255>

Child SA exchange: Exchange failed: timeout reached.

IKE failure: Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs: 9eabb7e44f833352:50570df6387b0035

dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted;

Re: Cannot Establisth VPN between 1555 and 1575

Chris_Atkinson — Sun, 03 Aug 2025 06:38:28 GMT

Which specific build of R81.10.17 is used?

Are you trying to do multicast traffic across the VPN (e.g. OSPF over VTI) or have you just chosen that line at random?

Are either of the gateways DAIP, what else can you tell us about the setup?

Re: Cannot Establisth VPN between 1555 and 1575

Alex- — Sun, 03 Aug 2025 15:25:27 GMT

FWIW, I've much less experience with Spark than GAIA when I compare it to yours, but I always use manually defined domains rather than "match topology" as I tend to find them more reliable. Also, if you use certificates and exchanged CA, ensure CRL check is off or it is reachable. There are other considerations depending of your setup.

Re: Cannot Establisth VPN between 1555 and 1575

the_rock — Sun, 03 Aug 2025 15:40:09 GMT

I would do exactly what @Alex- suggested, makes total sense to me.

Andy

Re: Cannot Establisth VPN between 1555 and 1575

sx8n20394 — Mon, 04 Aug 2025 15:30:49 GMT

I factory reset the device and everything is fine now. I'm lucky this wasn't one of my devices out of state or else I'd be hopping on a plane to reset a firewall.

Re: Cannot Establisth VPN between 1555 and 1575

the_rock — Mon, 04 Aug 2025 15:46:11 GMT

Great job!