topic Re: VPN site to site fwconn_key_init_links (OUTBOUND) failed in Spark Firewall (SMB)

VPN site to site fwconn_key_init_links (OUTBOUND) failed

rozkie20 — Wed, 12 Nov 2025 10:12:08 GMT

Hello everyone,

We are currently migrating a Site-to-Site VPN between two Check Point 1555 gateways from locally managed mode to centrally managed mode via SmartConsole (SMS).

Site details:

Branch Gateway (CP-1555)

Public IP: 192.168.168.201 (connected to SMS via public IP)
Encryption Domain: 10.17.36.0/24

Head Office Gateway (CP-1555)

Public IP: 192.168.168.156
Interface connected to SMS: 10.17.30.6
Encryption Domain: 10.17.31.0/24, 10.17.34.0/24, 10.17.38.0/24, 10.17.4.0/24, ...

After configuring the VPN Community and Encryption Domains, we are unable to establish the VPN tunnel. The following log appears in fw ctl zdebug drop:

@;510065576;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.168.156:500 -> 192.168.168.201:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

In SmartView Monitor, the VPN tunnel mostly shows as Down, though occasionally it briefly appears as Up.

We noticed that the Branch Gateway is attempting to connect to the Head Office gateway via the private interface (10.17.30.6) instead of the public IP (192.168.168.156).

Since this is a migration, I suspect there might be a conflict between the previous locally managed VPN configuration and the new centrally managed setup. I have collected advanced VPN debug logs, but I am not sure how to interpret them.

Has anyone faced a similar issue or can share experience with analyzing these debug logs?
Any guidance would be greatly appreciated.

BR,

Tin Tran

Re: VPN site to site fwconn_key_init_links (OUTBOUND) failed

AkosBakos — Wed, 12 Nov 2025 10:39:40 GMT

Hi,

Have you check this sk?

https://support.checkpoint.com/results/sk/sk106682

Because of the local > central migration, the Global Properties differ. But before you change anything in the Global Properties, consider the impact of the change.

Akos

Re: VPN site to site fwconn_key_init_links (OUTBOUND) failed

rozkie20 — Wed, 12 Nov 2025 11:21:37 GMT

Hi Akos,

This feature already enable on R82

Re: VPN site to site fwconn_key_init_links (OUTBOUND) failed

the_rock — Wed, 12 Nov 2025 17:59:50 GMT

Hey there,

Are you able to check if it fails on phase 1 or 2? Because on phase 1, it would be more related to most likely enc settings/PSK, but if its phase 2, then usually its something with VPN enc. domains. Just run vpn tu and check there or one of below:

vpn tu list ike
vpn tu list ipsec
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
vpn tu list tunnels
vpn tu tlist
vpn tu mstats
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del ipsec ip-addr from ip-addr to ip-addr
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
vpn tu del ip-addr from ip-addr to ip-addr
vpn tu conn

Re: VPN site to site fwconn_key_init_links (OUTBOUND) failed

rozkie20 — Wed, 19 Nov 2025 07:37:16 GMT

Opened case with TAC. Because we use one Public IP for management and VPN so it conflict when remote gateway try to negotia VPN with SMS so we have try to use another Public IP so this issue was fixed