topic VPN traffic getting blocked in Spark Firewall (SMB)

VPN traffic getting blocked

faheb1 — Fri, 19 Aug 2022 06:05:22 GMT

HI
Im getting this problem,

Source: Print Server(172.20.15.52)

Dest: Printer(192.168.15.210)

Src and Dst are under a Site to site VPN.

I have checked the logs. I have attached the logs. What might be the issue ?

there are other log which seeems to be allowed check 4.log image

Firewall: Checkpoint SMB Appliance 910

Firemware: R77.30

Re: VPN traffic getting blocked

Piet_vd_Maas — Fri, 19 Aug 2022 07:12:55 GMT

2.logs.png shows an IKE failure.

Is other traffic working trough that VPN tunnel?

Re: VPN traffic getting blocked

faheb1 — Fri, 19 Aug 2022 07:21:10 GMT

I have seen one log that icmp/ping is working. but cant find the log now.

Besides, Log4 image shows that some traffic is flowing. however, majority is getting block for that destination. What should i check ? recently the PeerGateway ip was changed. after that we are having this problem. My client tried traceroute from his ip

Source: 172.20.15.76

Fw LAN : 192.168.50.54 (Form Core Switch)

C:\Users\scanpp>tracert 192.168.15.210

Tracing route to 192.168.15.210 over a maximum of 30 hops

1 1 ms 2 ms 1 ms 172.20.15.1
2 <1 ms * * 172.20.15.2 (Core Switch)
3 <1 ms <1 ms <1 ms 192.168.50.54 --- FW
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12

Re: VPN traffic getting blocked

faheb1 — Fri, 19 Aug 2022 07:22:08 GMT

[Expert@ScanConnectFW02]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

Enter IP of peer (format: xxx.xxx.xxx.xxx): A.A.A.A

Peer A.A.A.A SAs:

1. SPI's related to IKE SA <20012e163a402797,684343b0201ad46e>:

2. SPI's related to IKE SA <24e22e54dfdc23ea,74aa4a4a736e535f>:

3. SPI's related to IKE SA <d27a77ee1af9ceda,73239d6b0a6514c3>:

4. SPI's related to IKE SA <72b61a621efe15d6,26f908e01a73194f>:

Hit <Enter> key to continue ...

Re: VPN traffic getting blocked

AndréTinoco — Fri, 19 Aug 2022 08:08:56 GMT

Phase2 doesn't seem to be completed. Can you check logs between the two public addresses (of the vpn peers) to see the VPN negotiation?

Confirm the P2 configuration on both sides and confirm the networks are also the same on both sides. Also confirm you have security rules on your side for that traffic.

Re: VPN traffic getting blocked

Piet_vd_Maas — Mon, 22 Aug 2022 07:18:57 GMT

Is your issue solved?

Re: VPN traffic getting blocked

faheb1 — Mon, 22 Aug 2022 12:28:56 GMT

I have used Ikeview and found that Phase-1(P1 Main mode) ok but Phase2 QM Packet-1 has errors. I have asked the remote Gateway admin to share the config. Need to cross check if there are any changes in their side config.

Can someone tell me Why Egress traffic are failing but Ingress traffic is getting in ??

Re: VPN traffic getting blocked

the_rock — Mon, 22 Aug 2022 16:56:21 GMT

Phase 2 is in my experience always an issue with vpn domains not being presented properly or supernatting. Make sure that remote gateway interoperable object is set with right encryption domain.

Re: VPN traffic getting blocked

Piet_vd_Maas — Mon, 22 Aug 2022 17:48:47 GMT

Sounds like a routing issue indeed. @faheb1 you also mentioned the issues started after a IP change of the peer gateway.

Re: VPN traffic getting blocked

faheb1 — Tue, 23 Aug 2022 07:40:21 GMT

Checked the routing. Found a problem . It seems like a typo. I have fixed it. Need to check it tomorrow by client. VPN shows up. I will let you know the result.