cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further.

Thanks

6 Replies
Danny
Pearl

Re: R80.10 Gateways drops traffic after policy Install

Which R80.10 Jumbo Hotfix do you have installed?

What is the output of: fw ctl zdebug drop | grep <IP of dropped traffic>

What is the output of: fw monitor

Did you use any of the troubleshooting commands our ccc script provides?

0 Kudos

Re: R80.10 Gateways drops traffic after policy Install

 Please check your connection persistence settings of the gateway were you are installing the policy.

Let me know what have you selected from below :
1: keep all the connections
2: keep data connections
3: Rematch all the connections

If Rematch all the connections is enabled, Then select keep all the connections. 

and check if are facing any issues. 

If it does not work, follow the above procedure given to isolating the issue.

0 Kudos

Re: R80.10 Gateways drops traffic after policy Install

We have just upgraded our R77.30 gateways to R80.10 and now whenever we install a policy our AWS and Amazon VPN’s go down and will only come back up if we use ‘vpn tu’ option 7.

any idea why as this has become a big issue as we have 20+ VPN’s running on the gateway in question,

0 Kudos

Re: R80.10 Gateways drops traffic after policy Install

By default all IKE Phase 1 tunnels are invalidated every time policy is installed which can sometimes cause this behavior, try checking keep_IKE_SAs in the SmartConsole under Global Properties...Advanced...Configure...VPN Advanced Properties...VPN IKE Properties".

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: R80.10 Gateways drops traffic after policy Install

I have seen NAT-T cause issues similar to this, might want to try disabling and test your policy push. 

0 Kudos

Re: R80.10 Gateways drops traffic after policy Install

Thank you all that replied. We did enable keep_IKE_SAs but this didn't fully fix the issue. In the end we had to get the remote peer vpn's reset. This appears to have resolved the issues we had following the upgrade.

0 Kudos