VPN traffic accepted instead of being encrypted

Good Day Everyone!

We have a checkpoint gateway running R77, which has a VPN with a Cisco ASA, everything was fine until we started having latency issues.

After troubleshooting, we saw that SOME of the traffic/connections which were supposed to be "encrypt" were being "accept", i.e. being accepted and getting dropped when they reached the ISP because of the private destination IP (which is part of the remote peer's encryption domain).

Taking a look at the historic logs showed us that this "accept" behaviour has been seen for a long time and hasn't caused any issues until today.

Taking a look at the rule, we saw that the VPN column was set to "Any Traffic" and not to the specific VPN community.

We are thinking of adding the specific community to the VPN column to fix this (not 100% sure if this is going to work).

Could there be any other reason why this could be happening?
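As an added example (not from the original thread or from Check Point), a small Python checker for the kind of historic-log review described above: it flags connections whose destination lies inside the remote peer's encryption domain but which were logged with action accept instead of encrypt. The key=value log format, field names, rule numbers and networks are constructed assumptions, not real R77 log output.

```python
import ipaddress
import re

# Constructed sample log lines in a simplified key=value layout (assumption:
# not real gateway output). Each line carries the action, src, dst, the rule
# hit and the VPN community that applied (empty when sent in clear).
SAMPLE_LOGS = """\
time=10:01:02 action=encrypt src=10.1.1.5 dst=192.168.50.10 rule=12 vpn_community=ASA-VPN
time=10:01:03 action=accept src=10.1.1.5 dst=192.168.50.10 rule=12 vpn_community=
time=10:01:04 action=accept src=10.1.1.9 dst=8.8.8.8 rule=20 vpn_community=
time=10:01:05 action=encrypt src=10.1.1.7 dst=192.168.51.22 rule=12 vpn_community=ASA-VPN
time=10:01:06 action=accept src=10.1.1.7 dst=192.168.51.22 rule=12 vpn_community=
"""

# Remote peer's encryption domain (constructed example networks).
REMOTE_ENC_DOMAIN = [
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("192.168.51.0/24"),
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))


def in_encryption_domain(dst, domain):
    """True if the destination address falls inside any network of the domain."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in domain)


def find_cleartext_leaks(log_text, domain):
    """Return log records that should have been encrypted (dst inside the
    peer's encryption domain) but were logged with action 'accept'."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dst" not in rec:
            continue
        if rec.get("action") == "accept" and in_encryption_domain(rec["dst"], domain):
            leaks.append(rec)
    return leaks


def summarize_by_rule(leaks):
    """Count leaked connections per rule number, to see which rule's VPN
    column needs to be pinned to the specific community."""
    counts = {}
    for rec in leaks:
        counts[rec.get("rule")] = counts.get(rec.get("rule"), 0) + 1
    return counts
```

Running it over a real log export only needs parse_line adapted to the exporter's field names; the accept-to-encryption-domain test is what matters.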

3 Replies
Vladimir
Pearl

Re: VPN traffic accepted instead of being encrypted

Please check the "excluded services in VPN community" to see if those are present there.

Additionally, "Any" in the VPN column is literally "any, clear or encrypted".

So if your peer fails to include the same networks in their encryption domain as you have defined in yours, your traffic will be sent out in clear text.

Matching specific community is a better option, IMHO.

Re: VPN traffic accepted instead of being encrypted

Thank you for your response. We would definitely change the config and add the specific VPN community.

What I don't understand is why at certain times the same traffic is being accepted and at other times being encrypted.

The accepted action means that the traffic doesn't go through the VPN and hence triggers a re-transmit, and the performance issue begins.

0 Kudos
Vladimir
Pearl

Re: VPN traffic accepted instead of being encrypted

If this is a VPN with a non-Check Point device, the difference in how often the key exchange is happening could perhaps be the culprit.

For instance, one of the vendors supports renegotiation based on a volume limit in addition to the lifetime.

The lifetimes may be out of whack, and renegotiation is dependent on traffic initiated by the remote VPN peer.

In this instance, once the session times out, you will be sending traffic in clear.