KevinA
Participant

Drops on Remote Access VPN

Hi All,


So we have configured Remote Access (IPsec) and have a strange issue with random packet drops to internal network hosts.

172.16.10.2 is the office mode IP and 192.1.1.5 is the DNS server inside the network.

All the traffic is being forced through the gateway, so no split tunnel.

The client we are using is Check Point Mobile, and no Mobile Access blade is enabled.

My VPN domain is manually defined and only includes the 192.1.1.0/24 subnet.

I did come across this when running a debug:

[Expert@FP-CP-VM:0]# fw ctl zdebug + drop | grep 172.16.10.2
@;6537067;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=17 172.16.10.2:56289 -> 192.1.1.5:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;


What exactly does this mean - vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;


Has anyone else come across this issue?

I'm still learning my way around Check Point, so please let me know if you need any additional outputs or information.


Cheers,

Timothy_Hall
Champion

Does your gateway have more than one external interface or ISP?  If so you need to check "Support connectivity enhancement for gateways with multiple external interfaces" on the VPN Clients...Office Mode screen of your gateway object and reinstall policy.  

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
KevinA
Participant

Hi Timothy, it's already selected.

HeikoAnkenbrand
Champion

Hi @KevinA,

Just an idea!

  1. Login to the Smart Dashboard.
  2. Click 'Gateways & Server > VPN Client > Office Mode' and search for "Office Mode Enable With Multiple Interfaces:"
  3. Select checkbox for "True".
    [screenshot: A1.JPG]
  4. Run the below command in expert mode to clear the users check table:

    [Expert@GW]# fw tab -t userc_users -x -y

KevinA
Participant

@Timothy_Hall/ @HeikoAnkenbrand,

Thank you both 🙂

The option was already selected.

Running fw tab -t userc_users -x -y got rid of that drop; however, I also see this message frequently:

Will you be able to point me in the right direction?

@;6684711;[cpu_0];[SIM-204585957];handle_vpn_encryption: ipsec_encrypt failed. Dropping packet... conn: <203.39.119.20,8443,172.16.10.2,59930,6>;
@;6684711;[cpu_0];[SIM-204585957];sim_pkt_send_drop_notification: (0,2) received drop, reason: Encryption Failed, conn: <203.39.119.20,8443,172.16.10.2,59930,6>;

Timothy_Hall
Champion

Looks like the source IP of this traffic got NATted inappropriately to 203.x.x.x, or the VPN user is trying to hit a publicly-routable NAT address inside the VPN tunnel.  They need to use the internal, non-NAT address.

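Added here as a worked example (not code from this thread or from Check Point), in Python: it parses the two fw ctl zdebug + drop line formats quoted above, counts drops per module and reason, and flags connections where the host an office mode client is talking to lies outside the VPN domain, which is the pattern Timothy_Hall's last reply points at. The /24 office mode pool is an assumption; the other addresses and the VPN domain 192.1.1.0/24 come from the thread.

```python
import ipaddress
import re
from collections import Counter

# From the thread: office mode client 172.16.10.2 (a /24 pool is an assumption)
# and the manually defined VPN domain 192.1.1.0/24.
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")
VPN_DOMAIN = ipaddress.ip_network("192.1.1.0/24")

# Constructed sample in the two 'fw ctl zdebug + drop' formats quoted in the thread.
SAMPLE_LOG = """\
@;6537067;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=17 172.16.10.2:56289 -> 192.1.1.5:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;
@;6537070;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=17 172.16.10.2:56290 -> 192.1.1.5:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;
@;6684711;[cpu_0];[SIM-204585957];handle_vpn_encryption: ipsec_encrypt failed. Dropping packet... conn: <203.39.119.20,8443,172.16.10.2,59930,6>;
@;6684711;[cpu_0];[SIM-204585957];sim_pkt_send_drop_notification: (0,2) received drop, reason: Encryption Failed, conn: <203.39.119.20,8443,172.16.10.2,59930,6>;
"""

# Kernel drop: "proto=P src:sport -> dst:dport dropped by MODULE Reason: R;"
FW_DROP = re.compile(r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) dropped by (?P<module>\S+) Reason: (?P<reason>[^;]+);")
# SecureXL drop notification: "reason: R, conn: <src,sport,dst,dport,proto>"
SIM_DROP = re.compile(r"sim_pkt_send_drop_notification: .*?reason: (?P<reason>[^,]+), conn: "
                      r"<(?P<src>[\d.]+),(?P<sport>\d+),(?P<dst>[\d.]+),(?P<dport>\d+),(?P<proto>\d+)>")

def parse_drop(line):
    """Fields of a kernel or SecureXL drop line as a dict, or None for any other line."""
    for regex, default_module in ((FW_DROP, None), (SIM_DROP, "securexl")):
        match = regex.search(line)
        if match:
            rec = match.groupdict()
            rec["module"] = rec.get("module") or default_module
            rec["reason"] = rec["reason"].strip()
            return rec
    return None

def summarize(log_text):
    """Count drops per (module, reason) and flag office mode peers outside the VPN domain."""
    counts, flagged = Counter(), []
    for rec in filter(None, map(parse_drop, log_text.splitlines())):
        counts[(rec["module"], rec["reason"])] += 1
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        # Whichever side is not the office mode client is the peer the tunnel must carry.
        peer = dst if src in OFFICE_MODE_POOL else src if dst in OFFICE_MODE_POOL else None
        if peer is not None and peer not in VPN_DOMAIN:
            flagged.append((str(peer), rec["reason"]))
    return counts, flagged
```

Feed it the output of fw ctl zdebug + drop: a pile of check_userc_tables drops points at the userc_users table fix above, while a flagged peer such as a public NAT address points at Timothy_Hall's NAT explanation.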