Maria_Pologova
Collaborator

ESP packets are sourced from wrong interface

Hello all!

My problem is that the actual Phase 1 and 2 tunnels are going with the right cluster IP address as source (1.1.1.1), and the VPN tunnel gets established. But the actual ESP packets get the source of another physical interface (eth2.517, 2.2.2.2), and traffic is not reaching the Azure network from the on-prem network.

I have a TAC case created, which is already the third case, but we are not getting anywhere. So maybe anyone has any idea what could be wrong.

 

Setup:
Check Point on-prem:
eth1 - 1.1.1.1 - DMZ VPN IP in Link Selection (the IP that is supposed )
eth2.517 - 2.2.2.2 - External IP looking towards ISP Provider

Fortigate in Azure:
3.3.3.3 - Fortigate External IP

SXL for this VPN is off.
1.1.1.1 is also configured as the outgoing source IP address.
The current route towards the Fortigate in Azure points to the gateway of interface eth2.517 (2.2.2.3).
Tried to add a route via interface eth1, but it didn't make a difference.

 

tcpdump:
11:00:26.728559 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:27.064264 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.064266 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.064267 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.080591 IP 3.3.3.3.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]
11:00:28.749675 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:28.749677 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:28.749677 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:33.389009 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:33.389011 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:33.389011 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:36.680128 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:38.406597 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:38.406598 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:38.406599 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:43.403640 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:43.403641 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:43.403642 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:46.631720 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:48.395170 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104
11:00:48.395171 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104
11:00:48.395172 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104

fw monitor:
[vs_0][fw_0] bond12.517:i9 (tcpt inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i10 (IP Options Strip (in))[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i11 (vpn multik forward in)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i12 (vpn decrypt)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i13 (l2tp inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i14 (Stateless verifications (in))[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i15 (fw multik misc proto forwarding)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i16 (vpn tagging inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i17 (vpn decrypt verify)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i18 (fw VM inbound )[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I19 (vpn policy inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I20 (fw SCV inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I21 (vpn before offload)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I22 (fw offload inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I23 (fw post VM inbound )[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I24 (fw accounting inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I25 (RTM packet in)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I26 (passive streaming (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I27 (TCP streaming (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I28 (IP Options Restore (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I29 (Cluster Late Correction)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I30 (Chain End)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=34433
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=19101
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=64551
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=52696
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=59551
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=16177
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=35105

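To confirm the symptom from a capture rather than by eye, here is an added check (not from the post and not Check Point code) that parses tcpdump lines like the ones above and reports any peer whose outbound ESP is sent from a different local address than its IKE/NAT-T traffic. The sample capture and the set of local addresses are constructed from the post's own values.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the tcpdump output in the post above.
SAMPLE_CAPTURE = """\
11:00:26.728559 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:27.064264 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.080591 IP 3.3.3.3.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]
11:00:28.749675 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:33.389009 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
"""

# One tcpdump line: "<ts> IP <src>.<port> > <dst>.<port>: <payload description>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+: (?P<rest>.*)$"
)
SPI_RE = re.compile(r"spi=(0x[0-9a-fA-F]+)")


def parse_capture(text):
    """Yield (src, dst, kind, spi) for every IKE/NAT-T or ESP line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if "ESP(" in rest:                 # UDP-encapsulated ESP data packet
            spi = SPI_RE.search(rest)
            yield m["src"], m["dst"], "esp", spi.group(1) if spi else None
        elif "isakmp" in rest:             # IKE negotiation or NAT-T keep-alive
            yield m["src"], m["dst"], "ike", None


def outbound_sources(text, local_ips):
    """Per remote peer: which local IPs sourced IKE vs. ESP traffic towards it."""
    peers = defaultdict(lambda: {"ike": set(), "esp": set(), "spis": set()})
    for src, dst, kind, spi in parse_capture(text):
        if src not in local_ips:           # inbound packet, not our sourcing decision
            continue
        entry = peers[dst]
        entry[kind].add(src)
        if spi:
            entry["spis"].add(spi)
    return dict(peers)


def find_source_mismatches(text, local_ips):
    """Peers whose ESP is not sent from exactly the address used for IKE.

    With working link selection both sets are identical; a difference is the
    symptom in the post (IKE from 1.1.1.1, ESP from 2.2.2.2)."""
    return {peer: info for peer, info in outbound_sources(text, local_ips).items()
            if info["esp"] and info["esp"] != info["ike"]}
```

Feed it the full capture (`tcpdump -nni any udp port 4500`) and the gateway's own addresses; an empty result means every peer's ESP leaves from the same address that negotiated the tunnel.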
8 Replies
Chris_Atkinson
Employee

Which version/jumbo is the gateway?

sk165003 might be relevant here.

Maria_Pologova
Collaborator

This brings me hope 🙂

We are on 80.20 Take 183, and I found these messages in vpnd.elg as well:
[vpnd 16556 4093212576]@CP_GW[9 Dec 13:08:21][ikev2] ikeSimpOrder::getMyIpAddr: Not found, will use first external interface.

We'll wait for the general take and upgrade; I will update the thread after. Thanks, Chris!

 

 

Maarten_Sjouw
Champion

In Link Selection, did you also configure the Source IP settings to manual and select the same IP 1.1.1.1?

Regards, Maarten
Maria_Pologova
Collaborator

Yes, I did.

JozkoMrkvicka
Leader

Is eth1 marked as External in Topology?

Kind regards,
Jozko Mrkvicka
Maria_Pologova
Collaborator

No, it isn't. This interface is defined as DMZ (Internal). Do you think this might influence such behavior? Interestingly enough, ~30 other VPNs are working without problems.

JozkoMrkvicka
Leader

If something is working fine, it shouldn't be the case. Does only this one Fortigate have the issue? No other Fortigates? Can't it be something related to routing? Or isn't the affected Fortigate part of some encryption domain?

Kind regards,
Jozko Mrkvicka
Maria_Pologova
Collaborator

Just found that with IKEv1 there is no such problem. So apparently sk165003 is relevant here indeed.
