This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lukas_Nagy
Participant
‎2018-04-27 06:37 AM

ICMP is sometimes drop when send via IPSec Tunnel

Hello,

I've encountered issue when sending ICMP ping to between hosts when sending through Site-to-site IPSec tunnel. Pings works for 5 minutes and then it stop working for few minutes.

Here is the output of fw zdebug drop when pings stop working:

;[cpu_1];[fw4_0];fw_log_drop_conn: Packet <dir 1, x.x.x.x:1285 -> y.y.y.y:0 IPP 1>, dropped by do_outbound, Reason: encryption failed;

Other traffic like SSH, VMWare VDP backups works without any issue.

I couldn't find any Secure knowledge regarding this issue, any pointers for further analysis?

Thank you.

6 Replies
Ni_c
Contributor
‎2018-04-27 08:29 AM

What and all services are being allowed through the tunnel in the rule base. If any services are allowed that doesn't include ICMP generally, make sure you are allowing ICMP explicitly in the rule. welcome to correct me if I am wrong. 

0 Kudos
Lukas_Nagy
Participant
‎2018-04-30 06:57 AM
In response to Ni_c

Hello,

We allow ICMP explicitedly in rule base. We did some further debugging and found out that we see drop only in replies on echo-request. However these drops happens only when SecureXL is enabled (fwaccel on) and when we disabled SecureXL we haven't encountered any drops. I am suprised that this affected that, I though that ICMP traffic is always going via Firewall path? Correct me if I am wrong.

So when we have Client ---- > Check Point 750 -----> IPSec Tunnel -----> Check Point R80.10 vSec ----> Server

ICMP request gets on the server but the reply is dropped on Check Point R80.10 vSec (with SecureXL enabled)

Here are some command outputs:

[Expert@chpk01:0]# fwaccel stats -d
Reason                Value              Reason                Value
--------------------  ---------------    --------------------  ---------------
general reason                      0    PXL decision                        0
fragment error                      0    hl - spoof viol                     0
F2F not allowed                     0    hl - TCP viol                       0
corrupted packet                    0    hl - new conn                       0
clr pkt on vpn                      0    partial conn                        0
encrypt failed                     37    drop template                       0
decrypt failed                      0    outb - no conn                      2
interface down                      0    cluster error                       0
XMT error                           0    template quota                      0
anti spoofing                       0    Attack mitigation                   0
local spoofing                      0    sanity error                        0
monitored spoofed                   0    QXL decision                        0
[Expert@chpk01:0]#

And here are overall percentages of SecureXL usage (only Medium Path + Firewall path is used)

[Expert@chpk01:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/68 (0%)
Accelerated pkts/Total pkts   : 0/8188 (0%)
F2Fed pkts/Total pkts   : 1809/8188 (22%)
PXL pkts/Total pkts   : 6379/8188 (77%)
QXL pkts/Total pkts   : 0/8188 (0%)
[Expert@chpk01:0]#

0 Kudos
Ni_c
Contributor
‎2018-04-30 10:44 AM
In response to Lukas_Nagy

BTW, I never worked with site-site vpn's on checkpoint 700 appliance. But it is not true that ICMP traffic goes through the firewall path. refer this SecureXL and ICMP. and going back to the issue. please refer this Tunnel is up and ICMP packets are sent encrypted but no response received  looks close to the problem mentioned in here.  

Lukas_Nagy
Participant
‎2018-05-02 12:18 AM
In response to Ni_c

Thanks for interesting SK Ni c‌ this might be the cause of the issue - we will try it out during maintanence window together with Tim Halls advice.

Timothy_Hall
Legend Legend
Legend
‎2018-05-01 07:05 PM
In response to Lukas_Nagy

To further diagnose if the VPN acceleration by SecureXL is the issue, on the firewall execute sim vpn off; fwaccel off; fwaccel on.  Doing so will disable the VPN acceleration portion of SecureXL but leave the rest of SecureXL enabled, try retesting your ping issue after doing so.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Sander_Zumbrink
Contributor
‎2018-10-18 12:12 AM

Hello,

Did this resolve the issue? Or did you do something else?

We have the same issue, but don't have a resolution yet.

The ticket with support doesn't have a solution yet.

We've updated to the latest Jumbo Hotfix, but didn't help.

The command Timothy suggested with "sim vpn off; fwaccel off; fwaccel on" caused downtime on a lot of tunnels.

Kind Regards,

Sander Zumbrink

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events