This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Debon27
Explorer
‎2021-06-29 02:10 PM

IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Hi, we are facing a weird issue with one of out gateways trying to connect to a third party device. The tunnel was working fine until it went down and now it is not even possible to establish phase1. I am seeing the following in the vpn.elg file:

[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 181.4.26.12 returned obj: 0x9ba1ad0
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] GetEntryCommunityHashX: received ipaddr: 12.26.4.181 as key, found community: S2S_3Party
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] FindCommonCommunity: Found common community (IPv4 addr=12.26.4.181) (S2S_3Party) for GW_remote
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] --> CCplogUtils::FillVarArg
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: IKEv2
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: Initial exchange: Exchange failed: timeout reached.

In tcpdump I can see that the IKE negotiation is stuck in IKE_SA_INIT phase, but I can see Initiator Request and Responder Response messages every time, but negotiation fails. Any idea about what could be happening? Thanks. 

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-07-01 02:58 PM

Maybe fw ctl zdebug drop | grep x.y.z.w will tell you if the packet is actually getting dropped for some reason?

0 Kudos
Debon27
Explorer
‎2021-07-06 01:38 AM
In response to PhoneBoy

Thank you, going to do that if the tunnel goes down again. It is UP now and working for some days for some reason.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-07-01 07:26 PM

Im pretty sure I know answer to this, but what is the 3rd party you are referring to?

Best,
Andy
Timothy_Hall
MVP Gold
MVP Gold
‎2021-07-02 06:33 AM
In response to the_rock

My thoughts exactly, the remote device is not a Cisco and is probably a Juniper/Fortinet/Sonicwall which will silently discard any  subnet/Proxy-IDs proposals it doesn't like.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2021-07-02 07:01 AM
In response to Timothy_Hall

I was more thinking one of the cloud providers actually.

Best,
Andy
0 Kudos
Debon27
Explorer
‎2021-07-06 01:58 AM
In response to the_rock

It looked more like an issue from Check Point side, because I was seeing incoming Responder Response packets from the cloud provider, and the Check Point was showing messages related to timeout and invalid incomming message. 

Anyway, the tunnel has been up since some days ago and I have opened a case to TAC. 

Thanks everyone for your help and messages.

0 Kudos
Debon27
Explorer
‎2021-07-06 01:52 AM
In response to the_rock

3rd party is a cloud provider and using an unknown device based on Linux.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events