Debon27
Explorer

IPSEC VPN Stuck in IKE_SA_INIT (IKEv2)

Hi, we are facing a weird issue with one of our gateways trying to connect to a third-party device. The tunnel was working fine until it went down, and now it is not even possible to establish phase 1. I am seeing the following in the vpn.elg file:

[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 181.4.26.12 returned obj: 0x9ba1ad0
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] GetEntryCommunityHashX: received ipaddr: 12.26.4.181 as key, found community: S2S_3Party
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] FindCommonCommunity: Found common community (IPv4 addr=12.26.4.181) (S2S_3Party) for GW_remote
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] --> CCplogUtils::FillVarArg
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str:
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: IKEv2
[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: Initial exchange: Exchange failed: timeout reached.

In tcpdump I can see that the IKE negotiation is stuck in the IKE_SA_INIT phase; I can see Initiator Request and Responder Response messages every time, but the negotiation fails. Any idea about what could be happening? Thanks.


0 Kudos
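As an added triage helper (not code from the thread or from Check Point): a Python parser for the vpnd log-line shape quoted above, which ties each "Exchange failed" message to the last community lookup logged before it. The line format is assumed from the quoted lines only; other vpn.elg line shapes are simply skipped.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Shape of the vpnd lines quoted in the post (assumed from those lines only):
# [vpnd <pid> <tid>]@<gateway>[<dd Mon hh:mm:ss>][<optional tag>] <message>
LINE_RE = re.compile(
    r"^\[vpnd (?P<pid>\d+) (?P<tid>\d+)\]@(?P<gw>[^\[\s]+)"
    r"\[(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2})\]"
    r"(?:\[(?P<tag>[A-Z]+)\])?\s*(?P<msg>.*)$"
)
# The community lookup line carries the peer address and the community name.
COMMUNITY_RE = re.compile(
    r"received ipaddr: (?P<ip>[\d.]+) as key, found community: (?P<community>\S+)"
)
# The CPLOG line that reports the outcome of the IKE exchange.
FAIL_RE = re.compile(r"Exchange failed: (?P<reason>.+?)\.?$")


def parse_line(line: str) -> Optional[dict]:
    """Split one vpnd line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_exchange_failures(lines: Iterable[str]) -> Counter:
    """Attribute each 'Exchange failed' message to the most recent community
    lookup logged before it; counts are keyed by (peer_ip, community, reason)."""
    current_peer = None
    failures: Counter = Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        cm = COMMUNITY_RE.search(ev["msg"])
        if cm:
            current_peer = (cm["ip"], cm["community"])
            continue
        fm = FAIL_RE.search(ev["msg"])
        if fm and current_peer is not None:
            failures[(*current_peer, fm["reason"])] += 1
    return failures


# Sample input: three lines quoted in the post, plus one constructed retry 30 s later.
SAMPLE_LINES = [
    "[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57] GetEntryCommunityHashX: received ipaddr: 12.26.4.181 as key, found community: S2S_3Party",
    "[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: IKEv2",
    "[vpnd 6209 4092888992]@GW1[29 Jun 22:28:57][CPLOG] CCplogUtils::FillVarArg: str: Initial exchange: Exchange failed: timeout reached.",
    "[vpnd 6209 4092888992]@GW1[29 Jun 22:29:27][CPLOG] CCplogUtils::FillVarArg: str: Initial exchange: Exchange failed: timeout reached.",
]
```

Feeding a whole vpn.elg through `summarize_exchange_failures` shows at a glance which peer and community keep failing and with what reason, which is the first thing to pin down before raising the case with TAC.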
7 Replies
PhoneBoy
Admin

Maybe fw ctl zdebug drop | grep x.y.z.w will tell you if the packet is actually getting dropped for some reason?

0 Kudos
Debon27
Explorer

Thank you, going to do that if the tunnel goes down again. It is UP now and working for some days for some reason.

0 Kudos
the_rock
Authority

I'm pretty sure I know the answer to this, but what is the 3rd party you are referring to?

Timothy_Hall
Champion

My thoughts exactly, the remote device is not a Cisco and is probably a Juniper/Fortinet/Sonicwall, which will silently discard any subnet/Proxy-ID proposals it doesn't like.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
the_rock
Authority

I was more thinking one of the cloud providers actually.

0 Kudos
Debon27
Explorer

It looked more like an issue from the Check Point side, because I was seeing incoming Responder Response packets from the cloud provider, and the Check Point was showing messages related to timeout and invalid incoming message.

Anyway, the tunnel has been up for some days now and I have opened a case with TAC.

Thanks everyone for your help and messages.

0 Kudos
Debon27
Explorer

3rd party is a cloud provider and using an unknown device based on Linux.

0 Kudos