MaheshCheck
Explorer

IKEv2 Phase 2 is not coming up

Can anyone help me to resolve the issue?

IKEv2 Phase 2 is not coming up, and the configuration seems to be fine from both sides.

Version: R81.20


35 Replies
AkosBakos
Leader

Hi @MaheshCheck

Every one of us has been in similar situations. Please provide more info about the issue.

I suppose this is a S2S VPN connection.

What is the GW version and Jumbo take?

Until then, try the following:

  • reset the tunnel on both sides
  • check the ENC_DOMs on both sides; maybe, e.g., somewhere the netmask is wrong

And check this SK: https://support.checkpoint.com/results/sk/sk60318

Akos

----------------
\m/_(>_<)_\m/
MaheshCheck
Explorer

Yes, it's a S2S VPN.

Firewall version is R81.20 Jumbo Hotfix Take 84.

When we select a single host, the tunnel comes up; however, whenever we select a network, the tunnel does not come up.

We have checked the configuration from both sides and all network details are correct.

  • reset the tunnel on both sides - tried but not working
the_rock
Legend

We need way more info in order to help properly.

First of all, what is the other side? Do the enc settings match? Route or domain based? Star or mesh? How is the tunnel mgmt option configured? IKEv1 or IKEv2?

Any logs indicating the failure?

Andy

MaheshCheck
Explorer

Domain based, Star, IKEv2

Cisco is the peer.

the_rock
Legend

If it's a combo of hosts/subnets, then please try "per gateway".

If that fails, run a simple vpn debug:

vpn debug trunc

vpn debug ikeon

- generate traffic

vpn debug ikeoff

fw ctl debug 0

Get the ike* and vpnd* files from the $FWDIR/log dir.

Message me directly, we can do remote, I'm confident I can help you.

Andy

MaheshCheck
Explorer

There are so many IKE files, so which one do I have to take?

Attached screenshot for reference.

the_rock
Legend

I would review whatever is today's date. Honestly, I feel your best bet is to call TAC and do a remote session; I'm sure they would be able to figure it out quickly. It's not so easy to tell based on these screenshots.

Andy

the_rock
Legend

Hey Mahesh,

I'm sure you are sleeping as I'm writing this, but in case the tunnel still does not work when the Cisco side checks, they can use the simple commands below to do a debug, and it's very light. This is what a guy I used to work with, who worked for Cisco TAC, gave me once.

Hope it helps (if needed).

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs -> undebug all

MaheshCheck
Explorer

Thanks Andy. I have shared the above output with the vendor and will let you know the results once I hear back from them.

the_rock
Legend

Sounds good, I feel good about the outcome... fingers crossed!

Andy

MaheshCheck
Explorer

Hi Andy,

The tunnel is not coming up. I took the debug output from the Cisco vendor and also attached the tunnel details.

Could you please look into the debug output? Is Cisco sending the wrong proposal? Please suggest.

Attached files

the_rock
Legend

That's a bummer :-(. Oh well, let's see what we can do. I will review soon.

Andy

the_rock
Legend

Okay, can you make sure it shows IKEv2 as per my screenshot below? Also, the debug shows crypto map errors, which, as far as my knowledge of Cisco goes, literally means the Phase 2 VPN domain proposals are NOT matching, so can you ask them to verify 100% that they have the right VPN domain for your side?

Andy

IKEv2-PROTO-4: (44926): Processing IKE_AUTH message
IKEv2-TIMER: Created an IKEv2 timer of type External service timeout
IKEv2-TIMER: Set an IKEv2 timer of type External service timeout for 25 seconds with 0 jitter
IKEv2-PLAT-4: (44926): Crypto Map: No proxy match on map Outside_map seq 1
IKEv2-TIMER: Destroy an IKEv2 timer of type External service timeout
IKEv2-PROTO-7: (44926): Failed to verify the proposed policies
IKEv2-PROTO-2: (44926): There was no IPSEC policy found for received TS


Screenshot_1.png


the_rock
Legend

Something else I thought of... so say the external peer is 1.2.3.4 (just for the sake of the commands I want you to run on the CP end). Please run the below when you try to communicate with something on their end (run the commands from expert mode on the active fw; check which one is active by running cphaprob roles):

tcpdump -enni any host 1.2.3.4 and proto 50

fw ctl zdebug + drop | grep 1.2.3.4

fw ctl debug 0 (to turn off all debugs)

Andy

MaheshCheck
Explorer

Hi Andy,

Thanks for supporting me.

I have attached the requested logs.

the_rock
Legend

This 100% tells me the enc domains are NOT matching, so please confirm it again and ask them to verify their Cisco side for YOUR enc domain to make sure it is correct.

Andy


[Expert@checkpointfw01:0]# fw ctl zdebug + drop | grep 172.20.138.198
@;1274658776.23010;[kern];[tid_16];[SIM4];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3), conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23011;[kern];[tid_16];[SIM4];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23012;[kern];[tid_16];[SIM4];sim_pkt_send_drop_notification: (0,0) received drop, reason: Encryption Failed (5), conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23013;[kern];[tid_16];[SIM4];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <10.10.20.121,50629,172.20.138.198,80,6>;


bandicam 2024-12-20 07-40-44-725.mp4
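
An added example (not from the thread's participants or either vendor) that parses the Cisco IKEv2 debug and the Check Point zdebug drop lines quoted above and correlates them into a Phase 2 diagnosis; the sample lines are the ones posted in this thread, and the message-to-meaning table is an assumption.

```python
"""Parse the Cisco IKEv2 debug and the Check Point 'fw ctl zdebug + drop' lines
posted in this thread and correlate them into a Phase 2 diagnosis. Added example,
not vendor code; sample lines are copied from the thread, the message-to-meaning
table is an assumption."""
import re

CISCO_RE = re.compile(r"^IKEv2-(?P<comp>[A-Z]+)(?:-(?P<lvl>\d+))?:\s*(?:\((?P<sess>\d+)\):\s*)?(?P<msg>.*)$")
ZDEBUG_RE = re.compile(r"^@;(?P<ts>[\d.]+);\[kern\];\[(?P<tid>\w+)\];\[(?P<mod>\w+)\];(?P<msg>.*?),?\s*"
                       r"conn: <(?P<src>[\d.]+),(?P<sport>\d+),(?P<dst>[\d.]+),(?P<dport>\d+),(?P<proto>\d+)>;$")

# Message fragments seen in the thread and what each indicates (assumed mapping).
SIGNATURES = {
    "No proxy match on map": "phase2_ts_mismatch",          # peer ACL does not cover proposed TS
    "no IPSEC policy found for received TS": "phase2_ts_mismatch",
    "failed to find SA": "no_ipsec_sa",                     # no Child SA, so nothing to encrypt with
}

CISCO_SAMPLE = [  # copied from the thread
    "IKEv2-PROTO-4: (44926): Processing IKE_AUTH message",
    "IKEv2-PLAT-4: (44926): Crypto Map: No proxy match on map Outside_map seq 1",
    "IKEv2-PROTO-2: (44926): There was no IPSEC policy found for received TS",
]
ZDEBUG_SAMPLE = [  # copied from the thread
    "@;1274658776.23011;[kern];[tid_16];[SIM4];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <10.10.20.121,50629,172.20.138.198,80,6>;",
]

def parse_cisco(lines):
    """Dicts for lines of the form 'IKEv2-<comp>[-<lvl>]: [(<session>): ]<msg>'; others skipped."""
    return [{"component": m["comp"], "session": m["sess"], "msg": m["msg"]}
            for m in map(CISCO_RE.match, (ln.strip() for ln in lines)) if m]

def parse_zdebug(lines):
    """Dicts for zdebug drop lines; conn is reduced to (src, dst, dport, proto)."""
    return [{"module": m["mod"], "msg": m["msg"],
             "conn": (m["src"], m["dst"], int(m["dport"]), int(m["proto"]))}
            for m in map(ZDEBUG_RE.match, (ln.strip() for ln in lines)) if m]

def classify(msg):
    return next((code for frag, code in SIGNATURES.items() if frag in msg), None)

def diagnose(cisco_lines, zdebug_lines):
    """Correlate both sides: IKE sessions whose TS the peer rejected, and the flows
    later dropped because no IPsec SA was ever built for them."""
    cisco, zdebug = parse_cisco(cisco_lines), parse_zdebug(zdebug_lines)
    return {
        "findings": sorted({classify(e["msg"]) for e in cisco + zdebug} - {None}),
        "sessions": sorted({e["session"] for e in cisco if e["session"] and classify(e["msg"])}),
        "connections": sorted({e["conn"] for e in zdebug}),
    }
```

Feed it the full ike/vpnd debug output and the grep'd zdebug lines to get the rejected IKE session ids and the exact 5-tuples that never got an SA, which is the list to check against both encryption domains.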
MaheshCheck
Explorer

Hi Andy,

Thank you for your response.

Could you please guide me on how to check what proposal Check Point is sending? Additionally, where can I locate that file, and how can I view it using the IKEView tool?

the_rock
Legend

You can download IKEView from below.

https://support.checkpoint.com/results/sk/sk30994

To check the proposals, you can see them in the SmartConsole community object.

Andy

bandicam 2024-12-20 07-49-01-813.mp4

the_rock
Legend

I would also use the commands from the video below (what I showed you on Zoom the other day). Those can be super useful as well in troubleshooting the tunnel.

Andy

bandicam 2024-12-20 08-14-44-559.mp4

the_rock
Legend

Hey Mahesh,

Forgot to mention before: when you download the debug files from the $FWDIR/log dir, see if there is an IKE trace file; that one would give you lots of details if you "dump" it into the IKEView utility.

Andy

MaheshCheck
Explorer

Thanks Andy, I am unable to locate this file $FWDIR/log/ikev2.xml in /var/log/opt/CPsuite-R81.20/fw1/log/, so could you please help me?

CaseyB
Advisor

Sorry for jumping in so late on this. It does appear to be a mismatch from what I am picking up.

Based on previous replies, are you still using the tunnel sharing mode of "gateway" on the Check Point side? If so, does the Cisco side know you are sending a 0.0.0.0/0 IKE ID?

My recommendation would be to use a custom VPN Domain on the Check Point side and go back to the tunnel sharing mode of "subnet". Just build a new network group object and add the following items as networks:

10.20.0.0/20
10.12.0.0/21
10.10.20.121/32

As long as Cisco has those 3 subnets defined as "interesting traffic" on their side, it should be fine.

the_rock
Legend

Hey @CaseyB

When Mahesh and I did a Zoom remote, he advised me this was a combo of subnets/hosts, so that's why I suggested "per gateway", but they did also try per subnet and it failed.

I am fairly positive at this point that something with the VPN domains is not matching, hence the reason why this does not work.

Andy

CaseyB
Advisor

The "per gateway" is the Check Point way to go for a mix of network and host objects, agreed, but then Check Point sends 0.0.0.0/0, so the other side would have to know to update to that as well. For Cisco, I'm not sure what that configuration looks like.

I did see the per subnet option was not working, but was that using the global encryption domain? If so, how were the networks defined within that? Hopefully they matched how the workbook was filled out.

I still think for any IPsec VPN your best bet is to use granular encryption domains for every tunnel.

The Cisco debug shows that if anything was going to work at that time, it would have been the 10.10.20.121/32.

Cisco_TS.png
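
The traffic-selector mismatch CaseyB and Andy are circling, as an added example (not Check Point or Cisco code) that models what each tunnel sharing mode proposes and whether a crypto-map style ACL would accept it. The three subnets are the ones CaseyB listed; the Cisco-side network 172.20.138.0/24, the ACLs and the "proposal must fit inside one ACL entry" rule are constructed assumptions.

```python
"""Model of the Phase 2 traffic-selector (proxy ID) check this thread keeps
coming back to: what Check Point proposes under each tunnel sharing mode and
whether a Cisco-style crypto-map ACL accepts it. Added example, not vendor code.
The three subnets are CaseyB's; the peer network, the ACL and the matching rule
are constructed assumptions."""
from ipaddress import IPv4Address, IPv4Network

# Check Point VPN domain: the network group CaseyB recommended (from the thread).
CP_VPN_DOMAIN = [IPv4Network("10.20.0.0/20"), IPv4Network("10.12.0.0/21"),
                 IPv4Network("10.10.20.121/32")]
PEER_DOMAIN = IPv4Network("172.20.138.0/24")  # constructed: Cisco-side encryption domain
# Constructed Cisco "interesting traffic" ACL as (local, remote) pairs mirroring CP_VPN_DOMAIN,
# plus a second ACL with the netmask error Akos mentioned (/24 where Check Point has /20).
CISCO_ACL = [(PEER_DOMAIN, net) for net in CP_VPN_DOMAIN]
CISCO_ACL_WRONG_MASK = [(PEER_DOMAIN, IPv4Network("10.20.0.0/24"))]


def cp_traffic_selectors(tunnel_sharing, src_ip, dst_ip):
    """Return the (TSi, TSr) pair Check Point proposes for one connection.
    'gateway': one SA for everything, proposed as 0.0.0.0/0 (as CaseyB describes);
    'subnet': the VPN-domain entry containing the source plus the peer's domain;
    'host': a /32 pair, the case the thread reports as working."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    if tunnel_sharing == "gateway":
        return IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0")
    if tunnel_sharing == "host":
        return IPv4Network(f"{src}/32"), IPv4Network(f"{dst}/32")
    local = next((net for net in CP_VPN_DOMAIN if src in net), None)
    if local is None or dst not in PEER_DOMAIN:
        raise ValueError(f"{src}->{dst} is outside the configured encryption domains")
    return local, PEER_DOMAIN


def crypto_map_accepts(tsi, tsr, acl=CISCO_ACL):
    """Assumed responder rule behind 'No proxy match on map': the proposal must fit
    inside one ACL entry; a wider proposal such as 0.0.0.0/0 is not narrowed."""
    return any(tsi.subnet_of(remote) and tsr.subnet_of(local) for local, remote in acl)


def phase2_outcome(tunnel_sharing, src_ip, dst_ip, acl=CISCO_ACL):
    """Summarise one Phase 2 attempt: what was proposed and whether the peer took it."""
    tsi, tsr = cp_traffic_selectors(tunnel_sharing, src_ip, dst_ip)
    return {"TSi": str(tsi), "TSr": str(tsr), "accepted": crypto_map_accepts(tsi, tsr, acl)}


if __name__ == "__main__":
    for mode in ("host", "subnet", "gateway"):
        print(mode, phase2_outcome(mode, "10.10.20.121", "172.20.138.198"))
    print("wrong mask", phase2_outcome("subnet", "10.20.5.7", "172.20.138.198", CISCO_ACL_WRONG_MASK))
```

Under this model the /32 and matching per-subnet proposals are accepted, while the per-gateway 0.0.0.0/0 proposal and a wrong-netmask ACL both produce the "No proxy match" outcome the Cisco debug shows.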


the_rock
Legend

That's true, but I think the only way for us to know for sure would be to see what their config looks like.

Andy

MaheshCheck
Explorer

Thanks for supporting me @CaseyB

We have already configured a network group object and mentioned it in the VPN domain; however, we are facing the same issue.

I have attached screenshots from the Cisco & Check Point side for reference.

the_rock
Legend

Very odd, everything looks right from their end...

the_rock
Legend

Also, if you think it would help, I'm more than happy to explain this to them, because I'm 99.99% sure that's the issue why the tunnel is not working.

Andy
