Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections table

Our security gateway sometimes drops packets from IPSec tunnel. The workaround is usually to reinstall policy and the issue will be fixed for a few days.

By using the "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)".

But in the kernel debug, it looks like it cannot find the connection in the connections table.

Has anyone encountered a similar issue and found a solution? Thanks in advance!

 

;20Jun2019  3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table; 

;20Jun2019  3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0); 

....

;20Jun2019  3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn

10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> 

 

not found in connections table; 

.....

;20Jun2019  3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn

172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> 

 

not found in connections table; 

;20Jun2019  3:30:27.466282;[cpu_1];[fw4_2]; 

  

vpnk_conn_log: in the kernel  - calling fwchainlog_delayed_rulebase_log with alert -1 ; 

;20Jun2019  3:30:27.466284;[cpu_1];[fw4_2]; 

action = 0  

schemename = IKE  

user =  

methods = ESP: AES-256 + SHA384 + PFS (group 2)  

fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)  

xpo_loghandle = 0 

community_loghandle = 0 

  

8 Replies
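Kernel debug output like the excerpt above is tedious to read by hand, especially for a drop that recurs only every couple of weeks. The script below is an added example written for this thread; it is not code from Check Point or from any poster here. It folds the multi-line debug records back together (a record starts with the ";timestamp;[cpu];[instance];" prefix, everything until the next prefix is a continuation) and tallies the three symptoms visible in the post: connection-table misses, with the connection key where one is printed; cross-instance forwards reported by forward_if_not_mine; and fail_reason fields carrying a VPN error code. The embedded sample is constructed from the lines quoted above with the long zero runs shortened; pass the path of a saved debug file as the first argument to run it on real output.

```python
import re
import sys
from collections import Counter

# Constructed sample, modelled on the kernel debug lines quoted in the post.
# Timestamps, instance names and addresses are copied from the post; the long
# zero runs inside the connection keys are shortened to "..." for readability.
SAMPLE_DEBUG = """\
;20Jun2019  3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019  3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019  3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn
10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,...>
not found in connections table;
.....
;20Jun2019  3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn
172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,...>
not found in connections table;
;20Jun2019  3:30:27.466282;[cpu_1];[fw4_2];
vpnk_conn_log: in the kernel  - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019  3:30:27.466284;[cpu_1];[fw4_2];
action = 0
schemename = IKE
user =
methods = ESP: AES-256 + SHA384 + PFS (group 2)
fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)
xpo_loghandle = 0
community_loghandle = 0
"""

# A record header is ";<timestamp>;[cpu_N];[fw4_N];<rest>". Lines without that
# prefix (multi-line conn keys, the key = value log fields) continue the record.
HEADER_RE = re.compile(r"^;([^;]+);\[([^\]]+)\];\[([^\]]+)\];(.*)$")
# Only the leading "ip:port" of the conn key is interpreted; the remaining
# comma-separated fields are left as printed by the gateway.
CONN_KEY_RE = re.compile(r"\bconn\s+(\d{1,3}(?:\.\d{1,3}){3}:\d+)")
SA_FAIL_RE = re.compile(r"fail_reason\s*=\s*(.*?)\s*\(VPN Error code (\d+)\)")


def iter_records(text):
    """Yield [timestamp, cpu, instance, body] with continuation lines folded in."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:   # skip blanks and "...." separators
            continue
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield current
            ts, cpu, inst, rest = m.groups()
            current = [ts.strip(), cpu, inst, rest.strip()]
        elif current:
            current[3] = (current[3] + " " + line).strip()
    if current:
        yield current


def summarize(text):
    """Count the symptoms from the post: connection-table misses, cross-instance
    forwards, and SA resolution failures, plus how many records each fw instance emitted."""
    summary = {"lookup_misses": [], "forwards": 0, "sa_failures": [], "instances": Counter()}
    for ts, cpu, inst, body in iter_records(text):
        summary["instances"][inst] += 1
        if "not found in connections table" in body:
            key = CONN_KEY_RE.search(body)
            summary["lookup_misses"].append((ts, inst, key.group(1) if key else None))
        if "forward_if_not_mine" in body and "forwarded to another instance" in body:
            summary["forwards"] += 1
        sa = SA_FAIL_RE.search(body)
        if sa:
            summary["sa_failures"].append((ts, inst, sa.group(2), sa.group(1)))
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    s = summarize(text)
    print("connection-table misses: %d" % len(s["lookup_misses"]))
    for ts, inst, key in s["lookup_misses"]:
        print("  %s %s conn=%s" % (ts, inst, key))
    print("cross-instance forwards: %d" % s["forwards"])
    for ts, inst, code, reason in s["sa_failures"]:
        print("SA failure %s %s code=%s %s" % (ts, inst, code, reason))
    print("records per instance: %s" % dict(s["instances"]))
```

The script uses only the standard library and avoids newer syntax, so it can be run on an analyst workstation with either Python 2 or 3; the interesting signal for this thread is a connection-table miss immediately followed by a forward to another CoreXL instance and then an "SA (VPN Error code 01)" failure on the same instance, which is exactly the sequence the post's excerpt shows.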
Admin

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Have you opened a TAC case on this by chance?

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Yes, I have opened several cases for this issue in the past. The last one I opened is SR# 6-0001657403. Solutions provided included installing Jumbo Takes, adjusting IKE connections and others. But none of these solved the issue. When the issue happens, the pepd process runs with high CPU usage. I am not sure which one is the cause and which is the effect.
Ryan_Ryan
Copper

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Did you ever get a solution to this? We have the exact same problem on R80.20.

Followed sk122532, which did not solve it.

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Assuming you have at least Jumbo HFA 47 installed, try disabling SecureXL acceleration for VPN with the vpn accel off command. Note that doing so will cause a disruption of all current VPN tunnels; read sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above thoroughly before doing anything.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Ryan_Ryan
Copper

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Thanks, yes, we are on JHF 47.

I will give this a try; unfortunately it is a bit difficult to test if it was successful, as we have the issue happen only once every 2 weeks or so. I like doing it on a per-peer basis, as only 2 route-based VPNs are affected, whereas my dozen policy-based VPNs have never had a hitch in years.
Ryan_Ryan
Copper

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Hi Timothy,

Unfortunately turning VPN accel off has not solved the issue. I performed that change for two peer IPs last week, but we had another reoccurrence of the issue after that.

TAC has not been able to assist; they just told me to try my luck with the latest Jumbo (I will patch the gateways so they continue to investigate).

I have a debug taken from when the issue occurred if you are interested in taking a look.

One new message I hadn't noticed before was this:

dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface.;

That is showing for every session.

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Is this a route-based VPN using VTIs? If so, check this out:

sk119143: "encryption fail reason: Cannot change dynamic vpn interface - new interface not accepted ...

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Ryan_Ryan
Copper

Re: Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections tab

Hello, yes, it's route-based with VTIs (static routing only though).

Interestingly, I did have to delete and re-create the interfaces for a separate reason (and did the JHF 91) and have not had a reoccurrence of the issue... so far 🙂