R80.20 Ipsec VPN issues

Hi,

 

After upgrading to R80.20 on multiple gateways, we started having issues with a lot of VPNs that were running without problems on R80.10.

 

Case 1: VPN with a partner down; I had to have them disable the NAT-T option for it to work again.

Case 2 (most critical): Amazon Web Services. Once the phase 2 proposal from AWS comes in, CP accepts it, then decides to propose another negotiation again; for a few minutes there is a complete cut-out of the traffic.

 

Other cases on other GWs with similar issues.

 

Opened a case with the TAC; they had me install a special hotfix, with no success.

 

What changed in R80.20 regarding VPN? I hope there is a solution for these issues.

 

[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
HOTFIX_R80_20_JHF_T87_190_MAIN
HOTFIX_R80_20_JHF_T87_174_MAIN
HOTFIX_R80_20_JHF_87_90_002_MAIN

FW1 build number:
This is Check Point's software version R80.20 - Build 100
kernel: R80.20 - Build 001

[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

[CPinfo]
No hotfixes..

[DIAG]
No hotfixes..

[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

[CPUpdates]
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 87

9 Replies

Re: R80.20 Ipsec VPN issues

There were major changes to SecureXL in R80.20.  Try disabling SecureXL VPN acceleration for the problematic peers using the vpn accel command (added in R80.20 Jumbo Take 47) as specified here:

sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: R80.20 Ipsec VPN issues

I did it yesterday to do some fw monitor; I left it off and, guess what, no issues today for the AWS VPN... so indeed it's a workaround.

Can you please enlighten me on the core issue? It's a bit disappointing to have to disable acceleration to fix this issue.

Thanks as always.

Re: R80.20 Ipsec VPN issues

Actually in R80.20 Jumbo HFA Take 73 and later, you don't need to disable SecureXL to get a complete fw monitor capture.

I assume you disabled SecureXL with the fwaccel off command, which is not a permanent fix and may cause performance issues. Any time that SecureXL needs to be disabled to make things work it is always a good idea to open a TAC case so they can figure out why.  That said, I'd recommend the following (note doing the following will cause a brief VPN outage):

1) Disable SecureXL acceleration for the problematic VPN peers via the vpn accel command (you can also disable all SecureXL VPN acceleration with the vpn accel off command).

2) Turn SecureXL back on with fwaccel on (or just reboot).

SecureXL was completely overhauled in R80.20 in preparation for the upcoming Falcon accelerator cards.

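The two-step workaround above (per-peer vpn accel off, then fwaccel on), scripted as an added example that is not from the thread or from Check Point. It assumes the R80.20 Jumbo (Take 47 and later) syntax "vpn accel off <peer IP>" and "fwaccel on" referenced via sk151114; the peer addresses, the CP_RUN dry-run hook and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): script the two-step
# workaround for a list of peers. Assumes the R80.20 Jumbo (Take 47+) syntax
# "vpn accel off <peer IP>" and "fwaccel on" per sk151114; the peer list and
# the CP_RUN dry-run hook are this script's own assumptions.
# Note: the thread warns that re-enabling SecureXL briefly drops VPN tunnels.

# Set CP_RUN=echo to dry-run (print the commands instead of executing them).
: "${CP_RUN:=}"

# is_ipv4 ADDR: return 0 if ADDR is a dotted-quad IPv4 address, else 1.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# disable_vpn_accel PEER...: turn off SecureXL VPN acceleration for each
# peer. Malformed addresses are skipped; the return value is the number
# skipped, so 0 means every peer was handled.
disable_vpn_accel() {
    skipped=0
    for peer in "$@"; do
        if is_ipv4 "$peer"; then
            $CP_RUN vpn accel off "$peer"
        else
            echo "skipping malformed peer address: $peer" >&2
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# apply_workaround PEER...: step 1 (per-peer vpn accel off) followed by
# step 2 (fwaccel on) so the rest of the gateway stays accelerated.
# Refuses to proceed to step 2 if any peer was skipped.
apply_workaround() {
    if disable_vpn_accel "$@"; then
        $CP_RUN fwaccel on
        return 0
    fi
    echo "not re-enabling SecureXL: fix the peer list first" >&2
    return 1
}

# Usage on the gateway (expert mode):
#   ./vpn_accel_workaround.sh 203.0.113.10 198.51.100.7
# Dry-run from anywhere:
#   CP_RUN=echo ./vpn_accel_workaround.sh 203.0.113.10
if [ "$#" -gt 0 ]; then
    apply_workaround "$@"
fi
```

Run it with CP_RUN=echo first and read the command list before running it for real on a gateway, since step 2 causes the brief VPN outage mentioned above.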

Re: R80.20 Ipsec VPN issues

I used vpn accel peerip, not fwaccel off. Sorry.

I keep having incidents for S2S VPNs popping up 😄 I guess I need to disable it for almost all of them.

I'll check with the TAC also.

wizzolo

Re: R80.20 Ipsec VPN issues

Hi,

 

For the same issue I've used the command vpn accel off for a particular peer, and it seems to fix the problem, but after policy installation the VPN stops working and I need to use vpn tu to reset the tunnel.

 

Any idea ?

 

Thank you


Re: R80.20 Ipsec VPN issues

Hi wizzolo,

Do you have keep IKE SAs checked?

In any case, whether it is checked or not, I would advise opening a ticket with the TAC, as it is not expected behavior.

Re: R80.20 Ipsec VPN issues

Hi Khalid,

I would like to get more details regarding different SXL VPN issues you are having.

Currently we do not have known VPN issues with SXL which are present in the latest R80.20 JHF.

In case you still have difficulties with it, I would prioritize it in our group.

Are you running the latest JHF take?

Can you share the SRs which are still unresolved, or resolved, but fixes still not inside JHF?


Re: R80.20 Ipsec VPN issues

Hi Vitaly,

Yes, I have Keep IKE SAs enabled, and we are running Take 87 HF.

I of course have a case with the TAC; now it's with an escalation engineer, who suggested installing the latest non-GA Jumbo as a first solution.

Kr,

Khalid
wizzolo

Re: R80.20 Ipsec VPN issues

Just to share my point: I have Take 103 with the issue.