R80.40 IPSEC VPN shows stuck at Phase I but is fully operational

I have a R80.40 lab with three Check Point gateways. One distributed environment (managed by separate management server) and the other two are standalone (gateway and management on same device). 

I have site-to-site VPNs configured as follows:

1. from Main GW to Remote GW1

2. from Main GW to Remote GW2

VPNs show in SmartView Monitor as Up - Phase I, but when I look at vpn tu on the CLI I see Phase II tunnels formed:

SAs of all instances:

Peer 192.168.101.11 , RemoteGW1 SAs:

IKE SA <b026ba653a85f493,13cd8ad810ce962a>
INBOUND:
1. 0x97698d60 (i: 0)
OUTBOUND:
1. 0x5c3cf41e (i: 0)

Peer 192.168.101.12 , RemoteGW2 SAs:

IKE SA <c33a8776de4d53f1,62554189591c0af1>
INBOUND:
1. 0xa306b733 (i: 1)
OUTBOUND:
1. 0x53ff98e0 (i: 1)

The IKE.elg also shows three messages in quick mode.

I have also cleared the tunnel down and brought it up by initiating traffic, firstly from the local network (issuing a ping from PC1 to remote PC2) and then secondly from the remote network (issuing a ping from remote PC2 to local PC1).

Has anyone seen this before?
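Because the question hinges on trusting the CLI over SmartView Monitor, here is an added example (not from the original post or from Check Point) that parses the "SAs of all instances" listing of `vpn tu` shown above and reports, per peer, whether only an IKE SA (Phase I) or inbound plus outbound IPsec SAs (Phase II) are present. The sample text is constructed from the listing in the post with one extra, constructed peer (RemoteGW3, Phase I only) added to show the failing case; the line patterns and the meaning of the `(i: N)` suffix as an instance index are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two peers from the post plus a constructed third peer
# that has an IKE SA but no IPsec SAs (Phase I only).
SAMPLE_VPN_TU = """SAs of all instances:

Peer 192.168.101.11 , RemoteGW1 SAs:

IKE SA <b026ba653a85f493,13cd8ad810ce962a>
INBOUND:
1. 0x97698d60 (i: 0)
OUTBOUND:
1. 0x5c3cf41e (i: 0)

Peer 192.168.101.12 , RemoteGW2 SAs:

IKE SA <c33a8776de4d53f1,62554189591c0af1>
INBOUND:
1. 0xa306b733 (i: 1)
OUTBOUND:
1. 0x53ff98e0 (i: 1)

Peer 192.168.101.13 , RemoteGW3 SAs:

IKE SA <0000000000000001,0000000000000002>
INBOUND:
OUTBOUND:
"""

# Line patterns assumed from the listing format in the post.
PEER_RE = re.compile(r"^Peer (\S+) , (\S+) SAs:$")
IKE_RE = re.compile(r"^IKE SA <([0-9a-fA-F]+),([0-9a-fA-F]+)>$")
SPI_RE = re.compile(r"^\d+\. (0x[0-9a-fA-F]+) \(i: (\d+)\)$")


@dataclass
class PeerState:
    ip: str
    name: str
    ike_cookies: Optional[tuple] = None          # (initiator, responder) IKE SA cookies
    inbound: list = field(default_factory=list)  # [(spi, instance), ...]
    outbound: list = field(default_factory=list)

    @property
    def phase(self) -> str:
        # Phase II needs an IPsec SA in both directions; an IKE SA alone is Phase I.
        if self.inbound and self.outbound:
            return "Phase II"
        if self.ike_cookies:
            return "Phase I"
        return "Down"


def parse_vpn_tu(text: str) -> list:
    """Parse the 'SAs of all instances' section of vpn tu into PeerState objects."""
    peers, current, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            current = PeerState(ip=m.group(1), name=m.group(2))
            peers.append(current)
            direction = None
            continue
        if current is None:
            continue
        m = IKE_RE.match(line)
        if m:
            current.ike_cookies = (m.group(1), m.group(2))
            continue
        if line == "INBOUND:":
            direction = "inbound"
            continue
        if line == "OUTBOUND:":
            direction = "outbound"
            continue
        m = SPI_RE.match(line)
        if m and direction:
            getattr(current, direction).append((m.group(1), int(m.group(2))))
    return peers


def tunnel_report(text: str) -> dict:
    """Map each peer name to the phase its SAs actually indicate."""
    return {p.name: p.phase for p in parse_vpn_tu(text)}


if __name__ == "__main__":
    for name, phase in tunnel_report(SAMPLE_VPN_TU).items():
        print(f"{name}: {phase}")
```

Run on a live box with `vpn tu` output piped in, a peer reported as "Phase I" here has genuinely not completed quick mode, whereas the post's two peers come out as "Phase II" regardless of what the monitor displays; that distinction is what separates a display bug from a real tunnel failure.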

9 Replies

Admin

Just to clarify, SmartView Monitor is not showing the VPN up but it actually is?
Please open a TAC case.

Nickel

That is correct.

This is in a lab environment so no support unfortunately. That's why I was wondering if anyone else had seen this or if it was something specific to my lab.

Hi @scottikon

This issue always occurs if both gateways are in the same external network with the external interface.

Add a router instance between the VPN gateways in your lab:

internal network A <> Gateway A <> Router <> Gateway B <> internal network B
                                  <---VPN--->

Nickel

Thanks Heiko, I will give this a try

Nickel

Unfortunately I put a virtual SRX in packet mode (router) in between the Check Point external interfaces and the VPN is still showing as Phase I. Even though tunnel utility shows full VPN established and the logs show encrypt/decrypt and quick mode key installs. 

I too observed this in our production environment with R80.40. I am installing latest Hotfix to see if it resolves the issue.


Nickel

Thanks Narsimha, it would be good to hear from you once you have done that.

Ivory

Hello Mates,

Does anybody have any update regarding this symptom? I can observe this behaviour after upgrading from R80.20 to R80.40 JHA48.

All of the S2S tunnels operate normally, but in SmartView Monitor all of them show State UP - Phase 1.

Additionally it is production environment, not lab.

Thanks for all,

Gabor


Platinum

Same here. But I don't mind as long as VPN actually works.