This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rene_Rosenkrant
Participant
‎2018-12-04 04:05 AM

Strange behaviour after R80.20 upgrade

I have a problem that occured on R80.20. In the end we had to move a VPN, Can someone explain why you can have an ESP and ARP broadcast at the same time?

10:12:10.207381 00:12:c1:ce:90:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: x.x.x.x ^ x.x.x.x: ESP(spi=0x78e02e92,seq=0xb7), length 100 10:12:13.210228 00:12:c1:ce:90:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: x.x.x.x ^ x.x.x.x: ESP(spi=0x78e02e92,seq=0xb8), length 100
0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2018-12-04 06:40 PM

Without knowing anything about your configuration or other errors you encountered, what traffic you were trying to initiate through, etc, it's difficult to say why.

Explaining what the different IPs are would be helpful (having them all x.x.x.x doesn't help).

0 Kudos
Rene_Rosenkrant
Participant
‎2018-12-05 01:47 AM
In response to PhoneBoy

Thank you for the answer.  The IPs are both ends of a VPN tunnel. Source IP is the local gateway external IP and the destination is the peer gateway IP.

The IP packet is forwarded to the right interface, so to my understanding the layer 2 part is working. we see no ethertype ARP requests to know the IP.

Still, the packet is forwarded to the outgoing interface, but with a layer 2 broadcast MAC as destination.

Other VPNs are running fine via the same default gateway, the only difference is the peer IP, and for one specific IP, a layer 2 broadcast is send.

This is an example of something that works:

10:14:08.809013 00:12:c1:ce:90:08 ^ 00:00:5e:00:01:33, ethertype IPv4 (0x0800), length 134: 198.45.128.10 ^ 64.62.2.253: ESP(spi=0xce785fc9,seq=0x1f), length 100 (IPs changed)

The question is more, if there is any situation where the packet below is valid according to RFC. I have a ticket with Checkpoint but I wanted to ask here also. 

10:12:10.207381 00:12:c1:ce:90:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: x.x.x.x ^ x.x.x.x: ESP(spi=0x78e02e92,seq=0xb7)

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-05 09:42 AM
In response to Rene_Rosenkrant

The MAC address in question suggests it's going to a VRRP cluster of some sort.

See: Virtual Router Redundancy Protocol - Wikipedia 

What should be the actual next-hop in this case?

0 Kudos
Rene_Rosenkrant
Participant
‎2018-12-07 05:55 AM
In response to PhoneBoy

Yes.

when it Works, the package should be forwarded to 00:00:5e:00:01:33 which is the Internet routers VRRP MAC.

10:14:08.809013 00:12:c1:ce:90:08 ^ 00:00:5e:00:01:33, ethertype IPv4 (0x0800), length 134: 198.45.128.10 ^ x.x.x.x: ESP(spi=0xce785fc9,seq=0x1f), length 100

When it fails the VRRP MAC is replaced with a broadcast MAC.

10:12:10.207381 00:12:c1:ce:90:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: 198.45.128.10 ^ x.x.x.x: ESP(spi=0x78e02e92,seq=0xb7), length 100

It is important to mention that this only happened for one VPN!

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-07 11:33 AM
In response to Rene_Rosenkrant

Sounds like a TAC case is in order then.

0 Kudos
Niels_van_Sluis
Contributor
‎2019-02-14 09:48 AM

Did you ever solved this? Seeing the same thing on a VSX platform running R80.20 Take_33.

Rene_Rosenkrant
Participant
‎2019-03-08 03:31 AM
In response to Niels_van_Sluis

Hi. I had a TAC case but its closed now. its not solved. RnD asked for more debugs but we need to continue our upgrades now. I can only encourage everybody, who sees this, to contact support. our ticket was this.

As long as we don't disable secure-XL 'fwaccel off' the VPNs will be stable.

If we disable 'fwaccel off' all VPNs will eventually fall apart and die. some VPNs are impacted at once so be carefull.

it seems like a R80.20 issue.

3-0641880071

0 Kudos
Niels_van_Sluis
Contributor
‎2019-03-15 07:52 AM
In response to Rene_Rosenkrant

Hi Rene,

Thanks for your reply. I can confirm it is related to fwaccel. For more info on that see my other post here:

https://community.checkpoint.com/t5/General-Management-Topics/vpn-r80-20-vsx/td-p/15269

Our case with TAC is still open, however Check Point claims that there are no other customers who have this specific issue. 

Kind regards,

     --Niels

Martijn
Advisor
Advisor
‎2019-11-19 07:03 AM

Hi all,

We have a customer on R80.30 with the same problem and opened a case with TAC. And after a long time it seems to be solved in R80.30 ongoing take 76.

ID: PRJ-1420, PRJ-4740, GAIA-5136 "Improved the VPN connectivity for VSX and User-Space Firewall gateways.

ID: PRJ-4740, PRJ-1420 "In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692."

Check Point support mentioned three customer for which ongoing take 76 was the solution. Our customer performed the first test and it seems his VPN problems are also solved.

Not sure this fix wil be merged into a jumbo on R80.20.

Regards, Martijn

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events