This is weird! Traffic is not going through Tunnel (Policy based)
Hi Folks,
This is a really weird issue I am facing. I was on a single firewall which is being managed by a separate management server. I am now migrating the setup to a cluster. This firewall is on R80.30.
Now I got one more appliance of the same model, hence I decided to configure that appliance as a cluster (this is R80.40) and let it be a single member in the cluster. So if the activity is successful I could then format the existing firewall and directly add it as a secondary in the cluster.
Everything went as planned and I was able to restore all the things correctly except the VPN tunnel, which was policy based. I can see the tunnel is up, both P1 and P2 are up, but I don't see the traffic being encrypted in SmartLog. The policy was not matching.
I did all the things I could do but still no luck. The one weird thing I observed is that I was able to ping the peer IP from the new cluster member, which was not happening from the old member, and that is an expected behavior.
Finally I have now taken the fw ctl debug and am analyzing it.
Any hints are much appreciated.
TIA
Blason R
CCSA,CCSE,CCCS
Maybe try vpn accel off peer_ip?
Andy
Make sure clustering is enabled in cpconfig from the CLI of the new gateway. Failure to have this set (even in a cluster of one) will have all kinds of strange effects if the gateway is configured as a cluster in SmartConsole.
Recheck the VPN domain of the cluster object and of the peer, source IP must fall into the VPN domain of the cluster object AND destination must fall within the defined VPN domain of the peer for encryption to start.
The rule permitting the traffic into the VPN tunnel must match the pre-NAT IP addresses for both source and destination if you are NATting traffic into the tunnel to avoid a RFC1918 conflict. Try setting the VPN column of the rule that is supposed to permit the traffic to "Any" and see if that helps.
Also a common element that can get lost in configuration transfers is failing to set "Disable NAT in VPN Community" if you don't need to NAT traffic into the VPN tunnel.
Other than that we will need to see the Key Install messages for the IKE negotiation to diagnose further, specifically the Proxy-IDs/subnets that are negotiated.
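The domain check in the reply above (source inside the cluster object's VPN domain AND destination inside the peer's VPN domain, evaluated on pre-NAT addresses) as a small added checker. This is example code written for this thread, not a Check Point tool; the domain values and flows are constructed samples.

```python
from ipaddress import ip_address, ip_network

# Constructed sample encryption domains (hypothetical values, not from the thread).
LOCAL_VPN_DOMAIN = ["10.1.0.0/16", "10.2.0.0/24"]   # cluster object's VPN domain
PEER_VPN_DOMAIN = ["192.168.50.0/24"]                # peer gateway's VPN domain


def _nets(domain):
    return [ip_network(n) for n in domain]


def in_domain(addr, domain):
    """True if addr (string) lies inside any network of the domain."""
    a = ip_address(addr)
    return any(a in net for net in _nets(domain))


def check_flow(src, dst, local=LOCAL_VPN_DOMAIN, peer=PEER_VPN_DOMAIN):
    """Decide whether a flow is selected for the tunnel.

    src/dst are the pre-NAT addresses: the VPN rule and domain match are
    evaluated before NAT, so feeding a post-NAT address here gives a wrong
    answer. Both conditions must hold; one alone leaves the packet in the clear.
    """
    src_ok = in_domain(src, local)
    dst_ok = in_domain(dst, peer)
    result = {"src_in_local_domain": src_ok, "dst_in_peer_domain": dst_ok,
              "encrypt": src_ok and dst_ok}
    if not src_ok:
        result["hint"] = "source is outside the cluster's VPN domain"
    elif not dst_ok:
        result["hint"] = "destination is outside the peer's VPN domain"
    return result


def domain_overlap(local=LOCAL_VPN_DOMAIN, peer=PEER_VPN_DOMAIN):
    """List (local, peer) network pairs that overlap.

    Overlapping RFC1918 ranges on both sides is the situation where NAT into
    the tunnel is needed; without such a conflict, "Disable NAT in VPN
    Community" is the simpler setting.
    """
    return [(str(l), str(p)) for l in _nets(local) for p in _nets(peer)
            if l.overlaps(p)]


if __name__ == "__main__":
    for flow in [("10.1.5.10", "192.168.50.20"), ("172.16.5.10", "192.168.50.20"),
                 ("10.1.5.10", "192.168.60.20")]:
        print(flow, check_flow(*flow))
    print("overlaps:", domain_overlap(["10.1.0.0/16"], ["10.1.5.0/24"]))
```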
Great point @Timothy_Hall about clustering. I had a customer once who only set one member in the cluster object in SmartConsole (they were waiting for the other one to be configured the next day) and the guy forgot to set clustering to enabled from cpconfig. Honestly, I never logically thought before then that it was needed in such situations either, but it definitely is.
Live and learn :-)
Andy
Well, if that is the case, then when I run cphaprob stat it shows as an Active member; that indicates the HA module has started. Since we had to revert to the old appliance I do not have the new cluster handy to run those commands and see.
Anyway, I am investigating the kernel debugs and will see.
Blason R
CCSA,CCSE,CCCS
K, fair enough. I'm not really sure what TAC uses to analyze those large kernel debug files, but I know in the past they had something internal (that was not available to customers... at least that's what a TAC esc. guy from DTAC told me once).
Andy
Hmm - well I am just using vim tricks to search for the destination IP address and then relevant errors.
Blason R
CCSA,CCSE,CCCS
You can do that too... not sure how effective it is on really large files, but I have used it before.
If files can be sent securely, I would be happy to have a look as well myself, as long as you can provide all the relevant info.
Cheers,
Andy
