They are cleanup drops. The peers are not behind NAT-T. And then the destination port should be 500/4500, not some random UDP high port. It's the destination port in the log, not the source port.

What is the source port, anything consistent?

I've checked the source port, which strangely does seem to be tunnel_test (UDP 18234). So that's even stranger, since I also see seperate succesful encrypt logs for them. It's like it's sending the tunnel tests twice?

maybe this SK will send you in the right direction

https://support.checkpoint.com/results/sk/sk163835

I've tried making a No NAT for the tunnel_test traffic, but it's still getting NATted behind the cluster IP (which is fine) and random UDP high ports (which is not, it should stay the standard tunnel_test port) based on an implied rule it seems from the logs.

UDP 18234 is a tunnel test feature. 

The behavior you described could be related to Check Point's VPN tunnel testing feature. 

The VPN tunnel testing protocol is designed to ensure that the VPN tunnels are functioning properly and can handle traffic. It periodically sends test packets between the gateways to verify the connectivity and integrity of the VPN tunnels.

Also, 

To stop this behavior, you can disable the VPN tunnel testing feature. Here are the steps to disable VPN tunnel testing in Check Point:

1. Log in to the SmartConsole (Check Point management interface).

2. Go to the "Network Management" tab.

3. Select "VPN" from the left-hand menu.

4. In the VPN section, click on "VPN Tunnel Sharing".

5. In the "VPN Tunnel Sharing" window, select the relevant VPN community.

6. Click on the "Advanced" button.

7. In the "Advanced VPN Tunnel Sharing" window, uncheck the option for "Enable VPN tunnel testing".

8. Click "OK" to save the changes.

Not quite sure where you want me to go. The only tab called 'Network Management' that I know of is on gateway objects.

Fair enough, let's try a different approach: 

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Top...

Thanks, but that doesn't describe anything about disabling tunnel testing.

Also, I don't want to disable tunnel_testing, I want the gateway to stop source port NATing it for some strange reason 🙂

The tunnels themselves all work, but the log is getting unnecesarrily spammed with the high UDP port traffic hitting the cleanup rule, while it should be accepted on an implied rule as a control connection.

Permanent tunnels are enabled, but it's all CP <-> CP, so using tunnel_test. The tunnel_test traffic is getting encrypted and is a completely different port then the ones we're seeing dropped. Tunnel_test is all UDP 18234, hitting the implied rule.

please share the source ports.

Also maybe traffic capture and VPN debug will tell you more. I think it is DPD

I have a rule of thumb, never treat a Check Point issue with logic 😉

Is this a joke? If not, can you please elaborate?

What I really meant but generalized as I say that a lot on conference tshoot calls. Especially when other Vendor FW's are involved it is usually CP weird behavior or CP interpretation of RFC's differ a lot from other vendors - exact example not coming to mind but there was a couple with IPsec VPNs we had to adjust behaviors to make compatible.

Also where customers saying "this 'should' be how it is behaving because of how such and such is configured" which I will not accept as an answer until I see the behavior happening/Not happening.

Then if logic does not prevail it is usually a coding issue.
E.g.1 Return decrypted traffic reaching the FW but not re-entering the tunnel and silently dropped - R&D hotfix.
E.g.2 Cert CRL default changed in jumboHF to OCSP. The FW not able to reach OCSP and should revert to CRL URL but does not. VPN cert auth fails. R&D fix for IkeV2 needed.
I have a few more examples from the past few years I could go find from saved notes.

I assure you, vendor interoperability with IPsec is not a unique thing with Check Point. All vendors have their own "dialect" of the RFCs. The RFCs just state how the end result should appear; it's up to the specific vendors to code this into their products.  Back in the early 2000s, I did IPsec interoperability testing with numerous vendors at the time (Check Point, Cisco IOS routers, WatchGuard, PGPnet, Linux FreeSWAN, one or two others I forget now).  Each one had their own quirks.

Nowadays, things are MUCH better for all vendors, but even so there are still some things that come up from time-to-time.  No one vendor is innocent, but some were more guilty than others. IKEv2 has helped matters greatly, for all vendors.  A lot of things for IKEv1 literally were "made up as we went along" [NAT-T and DPD in particular].

Check Point does the job very well these days.  R&D has done great work improving their VPN code!

I never managed to actually solve it, I just made a specific anti-log rule for the involved gateways so it's not a waste of log capacity.  The rule has 14 million hits in about 6 months.

Maybe "Tunnel Testing fails after an upgrade" can be relevant here ?

We only have this issue with SMB gateways, so the fixed JHF's / SK is not relevant.

We have a meshed VPN community between two Gaia clusters running R81.20 JFHA take 84, and we still see this issue. These same Gaia clusters are also part of a star VPN community where they are the central gateway and SMB devices are the satellites. We also see the problem here. Even stranger - since we upgraded the Gaia clusters to R81.20 (they were previously running R81.10) I do not even see them listening on port 18234 (netstat -anp | grep :18234 returns nothing) even though I can see tunnel test traffic on UDP 18234 going to/from these gateways. It just gets weirder.

Dave

We have the exact same problem, TAC involve but no solution yet. Does somebody solve this issue?