Re: error Clear text packet should be encrypted

bezeq_int · ‎2024-03-08

Yesterday we upgraded the mgmt from r80.40 to r81.20

and we have two firewalls still on r80.40

the site to site on the firewalls still up but the icmp/snmp traffic generated from same source ip addresses in the tunnel are being dropped with this error message:

@;3243628120;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 x.x.x.x:56134 -> y.y.y.y:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

@;3243632857;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:52 ->y.y.y.y:0 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

on the mgmt we edited this file: //opt/CPsuite-R81.20/fw1/lib/crypt.def last lines to:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

the problem is still occurring

how to fix this ?

please advice

thanks

the_rock · ‎2024-03-08

Let me see if I can find some stuff about this, it might be known issue if gateways are still on R80.40

Andy

Best,
Andy

the_rock · ‎2024-03-08

K, found it...MAKE SURE to backup the files first, of course

# cd $FWDIR/conf

# cp user.def.FW1 user.def.R8040CMP

Thats it. Then push the policy.

Andy

Best,
Andy

bezeq_int · ‎2024-03-08

No sir, that also did not fix the issue

[Expert@CP-MGMT:0]# cd $FWDIR/conf
[Expert@CP-MGMT:0]# pwd
/opt/CPsuite-R81.20/fw1/conf
[Expert@CP-MGMT:0]# ll | grep user.def
...
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
...
-rw-r----- 1 admin bin 732 Nov 16 2022 user.def.R8040CMP
...
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# cp user.def.FW1 user.def.R8040CMP
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# ll | grep user.def.FW
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
[Expert@CP-MGMT:0]# ll | grep user.def.R
....
-rw-r----- 1 admin bin 882 Mar 8 18:56 user.def.R8040CMP

the_rock · ‎2024-03-08

Did you install the policy?

Best,
Andy

bezeq_int · ‎2024-03-08

sure i did 🙂

the_rock · ‎2024-03-08

K, fair enough. If thats the case, I dont want to tell you to modify anything else with that file, as Im worried we may make it worse and no one wants that on the weekend lol

Anyway...maybe reverse all the changes and lets take a step back here. So, IF its saying clear packet should be encrypted, logically, that insinuates to me that something is missing in the enc. domain possibly...can you check?

Best,

Andy

Best,
Andy

bezeq_int · ‎2024-03-08

thankyou

we'll check with TAC

_Jelle · ‎2024-11-18

Hi bezeq_int,

So, it's a while ago but any chance you could still share the outcome of your TAC case? Would be great for me but also other people crawling these topics.

KeonNg · ‎2025-12-22

Hi @bezeq_int

Seeking for your update as well the feedback from TAC. Thank you.

What I suspect from here is that whether you need to remove the line:

#define NON_VPN_TRAFFIC_RULES 0

since you have rules define:

#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)

But im not sure.

the_rock · ‎2025-12-23

See if this explanation by @Bob_Zimmerman helps. I know maybe not exact same scenarion, but it is relevant.

https://community.checkpoint.com/t5/Security-Gateways/Unnumbered-VTI-to-3rd-party-gateway/m-p/137471...

Best,
Andy

the_rock · ‎2026-01-01

Hey mate,

Happy new year!

Any progress with this?

Best,
Andy

Bob_Zimmerman · ‎2025-12-23

This message means the source is in a peer's encryption domain and the destination is in the local encryption domain. The firewall is saying it should have received this traffic over a VPN with that peer.

Think of it like antispoofing for VPNs.

"According to the policy, the packet should not have been decrypted" is similar, but the other way around: the local system decrypted the packet, but the source isn't in that peer's encryption domain or the destination isn't in the local encryption domain.

Are you a member of CheckMates?

error Clear text packet should be encrypted