This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bezeq_int
Participant
‎2024-03-08 08:27 AM

error Clear text packet should be encrypted

Yesterday we upgraded the mgmt from r80.40 to r81.20

and we have two firewalls still on r80.40

the site to site on the firewalls still up but the icmp/snmp traffic generated from same source ip addresses in the tunnel are being dropped with this error message:

@;3243628120;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 x.x.x.x:56134 -> y.y.y.y:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

@;3243632857;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:52 ->y.y.y.y:0 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

on the mgmt we edited this file: //opt/CPsuite-R81.20/fw1/lib/crypt.def  last lines to:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

the problem is still occurring

how to fix this ?

please advice

thanks

 

 

0 Kudos
12 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-03-08 08:40 AM

Let me see if I can find some stuff about this, it might be known issue if gateways are still on R80.40

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-03-08 08:41 AM

K, found it...MAKE SURE to backup the files first, of course

# cd $FWDIR/conf
# cp user.def.FW1 user.def.R8040CMP
 
Thats it. Then push the policy.
Andy
Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
bezeq_int
Participant
‎2024-03-08 09:07 AM
In response to the_rock

No sir, that also did not fix the issue

 

[Expert@CP-MGMT:0]# cd $FWDIR/conf
[Expert@CP-MGMT:0]# pwd
/opt/CPsuite-R81.20/fw1/conf
[Expert@CP-MGMT:0]# ll | grep user.def
...
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
...
-rw-r----- 1 admin bin 732 Nov 16 2022 user.def.R8040CMP
...
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# cp user.def.FW1 user.def.R8040CMP
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# ll | grep user.def.FW
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
[Expert@CP-MGMT:0]# ll | grep user.def.R
....
-rw-r----- 1 admin bin 882 Mar 8 18:56 user.def.R8040CMP

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-03-08 09:28 AM
In response to bezeq_int

Did you install the policy?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
bezeq_int
Participant
‎2024-03-08 09:35 AM
In response to the_rock

sure i did 🙂

the_rock
MVP Diamond
MVP Diamond
‎2024-03-08 10:07 AM
In response to bezeq_int

K, fair enough. If thats the case, I dont want to tell you to modify anything else with that file, as Im worried we may make it worse and no one wants that on the weekend lol

Anyway...maybe reverse all the changes and lets take a step back here. So, IF its saying clear packet should be encrypted, logically, that insinuates to me that something is missing in the enc. domain possibly...can you check?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
bezeq_int
Participant
‎2024-03-08 10:39 AM
In response to the_rock

thankyou

we'll check with TAC

0 Kudos
_Jelle
Collaborator
Collaborator
‎2024-11-18 07:25 AM
In response to bezeq_int

Hi bezeq_int,

So, it's a while ago but any chance you could still share the outcome of your TAC case? Would be great for me but also other people crawling these topics.

0 Kudos
KeonNg
Participant
‎2025-12-22 07:06 PM
In response to bezeq_int

Hi @bezeq_int 

 

Seeking for your update as well the feedback from TAC. Thank you.

 

What I suspect from here is that whether you need to remove the line:

#define NON_VPN_TRAFFIC_RULES 0

since you have rules define:

#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)

But im not sure.

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-23 07:46 AM
In response to KeonNg

See if this explanation by @Bob_Zimmerman helps. I know maybe not exact same scenarion, but it is relevant.

https://community.checkpoint.com/t5/Security-Gateways/Unnumbered-VTI-to-3rd-party-gateway/m-p/137471...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-01 06:44 PM
In response to bezeq_int

Hey mate,

Happy new year!

Any progress with this?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-12-23 07:19 AM

This message means the source is in a peer's encryption domain and the destination is in the local encryption domain. The firewall is saying it should have received this traffic over a VPN with that peer.

Think of it like antispoofing for VPNs.

"According to the policy, the packet should not have been decrypted" is similar, but the other way around: the local system decrypted the packet, but the source isn't in that peer's encryption domain or the destination isn't in the local encryption domain.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events