bezeq_int
Participant

error Clear text packet should be encrypted

Yesterday we upgraded the mgmt from R80.40 to R81.20, and we have two firewalls still on R80.40.

The site-to-site on the firewalls is still up, but the ICMP/SNMP traffic generated from the same source IP addresses in the tunnel is being dropped with this error message:

@;3243628120;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 x.x.x.x:56134 -> y.y.y.y:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

@;3243632857;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 x.x.x.x:52 ->y.y.y.y:0 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

On the mgmt we edited the last lines of this file, /opt/CPsuite-R81.20/fw1/lib/crypt.def, to:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=y.y.y.y or dst=z.z.z.z)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

The problem is still occurring.

How to fix this?

Please advise.

Thanks

0 Kudos
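Added example, not part of the original post or of Check Point's tooling: a small Python parser for drop-debug lines in the format quoted above. It groups the "Clear text packet should be encrypted" drops by source, destination, protocol and destination port, so the affected flows can be compared against the intended encryption-domain or exclusion settings. The sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the line format quoted in the post above; documentation
# addresses stand in for the redacted x.x.x.x / y.y.y.y, and the fourth line's
# function name and reason are made-up placeholders for "some other drop".
SAMPLE = """\
@;3243628120;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.10:56134 -> 198.51.100.20:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
@;3243632857;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.10:52 ->198.51.100.20:0 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
@;3243632900;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.10:56135 -> 198.51.100.21:161 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
@;3243633000;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.99:40000 -> 198.51.100.20:22 dropped by example_other_drop Reason: constructed other reason;
an unrelated debug line
"""

# "\s*->\s*" tolerates the missing space after the arrow seen in the ICMP line.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
CLEARTEXT = "Clear text packet should be encrypted"


def parse_drops(text):
    """Yield one dict per fw_log_drop_ex line; any other line is skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["proto"] = PROTO_NAMES.get(int(d["proto"]), d["proto"])
            d["reason"] = d["reason"].strip()
            yield d


def cleartext_flows(text):
    """Count clear-text drops per (src, dst, proto, dport)."""
    flows = Counter()
    for d in parse_drops(text):
        if d["reason"] == CLEARTEXT:
            # ICMP has no ports, so the trailing number is not kept for it.
            dport = None if d["proto"] == "icmp" else int(d["dport"])
            flows[(d["src"], d["dst"], d["proto"], dport)] += 1
    return flows


if __name__ == "__main__":
    for (src, dst, proto, dport), n in sorted(cleartext_flows(SAMPLE).items(), key=str):
        print(f"{n:3d}  {src} -> {dst}  {proto}/{dport}")
```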
8 Replies
the_rock
Legend

Let me see if I can find some stuff about this, it might be a known issue if gateways are still on R80.40.

Andy

0 Kudos
the_rock
Legend

K, found it...MAKE SURE to back up the files first, of course

# cd $FWDIR/conf
# cp user.def.FW1 user.def.R8040CMP

That's it. Then push the policy.
Andy
0 Kudos
bezeq_int
Participant

No sir, that also did not fix the issue.

[Expert@CP-MGMT:0]# cd $FWDIR/conf
[Expert@CP-MGMT:0]# pwd
/opt/CPsuite-R81.20/fw1/conf
[Expert@CP-MGMT:0]# ll | grep user.def
...
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
...
-rw-r----- 1 admin bin 732 Nov 16 2022 user.def.R8040CMP
...
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# cp user.def.FW1 user.def.R8040CMP
[Expert@CP-MGMT:0]#
[Expert@CP-MGMT:0]# ll | grep user.def.FW
-rwxrwx--- 1 admin bin 882 Mar 7 20:44 user.def.FW1
[Expert@CP-MGMT:0]# ll | grep user.def.R
....
-rw-r----- 1 admin bin 882 Mar 8 18:56 user.def.R8040CMP

0 Kudos
the_rock
Legend

Did you install the policy?

0 Kudos
bezeq_int
Participant

Sure I did 🙂

the_rock
Legend

K, fair enough. If that's the case, I don't want to tell you to modify anything else with that file, as I'm worried we may make it worse and no one wants that on the weekend lol

Anyway...maybe reverse all the changes and let's take a step back here. So, IF it's saying clear packet should be encrypted, logically, that insinuates to me that something is missing in the enc. domain possibly...can you check?

Best,

Andy

0 Kudos
bezeq_int
Participant

Thank you

We'll check with TAC

0 Kudos
Jelle_Hazenberg
Collaborator

Hi bezeq_int,

So, it's a while ago but any chance you could still share the outcome of your TAC case? Would be great for me but also other people crawling these topics.

0 Kudos
