This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gary_Lai
Participant
‎2018-04-30 07:21 PM

Does upgrading to R80.10 result in IPsec is failed

Dear Everyone,

I have two CP15600 GWs (made high availability) and one VM (SMS).

Last month I upgraded  R77.30 SMS to R80.10 (I upgraded using "Upgrade")

However, the status of the HA often changes. (active and standby)
In the Standby Status,"Standby"GW cannot ping 8.8.8.8 and cws.checkpoint.tw and other websites but can ping sync ip and VIP(HA)
In the Active Status, "active" of GW can ping 8.8.8.8 and cws.checkpoint.tw and sync ip and other websites, but you cannot ping VIP (HA).

The same is true when the status of GW changes.

As the status changes, Error will change, Standby's Error is as follows

In addition, I found that IPsec cannot be used and cannot establish a connection with the peer.

I tried some troubleshooting methods as follows.

1.sk83520 how to check connectivity to CP  Confirm that the problem is not a cloud connection.

2. sk97587 https://www.51sec.org/2015/07/checkpoint-standby-cluster-member-interface-not-reachable/     "invalid"

3. sk19423  Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureK... Select the 'Enable back connections' options.                                                "invalid" 

4.https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/htm...

about   offer_nat_t_initator (False-->True)   "invalid"

5.SK40187 "Packet is dropped because there is no valid SA" log when Cluster drops packets  "invalid"

6.Vpn tu (7)Delete all IPsec+IKE SAs for a given peer  "invalid"

 

Yesterday, I changed phase2 AES256 to AES128.Error disappeared(Only "active"GW disappear),

but I still can't connect to the peer.

Currently, SA (only one data) can be seen in all IKE SAs listed in GW1&GW2 VPN tu(1), but sometimes it exists and sometimes does not exist.

I do not know what to do. Rebuild IPsec or Client Tunnel? (PS: peer device is CISCO)

Thank you all !

   

3 Replies
XBensemhoun
Employee
Employee
‎2018-05-01 05:15 AM

Well, first of all, I would open a SR with the Support with cpinfo files from each Security Gateways and the SMS.

Waiting their answer, I would look at some evidence onto debug files. Did you looked at VPN debug files ?

Information Security enthusiast, CISSP, CCSP
0 Kudos
Gary_Lai
Participant
‎2018-05-01 07:31 AM

VPN debug?  is vpn tu?

Thank you.

0 Kudos
XBensemhoun
Employee
Employee
‎2018-05-01 08:36 AM
In response to Gary_Lai

No : I mean using sk33327 How to generate a valid VPN debug, IKE debug and FW Monitor, skI4326 Enabling IKE and VPN debugging and sk30994‌ What is the IKEView utility?

Information Security enthusiast, CISSP, CCSP
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events