Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Gary_Lai
Participant

Does upgrading to R80.10 result in IPsec is failed

Dear Everyone,

I have two CP15600 GWs (made high availability) and one VM (SMS).

Last month I upgraded  R77.30 SMS to R80.10 (I upgraded using "Upgrade")

However, the status of the HA often changes. (active and standby)
In the Standby Status,"Standby"GW cannot ping 8.8.8.8 and cws.checkpoint.tw and other websites but can ping sync ip and VIP(HA)
In the Active Status, "active" of GW can ping 8.8.8.8 and cws.checkpoint.tw and sync ip and other websites, but you cannot ping VIP (HA).

The same is true when the status of GW changes.

As the status changes, Error will change, Standby's Error is as follows

In addition, I found that IPsec cannot be used and cannot establish a connection with the peer.

I tried some troubleshooting methods as follows.

1.sk83520 how to check connectivity to CP  Confirm that the problem is not a cloud connection.

2. sk97587 https://www.51sec.org/2015/07/checkpoint-standby-cluster-member-interface-not-reachable/     "invalid"

3. sk19423  Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureK... Select the 'Enable back connections' options.                                                "invalid" 

4.https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/htm...

about   offer_nat_t_initator (False-->True)   "invalid"

5.SK40187 "Packet is dropped because there is no valid SA" log when Cluster drops packets  "invalid"

6.Vpn tu (7)Delete all IPsec+IKE SAs for a given peer  "invalid"

 

Yesterday, I changed phase2 AES256 to AES128.Error disappeared(Only "active"GW disappear),

but I still can't connect to the peer.

Currently, SA (only one data) can be seen in all IKE SAs listed in GW1&GW2 VPN tu(1), but sometimes it exists and sometimes does not exist.

I do not know what to do. Rebuild IPsec or Client Tunnel? (PS: peer device is CISCO)

Thank you all !

   

3 Replies
XBensemhoun
Employee
Employee

Well, first of all, I would open a SR with the Support with cpinfo files from each Security Gateways and the SMS.

Waiting their answer, I would look at some evidence onto debug files. Did you looked at VPN debug files ?

Information Security enthusiast, CISSP, CCSP
0 Kudos
Gary_Lai
Participant

VPN debug?  is vpn tu?

Thank you.

0 Kudos
XBensemhoun
Employee
Employee

No : I mean using sk33327 How to generate a valid VPN debug, IKE debug and FW Monitor, skI4326 Enabling IKE and VPN debugging and sk30994‌ What is the IKEView utility?

Information Security enthusiast, CISSP, CCSP
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events