This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
Advisor
‎2020-02-10 01:24 AM

GRE traffic not shown in log

Hi all,

Two weeks ago, I migrated a R77.30 cluster on 12200 appliances to a R80.30 cluster on 6500 appliances. Installed jumbo hotfix is take 111.

It was an advanced migration, so we installed a new SmartCenter, exported the database from R77.30 to R80.30 with the R80 migration tools and imported the database with the same migration tools. Rule base, IP interfaces and routes did not changed. Also nothing was changed on the network.

The migration was successful and no problems where reported. But we have one strange issue with the log of GRE tunnels. 

Customer has several GRE tunnels passing the Check Point gateway (so Check Point is not an endpoint for these GRE tunnels) and these GRE tunnels are working fine.  But we do not see any logs regarding GRE in SmartLog. Even when the GRE tunnel is initiated again. We can see the traffic with tcpdump and fw monitor, but SmartLog remains empty.

When we look at SmartLog from the old R77.30 environment (we still have access to the old SmartCenter) we can see logs regarding GRE. 

Has anyone seen this before on R80.30? I have a case open with Check Point support, but the chances are we need to run a debug and initiate the GRE tunnel again. And initiating the GRE tunnel causes a big impact on the customers processes.

So I hope one of you has seen this before and has a solution that does not involve initiating the tunnel again.

Thanks.

Regards, 

Martijn.

 

11 Replies
PhoneBoy
Admin
Admin
‎2020-02-11 02:04 PM

Hadn’t heard of this being an issue.
It likely needs to be debugged to find the root cause, though.
0 Kudos
Gomboragchaa
Advisor
‎2020-02-11 05:55 PM

As far I know on R80.10 catch GRE Tunnel connection logs.

Check the GRE-47 protocol on services and rule log configurations 🙂

0 Kudos
Martijn
Advisor
Advisor
‎2020-02-14 01:18 AM

Hi,

We maybe have an idea of what is going on and would like to know how you think of this idea.

In the R77.30 setup, the VPN blade was enabled because in the past the Check Point cluster was used for VPN tunnels. In the new R88.30 setup, the VPN blade is disabled because the Check Point cluster is not used for VPN tunnels anymore.

Maybe the VPN blade is needed for the logging of GRE traffic even Check Point is not an endpoint for the GRE tunnels.

I have asked this question also on the support engineer, but maybe one of you has the answer.

Regards,

Martijn.

JanVC
Collaborator
‎2020-03-09 10:06 AM
In response to Martijn

we have the exact same issue, GRE is not shown in smartlog but is visible in tcpdump

VPN blade is active on this cluster

R80.30 jumbo 111

John_Fleming
Advisor
‎2020-03-09 11:32 AM

Can you tell how long the GRE tunnel has been up? I'm thinking the only time you're going to see GRE logged is the first time a connection is built and state is created. Once state is created I wouldn't expect to see logs again.

If you know how long the GRE tunnel has been up then you could go to that log file and search there.

The other option, which you said isn't really an option, would be to down one of the GRE tunnels long enough for it to be removed from state table and then bring it back up. 

JanVC
Collaborator
‎2020-03-09 11:53 AM
In response to John_Fleming

I don't have access to the devices terminating the gre tunnel, so I can't verify the uptime myself.
Searching the logs for the last 7 days doesn't return any results for the IP's I can see talking gre to eachother.

In the logs I do see gre traffic for other hosts over an ipsec tunnel, so it's not that I don't see any gre in general, just not for those hosts in perticular.
Martijn
Advisor
Advisor
‎2020-03-10 03:21 AM

Hi all,

Thanks for all the replies.

We have tested by enabling the VPN blade, but this did not help. So we disabled the VPN blade again.

We have a case with support and they asked to check SmartView Tracker to see if GRE traffic was seen there. This was not the case. Now R&D is involved and we wait for an answer about GRE logging in R80.30. Was something changed in the code? We did not get an answer yet.

Maybe we will install take 155, but I cannot see anything relevant in the release notes, so not sure if this will fix our problem.

Customer has a test setup, so we can reset a GRE tunnel when we want to. The GRE tunnels comes up after resetting, but SmartLog remains empty.

I hope to get an answer from R&D soon and maybe a debug plan to investigate.

I will keep you posted.

Regards,

Martijn

0 Kudos
John_Fleming
Advisor
‎2020-03-10 09:20 AM
In response to Martijn

one of my colleages setup a small replication. R80.30 no jumbo hotfix and setup to cisco routes between them. At first we weren't seeing GRE in the logs but after flipping around a few setting we're now seeing the GRE logs. We're not sure if we just missed something at first. 

What we did was enable implied rule logging.

make a specific rule with GRE in it.

blocked GRE. <- started seeing logs here.

Clear connections table.

Go back to GRE rule with accept. Got logs.

blocked GRE. Got logs

Set final rule to allow (basically match an any service) and still got logs.

We also turned off implied rules, cleared connections table and still got logs.

 

I highly doubt that helps but we tried. 🙂

 

0 Kudos
Martijn
Advisor
Advisor
‎2020-03-10 10:21 AM
In response to John_Fleming

John,

Thanks for the information.

Customer send me an email telling me they are seeing GRE traffic in now. They did not change anything and no new software was installed. But from March 4th, GRE traffic is visible in SmartLog.

When they look to see what was change, they see the following in the log:

Time:                           2020-03-04T01:03:29Z

Id:                             ac130f8c-b416-a50b-5e5e-fe61db540000

Sequencenum:                    42

Subject:                        Revision Control

Operation:                      Publish

Client IP:                      xxx.xxx.xxx.xxx

Administrator:                  System

Session Name:                   Global Domain Assignment

Session Description:            Global Domain Assignment

Mobile Access Session UID:      9769fac6-d5a9-4e75-a7ee-50ee079c283a

Sendtotrackerasadvancedauditlog:0

Changes:                        41 Objects were changed

Type:                           Audit

Application:                    SmartConsole

Origin:                         XXXXXXXXXX

Product Family:                 Network

Marker:                         @A@@B@1583276400@C@43

Log Server Origin:              xxx.xxx.xxx.xxx

Orig Log Server Ip:             xxx.xxx.xxx.xxx

Duplicated:                     1

Severity:                       Informational

Stored:                         true

Description:                    Publish was performed by System

Not sure what this means and what those 41 objects are. I have asked support if this is relevant somehow.

Regards,

Martijn

0 Kudos
John_Fleming
Advisor
‎2020-03-10 11:18 AM
In response to Martijn

This is a policy edit not a firewall log for traffic passing from the looks of it.

0 Kudos
Martijn
Advisor
Advisor
‎2020-04-17 01:29 AM

Hi,

We installed take 155 on R80.30 and customer is now seeing GRE traffic in SmartLog.

The debug created by TAC did not provided a cause of the issue and the need more to investigate. But this is not needed anymore with take 155 because it works.

Regards,

Martijn.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events