Participant

ESP traffic dropped by remote party

Hi CheckMates,


In a Cluster environment (R80.30) we have a new internet connection and our first task is to migrate the VPNs to the second internet connection. We successfully did that for multiple VPNs now, but only 2 VPNs have the same issue. I have to say that the new internet connection is a little bit special, since the IP address of the external interface is used for a transit network with our ISP. The real public IP is on another interface and the ISP routes it to the firewall cluster.

For the last 2 VPNs, we do successfully get a P1 and P2. Also the remote party is able to send traffic to us. We can see that traffic in the logs getting decrypted and confirmed that with a packet capture on the Check Point. Unfortunately all the traffic we send to the remote party is dropped on the Cisco ASA because the ESP traffic is received from our new external interface IP (the IP used for transit between our Check Point and ISP).

So this is a legitimate reason to drop our traffic of course. But how can we force the Check Point to send ESP packets with the right source IP address? Why do only 2 of the 7 VPNs have this issue?

I first thought that it had something to do with routing or link selection. But if that is the case, I do not understand why this setup works for the other 5 VPNs.

Thank you in advance!

Regards,

Wesley
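One way to confirm the symptom from the gateway side is to audit a capture for outbound ESP whose source is the transit address rather than the public VPN address, which is exactly what the remote ASA rejects. The script below is an added example, not from the thread or from Check Point; the addresses and the tcpdump-style lines are constructed, and the peer IPs are assumed.

```python
import re
from collections import defaultdict

# Assumed, constructed addresses (not the thread's real IPs): the interface
# address on the ISP transit network and the real public IP routed to the cluster.
TRANSIT_IP = "198.51.100.2"
VPN_IP = "203.0.113.10"
LOCAL_IPS = {TRANSIT_IP, VPN_IP}

# Constructed tcpdump-style lines standing in for a capture on the gateway.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10 > 192.0.2.20: ESP(spi=0x0000a1b2,seq=0x1), length 132
12:00:01.000500 IP 192.0.2.20 > 203.0.113.10: ESP(spi=0x0000c3d4,seq=0x1), length 132
12:00:02.000001 IP 198.51.100.2 > 192.0.2.30: ESP(spi=0x0000e5f6,seq=0x7), length 180
12:00:02.000400 IP 192.0.2.30 > 203.0.113.10: ESP(spi=0x00001234,seq=0x7), length 180
12:00:03.000001 IP 203.0.113.10 > 192.0.2.20: ESP(spi=0x0000a1b2,seq=0x2), length 132
"""

ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)")


def parse_esp(capture):
    """Yield (src, dst, spi) for every ESP packet line; non-ESP lines are skipped."""
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3), 16)


def audit_esp_sources(capture, vpn_ip, local_ips):
    """Map each remote peer to the set of wrong local source IPs used towards it.

    A peer that only accepts ESP from vpn_ip will drop anything sourced from
    another local address, so every entry here is a tunnel that negotiated
    fine but passes traffic in one direction only.
    """
    bad = defaultdict(set)
    for src, dst, _spi in parse_esp(capture):
        if src in local_ips and src != vpn_ip:   # outbound packet, wrong source
            bad[dst].add(src)
    return dict(bad)


if __name__ == "__main__":
    for peer, srcs in audit_esp_sources(SAMPLE_CAPTURE, VPN_IP, LOCAL_IPS).items():
        print(f"peer {peer}: ESP sourced from {sorted(srcs)} instead of {VPN_IP}")
```

Peers listed by the audit are the ones whose Link Selection or outgoing-interface settings deserve a second look; peers absent from it are being sent ESP from the expected address.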

5 Replies
Champion

Please post the settings from these screens in your configuration, feel free to redact IP addresses as needed. Also, is the Main Address on the General Properties screen of the firewall/cluster object set to the transit address or the VPN IP address? Are any of the other working 5 VPNs Cisco?

VPN_Link.jpg

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Participant

Hi Timothy,

The IP address shown in SmartConsole is an RFC1918 address which is used for the MPLS connection to branch offices. There is also a VPN configured on this interface with the branch offices.

LinkSelection.PNG

Above you find our current settings. TAC advised us to change the Respond Traffic setting to "use outgoing traffic configuration" instead of "Reply from the same interface".

I thought that these were the only VPNs with a Cisco device, but I am not 100% sure.


Regards,

Wesley

Champion

On the Interoperable Device objects representing the Ciscos that are having the problem, what is Link Selection set for there?

Participant

All tunnels are IKEv1.