Ivory

IPSec VPN tunnel stuck at phase 1 ESP traffic dropped

Hi all,


So, we're currently having an issue with our IPSec VPN tunnel, where all of the tunnels are stuck at phase 1 when I check the status in SmartView Monitor. Btw, we are using ClusterXL with two cluster members (80.20 gateways).

The log for outbound traffic via the IPSec tunnel shows encrypted status, but there is no inbound traffic.

Our log indicates that ESP traffic is dropped with "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found", and there is also an error regarding Unknown SPI.

I looked for the list of IKE and IPSEC SAs using "vpn tu" on the active cluster member (FW-1). It showed nothing. There are no IKE and IPSEC SAs on the active cluster member. But on the standby member (FW-2), it showed the list of IKE and IPSEC SAs.

I tried to bring up the standby member (FW-2), but the error is still the same. Now it's the opposite. The IPSEC and IKE SAs did not show up on FW-1 (active member), but they were present on FW-2 (standby member).

Now I'm thinking about disabling and enabling the IPSec VPN software blade for the cluster. What do you think of this?

I kindly need your help and advice regarding this issue.

0 Kudos
2 Replies

Our log indicates that ESP Traffics are dropped and "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found" and there is also error regarding Unknown SPI.

The other end doesn't realize the tunnel is dead and is continuing to send traffic referencing a tunnel that no longer exists on the Check Point side. The other end needs to reset its tunnels. This is most typically caused in an interoperable VPN scenario where "Delete SA" notifications are not being handled properly between the peers after a peer gateway restarts, or where the IKE Phase 1 and Phase 2 SA timers do not match between the two sides.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
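To turn the two symptoms above (the "Unknown SPI" / "IPsec SA ... could not be found" drops, and a peer that is only ever encrypted to and never decrypted from) into something checkable, here is a small log-triage script. It is an added example, not code from the thread or from Check Point: the log lines are constructed to mimic the quoted drop reasons (the `action src= dst= proto= spi= reason= peer=` layout is an assumption, not the real log format), and the lifetime comparison takes plain dictionaries of Phase 1 / Phase 2 lifetimes in seconds that you would fill in from each side's VPN community settings.

```python
import re
from collections import Counter

# Constructed sample log lines for this example. They mimic the two drop
# reasons quoted in the thread but are NOT real Check Point log output.
SAMPLE_LOG = """\
2020-05-12T10:01:03 drop src=203.0.113.10 dst=198.51.100.1 proto=esp spi=0x1a2b3c4d reason="Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found"
2020-05-12T10:01:04 drop src=203.0.113.10 dst=198.51.100.1 proto=esp spi=0x1a2b3c4d reason="Unknown SPI"
2020-05-12T10:01:05 encrypt src=10.1.1.5 dst=10.2.2.7 proto=tcp peer=203.0.113.10
2020-05-12T10:01:09 drop src=203.0.113.10 dst=198.51.100.1 proto=esp spi=0x1a2b3c4d reason="Unknown SPI"
2020-05-12T10:02:10 decrypt src=203.0.113.20 dst=198.51.100.1 proto=esp spi=0x99887766 peer=203.0.113.20
2020-05-12T10:02:11 encrypt src=10.1.1.9 dst=10.3.3.3 proto=tcp peer=203.0.113.20
"""

# Assumed line layout: "<timestamp> <action> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Substrings of the drop reasons that mean "no SA matches this SPI".
STALE_SA_MARKERS = ("unknown spi", "could not be found")


def parse_line(line):
    """Turn one log line into a dict of fields; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "action": m.group("action")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def stale_spi_drops(log_text):
    """Count ESP drops whose reason says the SPI has no SA, keyed by (sender, spi).

    A high count for one (sender, spi) pair is the signature of a peer still
    sending on a child SA that this side no longer has.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "drop" or rec.get("proto") != "esp":
            continue
        reason = rec.get("reason", "").lower()
        if any(marker in reason for marker in STALE_SA_MARKERS):
            counts[(rec["src"], rec["spi"])] += 1
    return dict(counts)


def one_way_peers(log_text):
    """Peers we encrypt to but never decrypt from: the 'outbound only' symptom."""
    encrypt_to, decrypt_from = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "peer" not in rec:
            continue
        if rec["action"] == "encrypt":
            encrypt_to.add(rec["peer"])
        elif rec["action"] == "decrypt":
            decrypt_from.add(rec["peer"])
    return sorted(encrypt_to - decrypt_from)


def lifetime_mismatches(local, remote):
    """Return the Phase 1 / Phase 2 lifetime keys (seconds) that differ between two peers."""
    keys = ("ike_phase1_lifetime", "ipsec_phase2_lifetime")
    return sorted(k for k in keys if local.get(k) != remote.get(k))


if __name__ == "__main__":
    print("stale SPI drops:", stale_spi_drops(SAMPLE_LOG))
    print("one-way peers:", one_way_peers(SAMPLE_LOG))
    # Hypothetical settings for the two sides of one tunnel.
    print("lifetime mismatches:", lifetime_mismatches(
        {"ike_phase1_lifetime": 86400, "ipsec_phase2_lifetime": 3600},
        {"ike_phase1_lifetime": 28800, "ipsec_phase2_lifetime": 3600}))
```

Run against an export of the relevant log window, the (sender, SPI) counter tells you which remote gateway is still using a stale SA, and the one-way list confirms whether the problem is limited to a single peer or affects every tunnel, which is the distinction between a peer-side "Delete SA" handling problem and a local cluster-wide SA state problem.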

Hello everybody,

I confirm this behavior on version 80.30 take 191.
The VPN solution is very unstable.

For stability, I clear all IKE+IPSEC SAs via 'vpn tu' every week.

0 Kudos