Andrew
Participant

Strange behaviour after R80.20 upgrade

Hi,

After completing an in-place upgrade of our ClusterXL pair from R80.10 to R80.20, we are now experiencing some VPN traffic issues.

We have 14 VPN tunnels between Cisco 887 routers (all in the same community) and they were all working perfectly prior to the upgrade.

After the upgrade we are seeing the following 2 scenarios:

Issue 1: GRE Tunnels stop working when a policy is installed. (Similar to issue 2)

Configuration:

[GRE Router] – [FW CLUSTER] ------- vpn ------- [Cisco 887] --- [Cisco switch]

             |___________________  GRE Tunnel   ___________________|

 

When a policy is installed, the sites that utilize a GRE across the VPNs stop working. They will start working again after a variable time, ranging from several minutes to hours.

I can get them working immediately again by failing the cluster to the standby member. I can then fail back and everything keeps working.

While it is experiencing the Issue:

- SSH through the VPN works to the Cisco 887 devices. 

- Pings work to the Cisco switch interface.

- Other traffic does not get to the Cisco Switch interface. The Cisco switch interface is the GRE tunnel end point so GRE tunnel drops.

 

Issue 2: VPN Sites with only a Cisco 887

Configuration:

[FW CLUSTER] ------- vpn ------- [Cisco 887] – [Devices e.g. UPS, Cardax]

All VPN links are stating they are up and ping traffic works to all devices. Several sites (not all) are having the below issues where traffic does not work.

- SSH and telnet to the Cisco 887 across the VPN does not work.

- Telnet, SSH and HTTP do not work to the UPS connected to the Cisco 887.

- Ping is successful across the VPN to the Cisco 887 and the UPS.

- Disabling SecureXL – all the above traffic works

- Enabling SecureXL – New connections stop working. Existing sessions (e.g. SSH) continue to work.

The following will usually resolve the issue:

- selecting ‘vpn tu’ - Option 7 – Delete all IPsec+IKE SAs for a given peer (GW)

Sometimes the above doesn't work, and it may work by selecting option 5 after doing option 7.

 

I have just logged a case with Check Point.

If anyone has any ideas or has seen this before, I'd appreciate any assistance, as I'm not sure what to do next.

Also:

Rebooting the Cisco 887 does not resolve the issue.

Both firewalls in the cluster have been rebooted (they were done separately – I have not rebooted both at the same time).

 

0 Kudos
1 Solution

Accepted Solutions
Andrew
Participant
0 Kudos
4 Replies
Andrew
Participant
0 Kudos
andy_currigan
Contributor

Hi Andrew,

After upgrading to R80.20 I experience Issue 1: GRE Tunnels stop working when a policy is installed.

Did you find a solution?

Thanks.

andy

0 Kudos
andy_currigan
Contributor
Forgot to mention that the VPN in our case is not ended on our Check Point, so the SK you mention can't be the solution in our case.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk148872
0 Kudos
Andrew
Participant

Hi Andy,

SK148872 resolved our issue.

Check Point support worked through our issue to get to the resolution.

 

Good luck.

 
