
No data on receiving end in site-to-site VPN

I’m migrating the firewall in one of my networks from an ASA to a Checkpoint 6400 running R81.10 (HFA 78 is installed) and used SmartMove to migrate the config. 

Internally, everything works great, but I’m running into an issue with the VPN connection to one of my other sites. 

I have a star community configured and the other site is a 4800 running R77.30 that I do not control. I’m seeing an SA establish and then a number of child SAs form, but the other site does not see any traffic coming out of the tunnel. I also do not see any data traffic coming from them. 

I see the expected traffic in the logs showing up as action:encrypt, so I feel pretty certain that I’m sending the right traffic into the tunnel. In monitoring outbound traffic at my border router, I only see UDP 500 traffic headed to the other gateway’s address, so that also looks to me like traffic is correctly entering the tunnel. 

The only change the other site made was changing the gateway object to a Checkpoint device. I’m out of ideas here for possible problems or troubleshooting tools. Any thoughts on what else could cause this? 

0 Kudos
1 Reply

Few questions...

How did you configure other side of the tunnel (the 4800) object? As interoperable or externally managed CP object?

Does phase 1 show as up or no via vpn tu or sv monitor?

Any change if you reset the VPN tunnel?

Do you see anything if running tcpdump -nni any host (or whatever other side external IP is) and proto 50?

so say other side is, run tcpdump -nni any host and proto 50

Have you tried running a simple vpn debug and reviewing the vpnd.elg and ike.elg files?

vpn debug trunc

vpn debug ikeon

try generate some traffic

vpn debug ikeoff

get ike.elg and vpnd.elg files from $FWDIR/log

Ping me privately, happy to do remote and help you.

0 Kudos
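An added example (my own code, not from the poster or the reply) that applies the reply's tcpdump check to captured output: it sorts packets between the two gateways into IKE (isakmp on UDP 500/4500) and ESP (proto 50 or UDP-encapsulated) per direction, so the "UDP 500 only, no data" symptom in the question shows up as a verdict instead of being eyeballed. The gateway addresses and capture lines are constructed, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nni any host <peer> and (udp port 500 or proto 50)` output,
# using documentation-range addresses; it is not a real capture from the thread.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
10:01:02.200 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
10:01:02.300 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: child_sa  ikev2_auth[I]
10:01:02.400 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: child_sa  ikev2_auth[R]
10:01:09.000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: child_sa  child_sa[I]
10:01:09.100 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: child_sa  child_sa[R]
"""

# Matches the "IP src[.port] > dst[.port]: payload" part of a tcpdump -nn line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<payload>.*)$"
)

def classify(payload: str) -> str:
    """Bucket a tcpdump payload summary as IKE control traffic, ESP data, or other."""
    if "ESP(" in payload:       # native proto 50 and NAT-T "UDP-encap: ESP(" alike
        return "esp"
    if "isakmp" in payload:     # UDP 500/4500 IKE: SA negotiation, child SAs, DPD
        return "ike"
    return "other"

def tunnel_status(capture: str, local: str, peer: str) -> dict:
    """Count IKE and ESP packets per direction between local and peer, then give a verdict."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or {m["src"], m["dst"]} != {local, peer}:
            continue
        direction = "out" if m["src"] == local else "in"
        counts[(classify(m["payload"]), direction)] += 1
    esp_out, esp_in = counts[("esp", "out")], counts[("esp", "in")]
    ike = counts[("ike", "out")] + counts[("ike", "in")]
    if ike == 0 and esp_out + esp_in == 0:
        verdict = "no_ike"             # nothing between the gateways at all
    elif esp_out + esp_in == 0:
        verdict = "ike_only"           # SAs negotiate, but no packet is ever encrypted
    elif esp_in == 0:
        verdict = "esp_outbound_only"  # we encrypt; the peer never sends ESP back
    elif esp_out == 0:
        verdict = "esp_inbound_only"
    else:
        verdict = "esp_bidirectional"
    return {"ike": ike, "esp_out": esp_out, "esp_in": esp_in, "verdict": verdict}

if __name__ == "__main__":
    print(tunnel_status(SAMPLE_CAPTURE, local="203.0.113.10", peer="198.51.100.20"))
```

An "ike_only" verdict on the poster's capture matches what they describe (SA and child SAs up, nothing in the tunnel) and points the investigation at what each gateway believes the encryption domain is rather than at reachability; "esp_outbound_only" would instead point at the remote side.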