This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JohnW1
Explorer
‎2022-10-27 09:21 AM

No data on receiving end in site-to-site VPN

I’m migrating the firewall in one of my networks from an ASA to a Checkpoint 6400 running R81.10 (HFA 78 is installed) and used SmartMove to migrate the config. 

Internally, everything works great, but I’m running into an issue with the VPN connection to one of my other sites. 

I have a star community configured and the other site is a 4800 running R77.30 that I do not control. I’m seeing an SA establish and then a number of child SAs form, but the other site does not see any traffic coming out of the tunnel. I also do not see any data traffic coming from them. 

I see the expected traffic in the logs showing up as action:encrypt, so I feel pretty certain that I’m sending the right traffic into the tunnel. In monitoring outbound traffic at my border router, I only see UDP 500 traffic headed to the other gateway’s address, so that also looks to my like traffic is correctly entering the tunnel. 

The only change the other site made was changing the gateway object to a Checkpoint device. I’m out of ideas here for possible problems or troubleshooting tools. Any thoughts on what else could cause this? 

0 Kudos
1 Reply
the_rock
Legend
Legend
‎2022-10-27 12:19 PM

Few questions...

How did you configure other side of the tunnel (the 4800) object? As interoperable or externally managed CP object?

Does phase 1 show as up or no via vpn tu or sv monitor?

Any change if you reset VPn tunnel?

Do you see anything if running tcpdump -nni any host 1.2.3.4 (or whatever other side external IP is) and proto 50

so say other side is 20.30.40.50, run tcpdump -nni any host 20.30.40.50 and proto 50

Have you tried running simple vpn debug and reviewing vpnd.elg and ike.elg files

vpn debug trunc

vpn debug ikeon

try generate some traffic

vpn debug ikeoff

get ike.elg and vpnd.elg files from $fWDIR/log

Ping me privately, happy to do remote and help you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events