This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Cimpeanu
Collaborator
‎2024-02-13 06:16 PM
Jump to solution

One-way IPSec tunnel between 4800 cluster and Quantum Spark 1575

Hi,

I'm struggling to get a VPN tunnel properly up and running; one appliance (4800 cluster) is running on R77.30, the second is a Quantum Spark 1575 on R81.10. 

IPSec from Spark appliance towards networks behind the 4800 cluster works, but not the other way around. SIC is established, VPN certificates are renewed. I see both IKE SA and SPI's on the 4800 for the Spark appliance, yet traffic still doesn't go through.

Key install log entry gives me "Informational Exchange Sent Delete IPSEC-SA to Peer:x.x.x.x"

 

I'm completely out of ideas in regards to troubleshooting. Both being Checkpoint gateways in the same VPN community, i would expect mismatch in IPSec parameters to not be an issue.

 

Any advice on how to proceed with troubleshooting? 

 

Thanks,

Daniel

 

 

0 Kudos
1 Solution

Accepted Solutions
AmirArama
Employee
Employee
‎2024-02-18 07:04 AM
Jump to solution

if VPN tunnels are UP, (vpn tu/ vpn tu tlist) but traffic is not flow to the other side:

run traffic capture on both sides.

'fw monitor' to see the actual lan to lan traffic on the initiator side. verify that traffic was encrypted through the tunnel ('vpn tu conn - - - - -' ), and if seems ok, check it also on the receiver side.

run: 'tcpdump'/'cppcap' on the esp or nat-t packets (in case nat device in the middle).

make sure esp/nat-t packets are sent out from the initiator side GW from the correct interfaces. then look if those packets received on the receiver side GW, if not, something probably dropped it in the middle. if it received in the other side, check if it isn't blocked by 'fw ctl zdebug + drop' (break with ctrl+C + reset debug with 'fw ctl debug 0')

if for any reason traffic is not encrypted for example on the initiator side, and it's not dropped. run VPN kernel debug / open TAC.

p.s not sure if all those commands was there in R77.30, as it's very old version.

View solution in original post

4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-02-14 04:14 AM
Jump to solution

The 4800 appliance is out of support since Jun-2022 and R77.30 since September 2019 - do you still have a valid support contract ?

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Daniel_Cimpeanu
Collaborator
‎2024-02-16 03:42 AM
In response to G_W_Albrecht
Jump to solution

Hi,

Indeed, support is expired. Issue seems to have been on the routers/switches in front of the Spark Cluster, I'm still not yet up and running with the cluster as expected, currently using a single appliance - but services are good for now.

It seems I have focused too much on finding an issue on the appliances themselves instead of challenging the other network devices that I've been told to be properly configured - lesson learned, assumption is the mother of f*ckups 😕 

0 Kudos
AmirArama
Employee
Employee
‎2024-02-18 07:04 AM
Jump to solution

if VPN tunnels are UP, (vpn tu/ vpn tu tlist) but traffic is not flow to the other side:

run traffic capture on both sides.

'fw monitor' to see the actual lan to lan traffic on the initiator side. verify that traffic was encrypted through the tunnel ('vpn tu conn - - - - -' ), and if seems ok, check it also on the receiver side.

run: 'tcpdump'/'cppcap' on the esp or nat-t packets (in case nat device in the middle).

make sure esp/nat-t packets are sent out from the initiator side GW from the correct interfaces. then look if those packets received on the receiver side GW, if not, something probably dropped it in the middle. if it received in the other side, check if it isn't blocked by 'fw ctl zdebug + drop' (break with ctrl+C + reset debug with 'fw ctl debug 0')

if for any reason traffic is not encrypted for example on the initiator side, and it's not dropped. run VPN kernel debug / open TAC.

p.s not sure if all those commands was there in R77.30, as it's very old version.

Daniel_Cimpeanu
Collaborator
‎2024-02-20 01:58 PM
In response to AmirArama
Jump to solution

Hi @AmirArama ,

Thanks a lot for the info, I will for sure be using this for similar cases in the future.

/Daniel

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events