geza
Explorer

VPN Site to Site down

Hi there to you all,

 

I face a rather annoying situation.

Our client has bought several SMB Appliances for protection and safe routing through VPN Site to Site communication.

We implemented a Star network topology with those appliances.

The star is on our private cloud (it is on a vm) and the satellites are centrally managed through Smart-1 Cloud.

Well, everything was good till yesterday, when the VPN tunnel could not be established; the negotiation fails on Main Mode packet 5-6 with "INVALID-COOKIE".

Also, we followed sk126092, but it did not work for us.

The appliances were a cluster of two 1600 SMBs.

The weird thing is that Smart-1 Cloud says that it has "issues": "IPSec VPN blade is about to expire Jun 26, 2023 (Evaluation)", when on the appliance itself everything seems ok: "IPSec, expiration Never, Service CPSB-VPN"

I suspect that this is a glitch on Smart-1 Cloud because when I check "Licenses" in the tab below for each member of the cluster, it says that "127.0.0.1 Never 00-1C-... CPAP-AP1600 CPSG-C-12-U CPSB-FW CPSB-VPN CPSB-IA CPSB-SSLVPN-500 CPSB-ADNC CPSB-ADNC-M..."

Any ideas?

 

Update: we are in the third "phase" of escalation but with no result so far.

It seems that the licensing "problems" are just "cosmetics" and have nothing to do with the real problem that causes the IKE rejection.

We have already renewed our certificates, to no avail.

We created brand new certificates and installed them, also to no avail.

 

Please, we need your ideas!!! 

Help!

4 Replies
PhoneBoy
Admin

What firmware release is being used here?
Also, have you attempted any debugging steps here? https://support.checkpoint.com/results/sk/sk62482 

geza
Explorer

Hi there PhoneBoy,

 

The current firmware version is R81.10 (996000575).
I followed the steps in the sk and had a session with a Checkpoint Engineer (3rd escalation), but to no avail.

Thank you for your effort anyway,

I would appreciate any other ideas!

PhoneBoy
Admin

Do you have the exact set of symptoms in sk126062?
Otherwise, those remediation steps won't work and deeper debugs will be required.
Did you actually take the debugs as specified in sk62482 and provide these to TAC?

geza
Explorer

Yes and yes.

Thanks again for your effort!
