This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rozkie20
Contributor
4 weeks ago
Jump to solution

VPN site to site fwconn_key_init_links (OUTBOUND) failed

 

Hello everyone,

We are currently migrating a Site-to-Site VPN between two Check Point 1555 gateways from locally managed mode to centrally managed mode via SmartConsole (SMS).

Site details:

Branch Gateway (CP-1555)

  • Public IP: 192.168.168.201 (connected to SMS via public IP)

  • Encryption Domain: 10.17.36.0/24

Head Office Gateway (CP-1555)

  • Public IP: 192.168.168.156

  • Interface connected to SMS: 10.17.30.6

  • Encryption Domain: 10.17.31.0/24, 10.17.34.0/24, 10.17.38.0/24, 10.17.4.0/24, ...

After configuring the VPN Community and Encryption Domains, we are unable to establish the VPN tunnel. The following log appears in fw ctl zdebug drop:

@;510065576;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.168.156:500 -> 192.168.168.201:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

In SmartView Monitor, the VPN tunnel mostly shows as Down, though occasionally it briefly appears as Up.

We noticed that the Branch Gateway is attempting to connect to the Head Office gateway via the private interface (10.17.30.6) instead of the public IP (192.168.168.156).

Since this is a migration, I suspect there might be a conflict between the previous locally managed VPN configuration and the new centrally managed setup. I have collected advanced VPN debug logs, but I am not sure how to interpret them.

Has anyone faced a similar issue or can share experience with analyzing these debug logs?
Any guidance would be greatly appreciated.

BR,

Tin Tran

0 Kudos
1 Solution

Accepted Solutions
rozkie20
Contributor
3 weeks ago
In response to AkosBakos
Jump to solution

Opened case with TAC. Because we use one Public IP for management and VPN so it conflict when remote gateway try to negotia VPN with SMS so we have try to use another Public IP so this issue was fixed

View solution in original post

0 Kudos
4 Replies
AkosBakos
MVP Silver
MVP Silver
4 weeks ago
Jump to solution

Hi,

Have you check this sk?

https://support.checkpoint.com/results/sk/sk106682

Because of the local > central migration, the Global Properties differ. But before you change anything in the Global Properties, consider the impact of the change.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
rozkie20
Contributor
4 weeks ago
In response to AkosBakos
Jump to solution

Hi Akos,

This feature already enable on R82 Screenshot_1.png

0 Kudos
rozkie20
Contributor
3 weeks ago
In response to AkosBakos
Jump to solution

Opened case with TAC. Because we use one Public IP for management and VPN so it conflict when remote gateway try to negotia VPN with SMS so we have try to use another Public IP so this issue was fixed

0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago
Jump to solution

Hey there,

Are you able to check if it fails on phase 1 or 2? Because on phase 1, it would be more related to most likely enc settings/PSK, but if its phase 2, then usually its something with VPN enc. domains. Just run vpn tu and check there or one of below:

vpn tu list ike
vpn tu list ipsec
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
vpn tu list tunnels
vpn tu tlist
vpn tu mstats
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del ipsec ip-addr from ip-addr to ip-addr
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
vpn tu del ip-addr from ip-addr to ip-addr
vpn tu conn

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events