faheb1
Explorer

VPN traffic getting blocked

Hi
I'm getting this problem:

Source: Print Server(172.20.15.52)

Dest: Printer(192.168.15.210)

Src and Dst are under a Site to site VPN.

I have checked the logs. I have attached the logs. What might be the issue?

There are other logs which seem to be allowed; check the 4.log image.

Firewall: Checkpoint SMB Appliance 910
Firmware: R77.30
0 Kudos
9 Replies
Piet_vd_Maas
Contributor

2.logs.png shows an IKE failure.

Is other traffic working through that VPN tunnel?

0 Kudos
faheb1
Explorer

I have seen one log showing that ICMP/ping is working, but I can't find the log now.

Besides, the Log4 image shows that some traffic is flowing; however, the majority is getting blocked for that destination. What should I check? Recently the peer gateway IP was changed; after that we are having this problem. My client tried a traceroute from his IP:

Source: 172.20.15.76

FW LAN: 192.168.50.54 (from Core Switch)

C:\Users\scanpp>tracert 192.168.15.210

Tracing route to 192.168.15.210 over a maximum of 30 hops

1 1 ms 2 ms 1 ms 172.20.15.1
2 <1 ms * * 172.20.15.2 (Core Switch)
3 <1 ms <1 ms <1 ms 192.168.50.54 --- FW
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12

0 Kudos
faheb1
Explorer

[Expert@ScanConnectFW02]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

4

Enter IP of peer (format: xxx.xxx.xxx.xxx): A.A.A.A

Peer A.A.A.A SAs:

1. SPI's related to IKE SA <20012e163a402797,684343b0201ad46e>:

2. SPI's related to IKE SA <24e22e54dfdc23ea,74aa4a4a736e535f>:

3. SPI's related to IKE SA <d27a77ee1af9ceda,73239d6b0a6514c3>:

4. SPI's related to IKE SA <72b61a621efe15d6,26f908e01a73194f>:

 

Hit <Enter> key to continue ...

0 Kudos
AndréTinoco
Contributor

Phase2 doesn't seem to be completed. Can you check logs between the two public addresses (of the vpn peers) to see the VPN negotiation?

Confirm the P2 configuration on both sides and confirm the networks are also the same on both sides. Also confirm you have security rules on your side for that traffic.

0 Kudos
Piet_vd_Maas
Contributor

Is your issue solved?

0 Kudos
faheb1
Explorer

I have used IKEView and found that Phase 1 (P1 main mode) is OK but Phase 2 QM Packet 1 has errors. I have asked the remote gateway admin to share the config. Need to cross-check if there are any changes in their side's config.

Can someone tell me why egress traffic is failing but ingress traffic is getting in?

0 Kudos
the_rock
Champion

Phase 2 is, in my experience, always an issue with VPN domains not being presented properly or supernetting. Make sure that the remote gateway interoperable object is set with the right encryption domain.

0 Kudos
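The failure mode faheb1 and the_rock describe above, Phase 1 completing but Quick Mode packet 1 being rejected because the two gateways do not agree on the encryption domains, can be modelled offline. The following Python is an added example, not code from the thread or from Check Point: it takes constructed encryption domains (the thread only names the two hosts 172.20.15.52 and 192.168.15.210; the /24 subnets, the /16 supernet on the peer side and the strict-responder behaviour are assumptions), builds the proxy-ID pair an IKEv1 initiator would propose in QM packet 1 for that flow, and checks it the way a responder that insists on an exact subnet-pair match would. Real gateways may accept a narrower selector inside a declared supernet depending on their supernetting settings; the example models the strict case, which is the one that produces a Phase 2 error with a healthy Phase 1.

```python
"""Added example (not from the thread): model an IKEv1 Quick Mode proxy-ID
check between two site-to-site VPN peers to see why Phase 2 can fail while
Phase 1 completes. All subnets below are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Constructed encryption domains. The thread only names the two hosts;
# the /24s, and the /16 supernet on the peer side, are assumptions.
LOCAL_DOMAIN = ["172.20.15.0/24", "192.168.50.0/24"]     # what our gateway protects
PEER_DOMAIN_AS_WE_SEE_IT = ["192.168.15.0/24"]           # peer object on our side
PEER_DOMAIN_AS_PEER_DECLARES = ["192.168.0.0/16"]        # peer's own configuration
PEER_VIEW_OF_US = ["172.20.15.0/24", "192.168.50.0/24"]  # our object on the peer side


def covering(networks, addr):
    """Most specific network in `networks` that contains `addr`, or None."""
    addr = ip_address(addr)
    hits = [n for n in map(ip_network, networks) if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def proposed_selector(src, dst, local_domain, remote_domain):
    """The proxy-ID pair (IDci, IDcr) an initiator puts in QM packet 1 for a
    flow src->dst: the covering subnet from each of its encryption domains."""
    return covering(local_domain, src), covering(remote_domain, dst)


def responder_accepts(selector, responder_remote_domain, responder_local_domain):
    """Strict responder: accept only an exact subnet-pair match.
    Returns (accepted, reason); the reason names a supernetting mismatch when
    one side declared a supernet of the subnet the other side proposed."""
    src_net, dst_net = selector
    if src_net is None or dst_net is None:
        return False, "flow is outside the initiator's own encryption domains"
    remote = {ip_network(n) for n in responder_remote_domain}
    local = {ip_network(n) for n in responder_local_domain}
    if src_net in remote and dst_net in local:
        return True, "exact match"
    for n in local:
        if dst_net != n and dst_net.subnet_of(n):
            return False, (f"responder declares {n} but initiator proposed "
                           f"narrower {dst_net} (supernetting mismatch)")
    for n in remote:
        if src_net != n and src_net.subnet_of(n):
            return False, (f"responder expects {n} but initiator proposed "
                           f"narrower {src_net} (supernetting mismatch)")
    return False, "no matching subnet pair on the responder"


def diagnose(src, dst, peer_declares=None):
    """Run the flow src->dst through both sides; peer_declares overrides the
    peer's own encryption domain so a corrected config can be tested."""
    selector = proposed_selector(src, dst, LOCAL_DOMAIN, PEER_DOMAIN_AS_WE_SEE_IT)
    return responder_accepts(selector, PEER_VIEW_OF_US,
                             peer_declares or PEER_DOMAIN_AS_PEER_DECLARES)


if __name__ == "__main__":
    ok, why = diagnose("172.20.15.52", "192.168.15.210")
    print("Phase 2 accepted:" if ok else "Phase 2 rejected:", why)
    ok, why = diagnose("172.20.15.52", "192.168.15.210",
                       peer_declares=["192.168.15.0/24"])
    print("Phase 2 accepted:" if ok else "Phase 2 rejected:", why)
```

Run as-is, the first line of output says the responder rejects because it declares 192.168.0.0/16 while the initiator proposed the narrower 192.168.15.0/24; the second run, with the peer's declared domain corrected to the same /24, is accepted. That side-by-side comparison of what each gateway declares is the cross-check faheb1 is doing by asking the remote admin for their configuration.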
Piet_vd_Maas
Contributor

Sounds like a routing issue indeed. @faheb1 you also mentioned the issues started after an IP change of the peer gateway.

faheb1
Explorer

Hi

Checked the routing. Found a problem. It seems like a typo. I have fixed it. The client needs to check it tomorrow. The VPN shows up. I will let you know the result.

0 Kudos