This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raydar
Explorer
‎2024-02-17 05:23 AM

Checkpoint Site to Site VPN, Tunnel is UP but no traffic after upgrade

Good Morning Dear Community,

I hope this message finds you well.

I'm reaching out to seek assistance with a problem we've encountered after upgrading our Checkpoint appliances from version R81 to R82.20. We have a Site-to-Site VPN configured between two clusters as follows:

Site1:

  • Virtual IP (VIP): 10.7.1.1
  • Nodes: 10.7.1.2 and 10.7.1.3

Site2:

  • Virtual IP (VIP): 10.1.4.1
  • Nodes: 10.1.4.2 and 10.1.4.3

The upgrade process completed successfully on both nodes at Site1. However, post-upgrade, we're experiencing an issue where the VPN is up (IKE phase, IPSec SA, etc.), but traffic is not reaching from Site2 to Site1 and vice versa, specifically to one node.

After the upgrade, node 10.7.1.3 is no longer reachable from Site2, and it cannot reach Site2, while the other node is functioning properly. The cluster is active/standby without any problems.

We're considering factory resetting the problematic node. Has anyone encountered a similar issue?

We've consulted an SK, which suggests that this could be related to having another network device with the same IP as the problematic one. However, in our case, we only have one host object (not a gateway) with the same IP. We don't believe this could be causing such an issue, as everything was functioning properly before the upgrade.

Your insights and experiences would be greatly appreciated.

Thank you for your assistance.

 

 

0 Kudos
4 Replies
AmirArama
Employee
Employee
‎2024-02-18 03:21 AM

Hi,

is the unreachable node always the standby member ? or it's also the case if it becomes the active?

can you take 'fw monitor' and 'fw ctl zdebug + drop' on both cluster members of SITE1, and also on SITE2 active member, while you attempt to reach it and attach the outputs here ? (note which is which, the ip involved, protocol used (such as icmp)

Thanks

fw monitor -F "0,0,10.7.1.3,0,0" -F "10.7.1.3,0,0,0,0"

fw ctl zdebug + drop | grep 10.7.1.3

(break with ctrl+C . and also reset debug with 'fw ctl debug 0')

i will also put that as a reference that might be related

https://support.checkpoint.com/results/sk/sk169154

(3.4) Connections from / to a Standby cluster member

 

Raydar
Explorer
‎2024-02-18 12:15 PM
In response to AmirArama

Good Evening Amir.

Yes, the problem persists if the standby node (that is the node that has the problem) becomes active and vice versa.

I'll try the commands and I will let you know.

0 Kudos
the_rock
Legend
Legend
‎2024-02-18 02:53 PM
In response to Raydar

You can also turn on vpn debug and let it run for few days

Andy

vpn debug trunc

vpn degun ikeon

To turn off, vpn debug ikeoff

0 Kudos
the_rock
Legend
Legend
‎2024-02-18 04:59 AM

Great commands by @AmirArama . If you can run those and update, would be super helpful.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events