CheckPointerXL
Advisor

CloudGuard AWS HA to third party - VPN Tunnel Instability? BGP/ICMP traffic


Hi all,

I'm facing a weird issue with an AWS cluster VPN to third-party gateways.

At random times, sometimes after 2 or 3 days, the tunnel gets stuck and a reset is needed.

From the capture I see that traffic is correctly encapsulated/decapsulated.

The cluster has an external private IP, of course.


Now I'm going to describe the difference between working and non-working tunnels:

WORKING TUNNEL

- tcpdump shows packets sent/received on port 4500
- fw monitor correctly shows BGP sent/received and echo request/reply received

NOT WORKING TUNNEL

- tcpdump shows that the Check Point peer sends packets on 4500, and the remote peer answers with ESP packets (not encapsulated)
- fw monitor does not show a reply when pinging the PtP address (it doesn't work), and BGP traffic is sent with id=0:

[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (TCP) len=52 id=0
TCP: 179 -> 60813 .S..A. seq=c8049c10 ack=7a7186a1

On working tunnels, id=XXX is incremental.

SO, the strange part is that the VPN seems to be good (Phase 1/2 up and traffic is encrypted/decrypted), but BGP is down and I cannot ping the remote VTI.

vpn tu del fixes the issue.

The environment is R81.20 T98.

Action taken:

Enabled offer_nat_t_initator, enabled DPD responder.

Any idea?

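As an added example (not part of either post in this thread), here is a small shell helper that applies the symptom described above, outbound packets on a VTI all carrying id=0, to fw monitor output so a stuck tunnel can be spotted from a capture before resorting to vpn tu del. The fw monitor lines below are constructed sample data, and the function names `flag_zero_id_tunnels` and `stuck_tunnels` are my own.

```shell
#!/bin/bash
# Constructed sample of fw monitor output (not captured from a real gateway):
# vpnt28 is a healthy tunnel (incrementing IP ID), vpnt29 shows the id=0 symptom.
SAMPLE_FWMON='[vs_0][fw_2] vpnt28:O[44]: 192.168.13.1 -> 192.168.13.2 (TCP) len=52 id=4101
TCP: 179 -> 51022 .S..A. seq=aa11bb22 ack=cc33dd44
[vs_0][fw_2] vpnt28:O[44]: 192.168.13.1 -> 192.168.13.2 (TCP) len=52 id=4102
TCP: 179 -> 51022 ...A.. seq=aa11bb23 ack=cc33dd45
[vs_0][fw_2] vpnt28:I[44]: 192.168.13.2 -> 192.168.13.1 (ICMP) len=84 id=9001
ICMP: type=0 code=0 echo reply id=7 seq=1
[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (TCP) len=52 id=0
TCP: 179 -> 60813 .S..A. seq=c8049c10 ack=7a7186a1
[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (TCP) len=52 id=0
TCP: 179 -> 60813 .S..A. seq=c8049c10 ack=7a7186a1
[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=7 seq=1'

# Reads fw monitor output on stdin. For every VTI (vpntNN) it counts outbound
# packets (inspection points o/O) and how many of them carry id=0, then prints
# the interfaces where EVERY outbound packet had id=0 (the stuck-tunnel symptom).
# Inbound lines and the protocol detail lines (TCP:/ICMP:) are ignored.
flag_zero_id_tunnels() {
    awk '
        /^\[.*\] vpnt[0-9]+:[oO]\[/ {
            split($2, iface, ":")          # "vpnt29:O[44]:" -> iface[1] = "vpnt29"
            total[iface[1]]++
            if ($NF == "id=0") zero[iface[1]]++
        }
        END {
            for (i in total)
                if (zero[i] == total[i]) print i
        }
    ' | sort
}

# On a gateway this would be fed live:  fw monitor -e "accept;" | flag_zero_id_tunnels
# Here it runs over the constructed sample and returns the affected VTI names.
stuck_tunnels() {
    printf '%s\n' "$SAMPLE_FWMON" | flag_zero_id_tunnels
}
```

Feeding the output into a cron job or monitoring hook lets you alert on the symptom instead of waiting for BGP to drop.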
Jon_C
Explorer

The obvious question always is: if the tunnels were working fine before, what's changed? Patched recently?

Do the tunnels have issues after pushing policy? (Global Properties > Advanced Configuration > VPN Advanced Properties > VPN IKE properties > turn on keep_IKE_SAs)

For VPN tunnel sharing, are they configured for per-subnet pair or per-gateway pair?

With that said, I would suggest contacting TAC if it's an option.

But regardless, you should run a VPN debug before the issue presents itself, so that you can review the logs yourself and also be able to provide the information to TAC.


Best Practice - Run this command to start the VPN debug:

vpn debug trunc ALL=5

Best Practice - Run one of these commands to stop the VPN daemon debug:

vpn debug off

vpn debug truncoff


Run this command to see which file it logs to:

Run "vpn iked calc <peer IP>" on the relevant gateway.

Example: vpn iked calc X.X.X.X (ExternalIP of Remote gateway)
vpn: Address X.X.X.X is handled by IKED 2

Files you can review and give to TAC:

# $FWDIR/log/iked*
# $FWDIR/log/vpnd*
