This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sangeeth_N
Contributor
‎2019-08-22 09:48 PM
Jump to solution

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx

Hi

 

I am trying to establish a VPN with an interoperable device[Sophos]. As checked, all the VPN parameters are matching. 

The VPN itself is not getting established and I am able to find the below mentioned log in SmartLog :

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea regarding why this issue  occurred.

 

 

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2019-08-26 04:28 AM
In response to Sangeeth_N
Jump to solution

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-10-20 12:34 PM
In response to Matlu
Jump to solution

All that means is that you sent an encrypted packet to your peer with an SPI it did not recognize because the tunnel associated with that particular SPI no longer exists on the peer end.  In response the peer sends your firewall a "Delete SA" telling your firewall to delete it on that end.  So the particular tunnel you tried to send to with a nonexistent SPI is "down", yes.  But when some interesting traffic arrives on either end the tunnel should come back up, unless the tunnel can only be initiated in one direction.  However Delete SAs don't really work right in an interoperable scenario, so your firewall's SmartView Monitor will show a VPN tunnel as "up" even though the peer thinks it is down.

Any time you set up a new VPN you need to ensure that either peer can successfully initiate a working tunnel from scratch.  Due to a subnets/Proxy-ID mismatch it is all too common that the VPN can only be successfully initialized in one direction.  So if the interesting traffic arrives at the side that is unable to initiate a working tunnel, the VPN will be down until the other side receives some interesting traffic and tries to bring it up from that end.  Once a tunnel is up and working it generally does not matter which side initiated it, the tunnel will be 2-way for purposes of passing traffic.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
9 Replies
Marco_Valenti
Advisor
‎2019-08-23 12:07 AM
Jump to solution

you should be able to find the causing issue with vpn debug ikeon (turn it off with vpn debug ikeoff) and the opening relevant file (ike.elg) with checkpoint ikeview and see if there are any kind of problem regarding phase 2

0 Kudos
Sangeeth_N
Contributor
‎2019-08-23 12:32 AM
In response to Marco_Valenti
Jump to solution

Hi  @Marco_Valenti 

 

I am only able to find phase1 info,  as below :

 
 
 
0 Kudos
Sangeeth_N
Contributor
‎2019-08-23 12:35 AM
In response to Marco_Valenti
Jump to solution

ike.JPG

 

 

 

 

 

 

I am only able to find phase1 info. Couldn't find any phase2 related info from ike.elg file 

0 Kudos
Marco_Valenti
Advisor
‎2019-08-23 12:41 AM
In response to Sangeeth_N
Jump to solution

Try to generate some traffic if you can' t have a phase 2 established check the encryption domain for both gateway involved and vpn community , verify there are no nat rule that match this kind of traffic if there are no need for nat

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-23 07:31 AM
In response to Sangeeth_N
Jump to solution

Please click the "+" sign next to "P1" and post another screenshot so we can see how far you are getting in Phase 1.  If Phase 1 is completely succeeding but is immediately followed by a "Delete SA" notification, check the Phase 1 and Phase 2 SA Lifetime timers and make sure they match exactly on both sides.  Note that the Phase 1 timer is expressed in minutes on the Check Point and the Phase 2 timer is expressed in seconds, while most other vendors express both values in seconds.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Sangeeth_N
Contributor
‎2019-08-25 11:21 PM
In response to Timothy_Hall
Jump to solution

Hi @Timothy_Hall 

Please find the screenshot as below :

ike.JPG

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-26 04:28 AM
In response to Sangeeth_N
Jump to solution

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Matlu
Advisor
‎2023-10-19 05:45 PM
In response to Timothy_Hall
Jump to solution

Hello, @Timothy_Hall 

One question, please.

This type of logs that you can see in the SmartConsole, is an "evidence" that this VPN is "down"?

VPN1.png

The strange thing is that when I go to the DashBoard of "Tunnel & User Monitoring", I see this VPN up, as if it was working fine.

Cheers. 🙂

Preview file
1 KB
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-10-20 12:34 PM
In response to Matlu
Jump to solution

All that means is that you sent an encrypted packet to your peer with an SPI it did not recognize because the tunnel associated with that particular SPI no longer exists on the peer end.  In response the peer sends your firewall a "Delete SA" telling your firewall to delete it on that end.  So the particular tunnel you tried to send to with a nonexistent SPI is "down", yes.  But when some interesting traffic arrives on either end the tunnel should come back up, unless the tunnel can only be initiated in one direction.  However Delete SAs don't really work right in an interoperable scenario, so your firewall's SmartView Monitor will show a VPN tunnel as "up" even though the peer thinks it is down.

Any time you set up a new VPN you need to ensure that either peer can successfully initiate a working tunnel from scratch.  Due to a subnets/Proxy-ID mismatch it is all too common that the VPN can only be successfully initialized in one direction.  So if the interesting traffic arrives at the side that is unable to initiate a working tunnel, the VPN will be down until the other side receives some interesting traffic and tries to bring it up from that end.  Once a tunnel is up and working it generally does not matter which side initiated it, the tunnel will be 2-way for purposes of passing traffic.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events