This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fabian_Maldonad
Explorer
‎2021-03-24 06:28 AM

Internet Traffic from VPN being blocked

Hello forum! 

Hoping to get some fresh eyes on an issue im am dealing with currently.

I have a firewall in Azure connected back to us (HQ) over ipsec VPN. Virtual machines can communicate with HQ with no issues, however, they cannot get to the internet. I see in the logs the traffic is being dropped by my FW. Here is the exact error i am receiving:

Id: c0a801c9-1611-7109-605b-3a433ba90001
Marker: @A@@B@1616558409@C@2612367
Log Server Origin: x.x.x.x
Time: 2021-03-24T13:10:27Z
Interface Direction: inbound
Interface Name: eth1-02
Id Generated By Indexer:false
First: true
Sequencenum: 179
Log ID: 404821
Source: 10.0.100.5
Source Port: 50529
Destination: 20.60.132.4
Destination Port: 443
IP Protocol: 6
Scheme: IKE
Methods: ESP: AES-128 + SHA1 + PFS (group 14)
VPN Peer Gateway: x.x.x.x
Encryption Failure: According to the policy the packet should not have been decrypted
VPN Feature: VPN
Action: Drop
Type: Connection
Policy Name: HB-Custom-Policy
Policy Management: cpman
Db Tag: {3138C08A-7834-2645-8B4F-36751CECDF37}
Policy Date: 2021-03-18T19:00:14Z
Blade: VPN
Origin: HBFW1
Service: TCP/443
Product Family: Access
Logid: 1
File Size: 0
Interface: eth1-02
Description:

 

The 10.0.100.5 is the VM that is trying to access windows updates 20.60.132.4 in the log details above.

  • I have the subnet 10.0.100.0 in the route table pointing to our gateway
  • I have a network object for 10.0.100.0/23 in the internet allowed out policy 
  • I can ping from 10.0.100.5 our GW 

Any direction here would be much appreciated.

 

0 Kudos
3 Replies
KennyManrique
Advisor
‎2021-03-25 10:04 AM

Hi Fabian.

Which routing configuration you're using for the VPN Community? 

The message According to the policy the packet should not have been decrypted indicates that the source machines are trying to reach an encryption domain that is not exchanged by the two gateways. You should configure routing in the community or manually add 20.60.132.4 to your encryption domain exchanged between both devices.

 

0 Kudos
Vladimir
Champion
Champion
‎2021-03-25 02:28 PM

First, test connectivity from Azure CP GW to the Internet (ping www.yahoo.com or curl_cli -k https://www.google.com)

Then check if you are preventing NAT between your Azure hosts and on-premises.

THen check if you are NATing your hosts to "Hide behind Gateway's IP" on their way to the Internet and enable that if it is not done yet.

the_rock
Legend
Legend
‎2021-03-25 04:30 PM

Vladimir is correct...that type of error may indicate nat issues, but it also could be related to vpn domain as well. Could you do ike debug when trying this, as that would show you exactly where its failing, phase 1 or 2 and what packet exactly.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events