Anandsekar
Explorer

IPsec tunnel down phase 2 after upgrading to R81.20 Take 41

IPsec tunnel down phase 2 after upgrading to R81.20 Take 41 and IPsec tunnel is unstable

0 Kudos
7 Replies
Lesley
Leader

More info?

- what version you came from

- what you see in logs

- cp to cp or cp to vendor

- both sides unstable

- global encryption domain or per community

etc

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Anandsekar
Explorer

- what version you came from -- R81.10 JHF Take 79 to R81.20 Take 41

- what you see in logs - Checkmate.PNG

- cp to cp or cp to vendor -- Checkpoint to checkpoint LSM security gateways.

- both sides unstable - yes

- global encryption domain or per community - on all tunnels in the community

0 Kudos
the_rock
Legend

IKE failure usually means phase 1 is down, not phase 2. Can you run vpn tu and check what it shows when you filter for that specific tunnel?

Or try the options below.

Andy

vpn tu list ike
vpn tu list ipsec
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
vpn tu list tunnels
vpn tu tlist
vpn tu mstats
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del ipsec ip-addr from ip-addr to ip-addr
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
vpn tu del ip-addr from ip-addr to ip-addr
vpn tu conn

0 Kudos
Anandsekar
Explorer

- what version you came from: R81.10 Take 79 to R81.20 Take 41

- what you see in logs: Checkmate.PNG

- cp to cp or cp to vendor: CP to CP, those are LSM security gateways managed by SmartProvisioning

- both sides unstable: yes

- global encryption domain or per community: checkmate2.PNG

0 Kudos
Lesley
Leader

Hmmm unclear error. Maybe VPN debug could give more info.

https://support.checkpoint.com/results/sk/sk180488

In the meantime, maybe you can check the basics. This will be, as I assume, a certificate-based tunnel.

So maybe check if the CRL check is working:

https://support.checkpoint.com/results/sk/sk108632

https://support.checkpoint.com/results/sk/sk32648

Also check if the VPN certificates are still valid:

https://support.checkpoint.com/results/sk/sk178304

This is not a Gaia embedded gateway, right?
0 Kudos
JP_Rex
Collaborator

Hello,
What LSM Gateways do you use and what version are they running on?

Is there a log entry from an LSM GW?

Regards

Peter

0 Kudos
Anandsekar
Explorer

What LSM Gateways do you use and what version are they running on?: 1100 & 1430 appliances, which are running on R77.20.87 (990173004).

Is there a log entry from an LSM GW?: No

0 Kudos