In the VSX Firewall (R80.20) I have configured two IPSec VPN communities (star type) that I establish with remote branches on Cisco routers (they use dynamic IPs). The central gateway is the Check Point and the satellites are the branch office routers.
The problem I am having is that when the IPSec tunnel goes down, it is not restored again (automatically). The workaround I use is to generate a PING from the Check Point to the dynamic public IP of the remote branch.
I only see this behavior with one VPN community, where I have branches with an Internet provider called Total Play here in Mexico.
The IPSec VPN tunnels of the other VPN community are with a different Internet provider and I have no problems with those.
I ran a tcpdump and zdebug on the Check Point firewall, and I see that the communication arrives but the Check Point does not respond.
[Expert@FW02:X]# tcpdump -nni any host 187.188.90.YY (This is IP Remote)
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:49:13.375725 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident
11:49:23.376030 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident
[Expert@FW02:X]# fw ctl zdebug + drop | grep 187.188.90.YY
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip=0.0.1.125 from 9142;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_src_dst_dynobj: network_classifier_handle_dag() failed for ip: 187.188.90.YY;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dynobjs: network_classifier_handle_src_dst_dynobj() failed;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifiers_match_cb_handle_first_packet_ctx: network_classifier_handle_dynobjs failed;
Any idea why I have this problem with the tunnels of this VPN community, since with the other one I have no problems?
As mentioned, I have to ping the remote public IP to reset the VPN tunnel.
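Added example (not from the original post or from Check Point): a small Python helper that parses `fw ctl zdebug + drop` lines in the layout shown above, groups them per flow and reports the innermost error (the first one logged) as the root cause, so a long drop capture can be reduced to "which peer, which VS, which failing function". The field layout is assumed from the output above, and the sample lines are constructed with documentation IP addresses in place of the real ones.

```python
import re
from collections import OrderedDict

# Assumed layout of one "fw ctl zdebug + drop" line, taken from the output above:
# @;<seq>;[<vs>];[<tid>];[<fw instance>];[<src>:<port> -> <dst>:<port>] [<LEVEL>]: <function>: <message>;
_LINE_RE = re.compile(
    r"^@;(?P<seq>\d+);\[(?P<vs>[^\]]+)\];\[(?P<tid>[^\]]+)\];\[(?P<inst>[^\]]+)\];"
    r"\[(?P<src>[^\s\]]+) -> (?P<dst>[^\s\]]+)\] \[(?P<level>[A-Z]+)\]: "
    r"(?P<func>[A-Za-z0-9_]+): (?P<msg>.*?);?\s*$"
)
_BOGUS_RE = re.compile(r"bogus_ip=(\S+)")

# Constructed sample: the four error lines from the post, with placeholder addresses.
SAMPLE_DROPS = [
    "@;9515533;[vs_X];[tid_0];[fw4_0];[203.0.113.10:500 -> 198.51.100.5:500] [ERROR]: "
    "network_classifier_handle_dag: failed to get uuid of DAG bogus_ip=0.0.1.125 from 9142;",
    "@;9515533;[vs_X];[tid_0];[fw4_0];[203.0.113.10:500 -> 198.51.100.5:500] [ERROR]: "
    "network_classifier_handle_src_dst_dynobj: network_classifier_handle_dag() failed for ip: 203.0.113.10;",
    "@;9515533;[vs_X];[tid_0];[fw4_0];[203.0.113.10:500 -> 198.51.100.5:500] [ERROR]: "
    "network_classifier_handle_dynobjs: network_classifier_handle_src_dst_dynobj() failed;",
    "@;9515533;[vs_X];[tid_0];[fw4_0];[203.0.113.10:500 -> 198.51.100.5:500] [ERROR]: "
    "network_classifiers_match_cb_handle_first_packet_ctx: network_classifier_handle_dynobjs failed;",
]

def parse_zdebug_line(line):
    """Return the fields of one drop-debug line as a dict, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    b = _BOGUS_RE.search(rec["msg"])
    rec["bogus_ip"] = b.group(1) if b else None   # only present on the DAG lookup failure
    return rec

def summarize_drops(lines):
    """Group ERROR lines by flow (src -> dst), keeping the call chain in logged order.

    The innermost failure is logged first and each caller afterwards, so the first
    function of a flow's chain is the root cause; the others only propagate it.
    """
    flows = OrderedDict()
    for line in lines:
        rec = parse_zdebug_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        key = f"{rec['src']} -> {rec['dst']}"
        flow = flows.setdefault(key, {"vs": rec["vs"], "chain": [], "bogus_ip": None})
        flow["chain"].append(rec["func"])
        flow["bogus_ip"] = flow["bogus_ip"] or rec["bogus_ip"]
    for flow in flows.values():
        flow["root_cause"] = flow["chain"][0]
    return flows
```

Run it over `fw ctl zdebug + drop | grep <peer>` output to see, per peer, whether the first packet of the IKE exchange is being dropped by the network classifier before the VPN daemon ever sees it, which is the symptom in the post (the peer's phase 1 packet arrives on UDP 500 but no reply is sent).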
Use vpn debug to see what's wrong. It seems the Cisco side does not reply at all.