This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
raquinog
Participant
‎2020-09-20 03:51 PM

Issue with IPSec VPN on VSX Checkpoint (doesn't renegotiate)

In the VSX Firewall (R80.20) I have configured two communities of IPSec VPN (star type) that I establish with remote branches in Cisco Routers (It use dynamic IP). The Central Gateway is the Checkpoint and the satellites are the branch office routers.

The problem I am presenting is that when the IPSec tunnel goes down, the tunnel is not restored again (automatically). The Work Around I execute is to generate a PING from the Checkpoint to the dynamic public IP of the remote branch.

I only present this behavior with a VPN community where I have branches with an Internet provider called Total Play here in Mexico.
The IPSec VPN tunnels from the other VPN community are with a different Internet provider and I have no problems with those.

I executed a tcpdump and Zdebug on the Checkpoint Firewall, and I see that if the communication arrives but the Checkpoint does not respond.

[Expert@FW02:X]# tcpdump -nni any host 187.188.90.YY (This is IP Remote)
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:49:13.375725 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident
11:49:23.376030 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident

[Expert@FW02:X]# fw ctl zdebug + drop | grep 187.188.90.YY
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip=0.0.1.125 from 9142;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_src_dst_dynobj: network_classifier_handle_dag() failed for ip: 187.188.90.YY;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dynobjs: network_classifier_handle_src_dst_dynobj() failed;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifiers_match_cb_handle_first_packet_ctx: network_classifier_handle_dynobjs failed;

Any idea why I present this problem with the tunnels of this VPN community? since with the other I have no problems.
As mentioned I have to ping the remote public IP to reset the VPN tunnel.

0 Kudos
1 Reply
_Val_
Admin
Admin
‎2020-09-22 11:59 PM

use vpn debug to see what's wrong. It seems cisco side does not reply at all

 

0 Kudos