It's Here!
CPX 360 2021 Content
Check Point Harmony
Highest Level of Security for Remote Users
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
Advanced Protection for
Small and Medium Business
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Forrester Study Finds
CloudGuard Generates 169% ROI
In the VSX Firewall (R80.20) I have configured two communities of IPSec VPN (star type) that I establish with remote branches in Cisco Routers (It use dynamic IP). The Central Gateway is the Checkpoint and the satellites are the branch office routers.
The problem I am presenting is that when the IPSec tunnel goes down, the tunnel is not restored again (automatically). The Work Around I execute is to generate a PING from the Checkpoint to the dynamic public IP of the remote branch.
I only present this behavior with a VPN community where I have branches with an Internet provider called Total Play here in Mexico.
The IPSec VPN tunnels from the other VPN community are with a different Internet provider and I have no problems with those.
I executed a tcpdump and Zdebug on the Checkpoint Firewall, and I see that if the communication arrives but the Checkpoint does not respond.
[Expert@FW02:X]# tcpdump -nni any host 187.188.90.YY (This is IP Remote)
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:49:13.375725 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident
11:49:23.376030 IP 187.188.90.YY.500 > 187.174.134.xx.500: isakmp: phase 1 I ident
[Expert@FW02:X]# fw ctl zdebug + drop | grep 187.188.90.YY
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip=0.0.1.125 from 9142;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_src_dst_dynobj: network_classifier_handle_dag() failed for ip: 187.188.90.YY;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifier_handle_dynobjs: network_classifier_handle_src_dst_dynobj() failed;
@;9515533;[vs_X];[tid_0];[fw4_0];[187.188.90.YY:500 -> 187.174.134.XX:500] [ERROR]: network_classifiers_match_cb_handle_first_packet_ctx: network_classifier_handle_dynobjs failed;
Any idea why I present this problem with the tunnels of this VPN community? since with the other I have no problems.
As mentioned I have to ping the remote public IP to reset the VPN tunnel.
_Val_
use vpn debug to see what's wrong. It seems cisco side does not reply at all
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY