Logging traffic over S2S

_Daniel_ · ‎2022-08-29

Hi All,

We got a S2S tunnel between a branch and a central firewall -both running R81.10 HFA Take 66, and managed by the same SMS.

Log traffic goes over the tunnel (we did update the masters file and followed sk104582), all was working fine, until we built a new -with new IP address- log server replacing the old one

We could see the SYN packet -on port 257- reaching the log server -over the tunnel, where it replies back with a SYN ACK which is then dropped on the central gateway with the below error:

@;4054131556;[kern];[tid_8];[SIM-241142620];vpn_verify: mspi check failed (cdir=0; conn_mspis:00000000,00000000; packet_mspi:0080000e), c2s conn: <10.131.2.1,38702,10.104.20.6,257,6>;

Any clues? Resetting the tunnel didn't make any difference.

A ticket was raised, but we've been kicked around for some time now

PhoneBoy · ‎2022-08-29

Anything involving SIC should not go over VPN by default, though I suppose if you’re following sk104582, you’ve changed that 😉
If you send me the TAC SR in a PM I can take a look.

_Daniel_ · ‎2022-09-04

A quick update for the records.

While going through some kernel debugging -with fw ctl zdebug running in another ssh session, I've noticed the above error message will disappear once SecureXL is being stopped -on the central VPN gateway.

Informed TAC with my findings, by the time I've managed to get an engineer on a session, the bl00dy logs started being received by the log server!!!

Now I'm not sure if stopping/re-enabling SecureXL fixed it or it was something else -no other changes were done.

Another self healing issue leaving me un-settled 😞

Are you a member of CheckMates?

Logging traffic over S2S