_Daniel_
Contributor

Logging traffic over S2S

Hi All,

We've got an S2S tunnel between a branch and a central firewall -both running R81.10 HFA Take 66, and managed by the same SMS.

Log traffic goes over the tunnel (we did update the masters file and followed sk104582), and all was working fine, until we built a new log server -with a new IP address- replacing the old one.

We could see the SYN packet -on port 257- reaching the log server over the tunnel, where it replies with a SYN ACK, which is then dropped on the central gateway with the below error:

@;4054131556;[kern];[tid_8];[SIM-241142620];vpn_verify: mspi check failed (cdir=0; conn_mspis:00000000,00000000; packet_mspi:0080000e), c2s conn: <10.131.2.1,38702,10.104.20.6,257,6>;

Any clues? Resetting the tunnel didn't make any difference.

A ticket was raised, but we've been kicked around for some time now.

0 Kudos
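As an added example (not part of the original post), a small Python parser for the fw ctl zdebug line format quoted above: it pulls out the MSPI values and the c2s 5-tuple, flags entries where the connection carries no MSPI while the packet does, and counts drops per destination service. The field layout is assumed from that single sample line, and the extra sample lines are constructed.

```python
import re
from collections import Counter

# Layout assumed from the single "vpn_verify: mspi check failed" line in the thread.
VPN_VERIFY_RE = re.compile(
    r"^@;(?P<seq>\d+);\[(?P<module>[^\]]+)\];\[tid_(?P<tid>\d+)\];\[(?P<src>[^\]]+)\];"
    r"vpn_verify: mspi check failed \(cdir=(?P<cdir>\d+); "
    r"conn_mspis:(?P<conn_mspis>[0-9a-fA-F,]+); packet_mspi:(?P<packet_mspi>[0-9a-fA-F]+)\), "
    r"c2s conn: <(?P<sip>[\d.]+),(?P<sport>\d+),(?P<dip>[\d.]+),(?P<dport>\d+),(?P<proto>\d+)>;"
)

def parse_vpn_verify(line):
    """Return a dict of parsed fields, or None if the line is not an mspi-check drop."""
    m = VPN_VERIFY_RE.match(line.strip())
    if not m:
        return None
    conn_mspis = [int(x, 16) for x in m["conn_mspis"].split(",")]
    packet_mspi = int(m["packet_mspi"], 16)
    return {
        "seq": int(m["seq"]),          # first numeric field; meaning not stated on the page
        "tid": int(m["tid"]),
        "cdir": int(m["cdir"]),
        "conn_mspis": conn_mspis,
        "packet_mspi": packet_mspi,
        # Connection entry holds no MSPI at all, yet the packet arrived with one.
        "conn_has_no_mspi": all(v == 0 for v in conn_mspis) and packet_mspi != 0,
        "flow": (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), int(m["proto"])),
    }

def summarize(lines):
    """Count mspi-check drops per (dst ip, dst port, proto) so the affected service stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_vpn_verify(line)
        if rec:
            _, _, dip, dport, proto = rec["flow"]
            counts[(dip, dport, proto)] += 1
    return counts

# Constructed sample: the line from the thread, a second drop on the same log-server
# service from another source port, and one unrelated debug line that must be ignored.
SAMPLE = [
    "@;4054131556;[kern];[tid_8];[SIM-241142620];vpn_verify: mspi check failed (cdir=0; conn_mspis:00000000,00000000; packet_mspi:0080000e), c2s conn: <10.131.2.1,38702,10.104.20.6,257,6>;",
    "@;4054131602;[kern];[tid_8];[SIM-241142633];vpn_verify: mspi check failed (cdir=0; conn_mspis:00000000,00000000; packet_mspi:0080000e), c2s conn: <10.131.2.1,38710,10.104.20.6,257,6>;",
    "@;4054131650;[kern];[tid_3];[SIM-241142700];some other debug message;",
]

if __name__ == "__main__":
    for (dip, dport, proto), n in summarize(SAMPLE).items():
        print(f"{n} mspi-check drop(s) towards {dip}:{dport}/proto {proto}")
```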
2 Replies
PhoneBoy
Admin

Anything involving SIC should not go over VPN by default, though I suppose if you’re following sk104582, you’ve changed that 😉
If you send me the TAC SR in a PM I can take a look.

_Daniel_
Contributor

A quick update for the records.

While going through some kernel debugging -with fw ctl zdebug running in another ssh session- I noticed the above error message disappears once SecureXL is stopped on the central VPN gateway.

I informed TAC of my findings; by the time I'd managed to get an engineer on a session, the bl00dy logs started being received by the log server!!!

Now I'm not sure if stopping/re-enabling SecureXL fixed it or it was something else -no other changes were made.

Another self-healing issue leaving me unsettled 😞

0 Kudos