This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
Advisor
‎2024-01-23 04:33 AM

Occasional failing Echo Reply

We have a customer which has a VPN from Portugal to the Netherlands. The Portugese site is a 1570 with R80.20 and the central site is a cluster with 6000 appliances running R81

Customer has a contact in Portugal  who has started a contious ping and every now and then we loose a packet. In the logs I see Encrypt in Portugal and Decryp in the Netherlands. But every now and again in between these log entries there is a DROP on the echo-reply packet. with the additional information: ICMP reply does not match a previous request. This happens about 9 to 10 times per hour.

The ICMP virtual session timeout is set to 30 seconds under global properties. Which seems enough as the roundtrip over the VPN is just under 50 ms.

Customer also has a continous ping open to the router just in front of the firewalls in the Netherlands and that does not show any dropped packets.

Bsed on https://support.checkpoint.com/results/sk/sk66443 I would have to run a packet capture to see what happens. 

Anyone any other suggestions?

 

 

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
7 Replies
Hugo_vd_Kooij
Advisor
‎2024-01-23 05:01 AM

Packet capture on the central side was easy. I saw 2 instances where the logs shows a dropped reply packet and the central firewall shows a gap of 5 seconds where there is a normal echo request and echo reply every second. So I need to do this at both ends at the same time. to learn more.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
Advisor
‎2024-01-23 05:32 AM
In response to Hugo_vd_Kooij

Done fw monitor on the 1570 and packet wise there is nothing wrong with the reply but it fails to pass. 

So this seems like bad behaviour of the appliance and I will create a TAC case for it. As I see other bad signs on the unit as well. (vmcore files of the last few days, .....

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
the_rock
Legend
Legend
‎2024-01-23 05:30 AM

I dont like that "solution" from the sk at all. All that does is says uncheck "drop out of state", which is not even good workaround in my mind. I know it says as immediate workaround, but then obviously, who knows how much time it can take to find permenant fix. Here is how I always fixed this issue in the past...screenshots attached.

Best,

Andy

 

 

 

Screenshot_2.png

 

 

Screenshot_3.png

0 Kudos
Hugo_vd_Kooij
Advisor
‎2024-01-23 06:20 AM
In response to the_rock

Hmmm. Global properties means it will impact a few dozen other VPN's as well. Not even sure this is an issue with losing SA's in the first place. Let me fetch the vpn deg ikeon output. to see if it makes any sense.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
the_rock
Legend
Legend
‎2024-01-23 06:29 AM
In response to Hugo_vd_Kooij

Thats right, its global setting.

Andy

0 Kudos
Hugo_vd_Kooij
Advisor
‎2024-01-23 06:51 AM
In response to Hugo_vd_Kooij

Looking at the ike log it does not appear to be a VPN issue.

At 14:22:05 there is an issu with the echo-reply packet being dropped. There is no chnage in the VPN between 14:03:06 and 14:38:09 so the cause of this particular issue is not VPN in itself.

However seeing 4 times a Phase 1 build up in less then an hour is not a sign of a healthy VPN.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
the_rock
Legend
Legend
‎2024-01-23 06:58 AM
In response to Hugo_vd_Kooij

Thats fair assesment.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events