Hi,
I replaced my Check Point SMB 1550 with a Quantum 3600 and I cannot get the tunnel to Harmony SASE working again.
As far as I can debug it, the packets get encrypted but never leave the firewall.
The VPN is up:
IKE:
Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:
IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7
IPsec:
Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:
IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7
INBOUND:
1. 0x2a45d4a5 (i: 2)
OUTBOUND:
1. 0xc5850354 (i: 2)
I see the packets coming in through "fw monitor":
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48460
ICMP: type=8 code=0 echo request id=14 seq=139
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48945
ICMP: type=8 code=0 echo request id=14 seq=140
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=49316
ICMP: type=8 code=0 echo request id=14 seq=141
But the packets don't make it to the network. "fw ctl zdebug drop" shows me:
@;6607.255;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;
@;6608.256;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;
This is really weird, because the firewall itself can ping the system:
[Expert@fortress-new:0]# ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=64 time=1.02 ms
The destination network is a bridging interface (br0).
Yours, Martin