This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Masek
Contributor
‎2024-11-02 10:36 AM

Problem with VPN & PPPoE: R81.20 - Build 039

Hi,

I replaced my Check Point SMB 1550 with a Quantum 3600 and I cannot get the tunnel to Harmony SASE working again.

As far as I can debug it, the packet get encrypted but never leave the firewall.

The VPN is up:

IKE:

Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:

  IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7

IPsec:

Peer 209.35.231.46 , vpn-harmony-sase.ffm SAs:

  IKEv2 SA 2cae2ad64b836a8f,93a026f7f36c90f7
    INBOUND:
      1. 0x2a45d4a5  (i: 2)
    OUTBOUND:
      1. 0xc5850354  (i: 2)

I see the packets coming in through "fw monitor"

[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48460
ICMP: type=8 code=0 echo request id=14 seq=139
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=48945
ICMP: type=8 code=0 echo request id=14 seq=140
[vs_0][fw_1] pppoe7:i[44]: 10.2.3.2 -> 10.0.1.10 (ICMP) len=84 id=49316
ICMP: type=8 code=0 echo request id=14 seq=141

But the packets don't make it to the network: "fw ctl zdebug drop shows" me

@;6607.255;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;
@;6608.256;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.2.3.2:14 -> 10.0.1.10:0 dropped by vpn_before_offload Reason: failed to get OS route;

This really weird, because the firewall itself can ping the system:

[Expert@fortress-new:0]# ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=64 time=1.02 ms

The destination network is a bridging interface (br0).

Yours, Martin

 

 

I don't know where I'm going, but I'm on my way
0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-11-03 02:54 AM

Which JHF (Jumbo) is installed on this system and could you please share a simple diagram of the topology?

CCSM R77/R80/ELITE
0 Kudos
Masek
Contributor
‎2024-11-03 02:58 AM
In response to Chris_Atkinson

Installed the latest recommended JHF (89?)
Had to roll back and disconnect the system

I don't know where I'm going, but I'm on my way
0 Kudos
Masek
Contributor
‎2024-11-03 09:28 AM
In response to Chris_Atkinson

It was Take 89. I am rebuilding the system and try it without a bridging interface

I don't know where I'm going, but I'm on my way
0 Kudos
carlos_luz
Explorer
‎2025-01-06 05:41 AM
In response to Masek

 Is there one update about this test @Masek , i had the same problem in my LAB enverioment.

0 Kudos
Masek
Contributor
‎2025-01-06 10:32 AM
In response to carlos_luz

Use migrate_server for backup/restore at the moment...

I don't know where I'm going, but I'm on my way
0 Kudos
carlos_luz
Explorer
‎2025-01-06 10:45 AM
In response to Masek

 I had the same problem and after changed the Bridge to Physhical interface the problem stop...

 But i had this in one LAB enverioment, but i think there is necessary open one Case.

0 Kudos
Nigel_Todd
Employee Employee
Employee
‎2025-02-25 03:31 AM
In response to carlos_luz

Hi

Did you find a solution to the problem?

Thanks

Nigel

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events