Hello,
R80.40, latest JHF.
I have an issue where a CP gateway sits in the middle between nodes establishing a site-to-site VPN tunnel. Access is opened as per the requirements, but some tunnels go down and up sporadically. I was able to narrow it down to strange traffic for ESP. Comparing a working and a non-working tunnel, I find the following difference:
working:
[vs_0][ppak_0] x:id[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:i[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:I[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:o[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:O[44]: site1 -> site2_IP1 (50) len=204 id=44641
not working:
[vs_0][ppak_0] x:id[44]: site1 -> site2_IP2 (50) len=172 id=22516
[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP2 (50) len=172 id=22516
[vs_0][ppak_0] x:i[44]: site1 -> site2_IP2 (50) len=172 id=22516
fw ctl zdebug + drop | grep "site1" doesn't reveal anything.
Any ideas, besides TAC, which is already involved?
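As an added example (not from the original post and not Check Point code), here is a small Python parser for fw monitor lines of the shape quoted above. It groups records by packet (source, destination, IP id) and reports, for every packet that does not reach the end of the traversal path, the last inspection point it was seen at and the next one it should have hit; that pins a silent loss to one segment of the chain (for the non-working trace above: seen at i, never at I, so it disappears inside the inbound chain, which is consistent with zdebug drop showing nothing if the packet is consumed rather than dropped). The sample capture is constructed from the two excerpts in the post. The expected point order is taken from the working trace; that id and iD precede i for this traffic is an assumption read off that trace, not a documented Check Point ordering.

```python
import re
from collections import OrderedDict

# Constructed sample input: the two fw monitor excerpts quoted in the post,
# one ESP packet (proto 50) that traverses the gateway and one that does not.
SAMPLE_CAPTURE = """\
[vs_0][ppak_0] x:id[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:i[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:I[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:o[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:O[44]: site1 -> site2_IP1 (50) len=204 id=44641
[vs_0][ppak_0] x:id[44]: site1 -> site2_IP2 (50) len=172 id=22516
[vs_0][ppak_0] x:iD[44]: site1-> site2_IP2 (50) len=172 id=22516
[vs_0][ppak_0] x:i[44]: site1-> site2_IP2 (50) len=172 id=22516
"""

# Inspection points a forwarded packet is expected to hit, in the order the
# working trace shows them. i/I/o/O are the classic fw monitor pre-/post-inbound
# and pre-/post-outbound points; placing id/iD before i is an assumption taken
# from the working trace, not a documented ordering.
EXPECTED_PATH = ("id", "iD", "i", "I", "o", "O")

# Tolerates a missing leading '[' and missing space before '->' (both occur in
# copy-pasted captures).
LINE_RE = re.compile(
    r"^\[?vs_(?P<vs>\d+)\]\[ppak_(?P<ppak>\d+)\]\s+"
    r"(?P<iface>[^:\s]+):(?P<point>[A-Za-z]+)\[(?P<chain>\d+)\]:\s+"
    r"(?P<src>\S+?)\s*->\s*(?P<dst>\S+)\s+\((?P<proto>\d+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)\s*$"
)


def parse_capture(text):
    """Parse fw monitor lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in ("vs", "ppak", "chain", "proto", "len", "id"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def trace_packets(records):
    """Group the inspection points seen per packet, keyed by (src, dst, IP id)."""
    traces = OrderedDict()
    for rec in records:
        key = (rec["src"], rec["dst"], rec["id"])
        traces.setdefault(key, []).append(rec["point"])
    return traces


def find_stalls(records, path=EXPECTED_PATH, proto=None):
    """Return packets that never reach the last point of `path`.

    Maps each such packet key to (last point seen, next point expected), which
    localises the loss to the segment between two inspection points. `proto`
    optionally restricts the check to one IP protocol (50 for ESP).
    """
    if proto is not None:
        records = [r for r in records if r["proto"] == proto]
    stalls = {}
    for key, points in trace_packets(records).items():
        last = points[-1]
        if last not in path:
            continue  # unknown point; nothing to say about it
        idx = path.index(last)
        if idx + 1 < len(path):
            stalls[key] = (last, path[idx + 1])
    return stalls


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for (src, dst, pid), (last, nxt) in find_stalls(recs, proto=50).items():
        print(f"{src} -> {dst} id={pid}: last seen at '{last}', never reached '{nxt}'")
```

Feed it the output of an `fw monitor` run saved to a file instead of the embedded sample to check every ESP packet in a capture at once rather than eyeballing individual traces; a packet that stalls between i and I is worth a look at the inbound chain modules (fw ctl chain) rather than at routing.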
Does the gateway in question even have VPN enabled?
If so, does it need to?
Yes, the gateway does have the VPN blade enabled and it is required.
enabled_blades
fw vpn ips identityServer mon
I found sk167973, but this is not exactly our case. We do not NAT this traffic, and we are running a higher JHF than the one mentioned in the SK.