Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
abihsot__
Advisor

Protocol 50 (ESP) traversing GW do not reach destination

Hello,

R80.40 latest JHF

I have an issue where CP gateway is in the middle between nodes establishing site to site vpn tunnel. Access is opened as per requirements, but some tunnels go down and up sporadically. I was able to narrow down to strange traffic for ESP. Comparing working/not working tunnel I find the following difference

working:

vs_0][ppak_0] x:id[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:i[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:I[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:o[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:O[44]: site1 -> site2_IP1 (50) len=204 id=44641

 

not working:

[vs_0][ppak_0] x:id[44]: site1 -> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:iD[44]: site1-> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:i[44]: site1-> site2_IP2 (50) len=172 id=22516

 

fw ctl zdebug + drop |grep "site1" doesn't reveal anything.

 

any ideas, besides TAC, which is already involved.

4 Replies
PhoneBoy
Admin
Admin

Does the gateway in question even have VPN enabled?
If so, does it need to?

0 Kudos
abihsot__
Advisor

Yes, gateway does have VPN blade enabled and it is required.

enabled_blades
fw vpn ips identityServer mon

I found sk167973, but this is not exactly our case. We do not NAT this traffic and we are running higher JHF than mentioned in SK.

0 Kudos
abihsot__
Advisor

Any idea how to check why traffic is not passing from small "i" to big "I"?

0 Kudos
John_Fleming
Advisor

The debug in that SK doesn't seem to show a drop message. Have you tried that debug vs just doing a drop? I would also send output to a file then grep that file or turn on line buffering in grep just to be safe.

Bandaid warning: Just throwing this out there. If you can get them to switch to NAT-T mode on the vpn tunnel you might be able to work around.

0 Kudos