This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2021-01-13 03:00 AM

Protocol 50 (ESP) traversing GW do not reach destination

Hello,

R80.40 latest JHF

I have an issue where CP gateway is in the middle between nodes establishing site to site vpn tunnel. Access is opened as per requirements, but some tunnels go down and up sporadically. I was able to narrow down to strange traffic for ESP. Comparing working/not working tunnel I find the following difference

working:

vs_0][ppak_0] x:id[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:iD[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:i[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:I[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:o[44]: site1 -> site2_IP1 (50) len=204 id=44641

[vs_0][ppak_0] x:O[44]: site1 -> site2_IP1 (50) len=204 id=44641

 

not working:

[vs_0][ppak_0] x:id[44]: site1 -> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:iD[44]: site1-> site2_IP2 (50) len=172 id=22516

[vs_0][ppak_0] x:i[44]: site1-> site2_IP2 (50) len=172 id=22516

 

fw ctl zdebug + drop |grep "site1" doesn't reveal anything.

 

any ideas, besides TAC, which is already involved.

4 Replies
PhoneBoy
Admin
Admin
‎2021-01-13 02:07 PM

Does the gateway in question even have VPN enabled?
If so, does it need to?

0 Kudos
abihsot__
Advisor
‎2021-01-13 11:16 PM
In response to PhoneBoy

Yes, gateway does have VPN blade enabled and it is required.

enabled_blades
fw vpn ips identityServer mon

I found sk167973, but this is not exactly our case. We do not NAT this traffic and we are running higher JHF than mentioned in SK.

0 Kudos
abihsot__
Advisor
‎2021-01-20 08:19 AM

Any idea how to check why traffic is not passing from small "i" to big "I"?

0 Kudos
John_Fleming
Advisor
‎2021-01-20 08:34 AM
In response to abihsot__

The debug in that SK doesn't seem to show a drop message. Have you tried that debug vs just doing a drop? I would also send output to a file then grep that file or turn on line buffering in grep just to be safe.

Bandaid warning: Just throwing this out there. If you can get them to switch to NAT-T mode on the vpn tunnel you might be able to work around.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events