TAEKBOM_Kim
Contributor

Protocol violation detected with protocol:(IKE Nat traversal - UDP)

Hello

We are seeing this issue, and we have a problem with VPN communication.

Do you have any idea about that?


1. SG5100: R80.10 (Take 249)

2. Topology: 3rd party VPN <--- SG5100 (bridge mode) ---> 3rd party VPN

   SG5100 is not set to VPN. It's just a bridge mode firewall.

3. Policy

[screenshot: 11.PNG]

4. Logs

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

[screenshot: 22.PNG]

7 Replies
Wolfgang
Leader

Kim,

First of all, a very interesting policy: "any => any, allow". I hope this will be only for testing.

It looks like your VPN partners are not correctly following the specifications for IKE NAT traversal.

You can try to create a new service-object with no protocol definition like this:

[screenshot: udp_4500.png]

and use this service object in your rulebase.

Wolfgang

TAEKBOM_Kim
Contributor

Wolfgang,
Yes, it's only for testing ("any => any, allow").

I created a new service-object with no protocol definition, but the result was the same.

Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)

[screenshot: 캡처.PNG]

G_W_Albrecht
Champion

Yeah, you get an alert, but what is your issue when I see action "accept" in the log?

TAEKBOM_Kim
Contributor

G_W_Albrecht,

We have a problem with VPN communication between 3rd party devices.
The VPN service has no problem when the Check Point devices are removed.
Cyber_Serge
Contributor

I'm seeing a similar log for Protocol violation, but it's for (DNS-UDP). Even though the log says "Allow" for the action, it actually causes a problem.

Not sure if the packet is dropped, but DNS did not resolve. Basically, if I do an nslookup from a client machine, I'll see a Protocol violation log coming from the internal DNS, and on the client machine the nslookup will not resolve the URL and just times out.

This doesn't always happen though. It happens from time to time, so it's hard to replicate the issue with support on the phone. Just curious what causes it to think there's a Protocol violation?

Cyber_Serge
Contributor

The temporary workaround we did was a Global Exception rule in the Inspection Settings for said traffic, while waiting on support to figure out what causes it to think there's a protocol violation.

Hitesh_Brahmbha
Participant

Every Next Generation firewall maintains protocol signatures to validate the authenticity of the protocol/service.
If any traffic does not match the defined service/protocol signature standard, it will alert you with the protocol violation error message.
In Check Point, the Application and URL Filtering blade must be enabled on the gateway for protocol signature validation.

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. This option is used to limit the port to the specified protocol.

Regards,
Hitesh Brahmbhatt

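Added example, not code from the thread or from Check Point: a small Python parser for the "Protocol violation detected" message text quoted in the original post, which tallies events by protocol and signature id so that intermittent cases like the DNS one described above can be correlated with the times of failed lookups. The sample log lines are constructed (the DNS sig_id values are invented), the message layout follows the line quoted in the thread, and the meaning of the trailing "(500)" is not stated in the thread, so it is kept as an opaque number.

```python
import re
from collections import Counter
from typing import Optional

# Layout follows the message quoted in the thread:
# "... protocol:(NAME), matched protocol sig_id:(N), violation sig_id:(M). (K)"
VIOLATION_RE = re.compile(
    r"Protocol violation detected with protocol:\((?P<protocol>[^)]+)\), "
    r"matched protocol sig_id:\((?P<matched>\d+)\), "
    r"violation sig_id:\((?P<violation>\d+)\)\. \((?P<trailer>\d+)\)"
)


def parse_violation(message: str) -> Optional[dict]:
    """Return the fields of a protocol-violation message, or None if it is not one."""
    m = VIOLATION_RE.search(message)
    if not m:
        return None
    return {
        "protocol": m.group("protocol"),
        "matched_sig_id": int(m.group("matched")),
        "violation_sig_id": int(m.group("violation")),
        # Trailing "(500)" as quoted; its meaning is not given in the thread (assumption: opaque).
        "trailer": int(m.group("trailer")),
    }


def summarize(log_lines):
    """Count violations per (protocol, trailer) and collect the distinct sig-id pairs seen."""
    counts = Counter()
    sig_pairs = {}
    for line in log_lines:
        v = parse_violation(line)
        if v is None:  # accept/drop lines without a violation message are skipped
            continue
        key = (v["protocol"], v["trailer"])
        counts[key] += 1
        sig_pairs.setdefault(key, set()).add((v["matched_sig_id"], v["violation_sig_id"]))
    return counts, sig_pairs


# Constructed sample lines (not real gateway output); DNS sig ids are invented.
SAMPLE_LOG = [
    "Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)",
    "Firewall - Protocol violation detected with protocol:(IKE Nat traversal - UDP), matched protocol sig_id:(10), violation sig_id:(20). (500)",
    "Firewall - Protocol violation detected with protocol:(DNS - UDP), matched protocol sig_id:(3), violation sig_id:(7). (53)",
    "Firewall - Accept udp 10.0.0.5:4500 -> 10.0.0.9:4500",
]

if __name__ == "__main__":
    counts, sig_pairs = summarize(SAMPLE_LOG)
    for (proto, trailer), n in counts.most_common():
        print(f"{proto} ({trailer}): {n} violation(s), sig pairs {sorted(sig_pairs[(proto, trailer)])}")
```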