R81.10 VPN site-2-site to Cisco C8500-12X IOS XE (not Palo Alto as previously stated)
EDIT:
Sorry guys. I was misinformed - it now proves that the remote peer is in fact a Cisco C8500-12X, not Palo Alto firewalls... They are not making it easy on me 🙂
History:
I am managing a CP R81.10 secure GW (VSX) with several VPNs to different vendors.
In late April we created yet another site-2-site VPN tunnel - towards Cisco IOS XE (for the first time), and it worked flawlessly.
In early July we deployed most recent (at that time) Jumbo Hotfix take 152.
Issue:
Since the JHF deployed in July it appears we have had problems when IPsec SA keys are renegotiated (at default time interval of 3660 seconds).
Note that the tunnel works for the vast majority of the time, and the tunneled subnets do reestablish communication eventually without manual intervention, but we do see traffic impact.
VPN Blade logs Rejects of various types - but generally in sequence:
From remote Cisco IOS XE to CP:
Child SA exchange: Ended with error
Initial exchange: Sending notification to peer: Invalid Key Exchange payload
Then from CP to remote Cisco IOS XE:
Child SA exchange: Received notification from peer: No proposal chosen MyMethods Phase2: AES-GCM-256 + HMAC-SHA2-384, No IPComp, No ESN, Group 20 (384-bit random ECP group)
And from Cisco IOS XE to CP
Informational exchange: Ended with error
Initial exchange: Sending notification to peer: Invalid Key Exchange payload
Actions:
We will be upgrading to latest Jumbo Hotfix (which claims to fix some VPN issues though none appear directly related) next week, but in case that does not solve the issue any help would be greatly appreciated.
We already have our eye on DPD configured on Cisco IOS XE since the CP side has not been configured with the tunnel as "Permanent", but I doubt that would cause IPsec renegotiation to fail periodically.
Also we have requested the Cisco IOS XE side to first try with an IKEv2 proposal that exactly matches the CP configuration. This has not yet been implemented - as these proposals are "global" - but they are looking into it.
I'd really like to hear if anybody has fixed identical issues?
CP VPN community config:
We have a VPN community ("policy based") tunnel with verified encryption domains (subnets) at both ends.
Only allow encrypted traffic
IKEv2 only
Phase 1: AES-256, SHA384, Group 20
Phase 2: AES-GCM-256, PFS group 20
Not permanent and One VPN tunnel per subnet pair
Shared secret (which of course works)
Renegotiate IKE 1440 (minutes)
Renegotiate IPsec 3600 (seconds)
Anything not mentioned should be at default values for R81.10 (initial deployment for this VSX cluster was on R80.40)
Cisco IOS XE config (which I do not control):
#show crypto ikev2 proposal
IKEv2 proposal: VPN_XXXX_PROPOSAL_AES_CBC
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256
PRF : SHA512 SHA384 SHA256
DH Group : DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20
IKEv2 proposal: VPN_XXXX_PROPOSAL_AES_GCM
Encryption : AES-GCM-256 AES-GCM-128
Integrity : none
PRF : SHA512 SHA384 SHA256
DH Group : DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20
IKEv2 proposal: default Disabled
#show crypto ipsec profile VPN_XXXX_PROFILE_10029
IPSEC profile VPN_XXXX_PROFILE_10029
IKEv2 Profile: VPN_XXXX_PROFILE_10029
Kilobyte Volume Rekey has been disabled.
Security association lifetime:3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group20
Mixed-mode : Disabled
Transform sets={
TS_XXXX_AES_GCM256: { esp-gcm 256 } ,
}
#show crypto ikev2 profile VPN_XXXX_PROFILE_10029
IKEv2 profile: VPN_XXXX_PROFILE_10029
Ref Count: 5
Match criteria:
Fvrf: INFRA
Local address/interface:
yyy.zzz.xxx.ooo
Identities:
address vvv.uuu.ddd.qqq 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: VPN_XXXX_KEYRING_10029
Trustpoint(s): none
Lifetime: 86400 seconds
no lifetime certificate
DPD: interval 10, retry-interval 5, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
PPK Dynamic: 0 PPK Required : 0 PPK Instance ID:
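Added example, not part of the original post and not tooling from either vendor: a small Python model of IKEv2 proposal selection. It parses the Cisco `show crypto ikev2 proposal` output quoted above, checks it against the Check Point Phase 1 settings listed in the post, and then runs the same overlap check on a constructed Child SA case so the reader can see what a "No proposal chosen" result looks like at the transform-type level. Assumptions: Check Point algorithm names are mapped by hand to the Cisco spelling (AES-256 to AES-CBC-256, SHA384 stays SHA384), the PRF offered is taken to be the same hash as the integrity algorithm, and the Child SA mismatch (an AEAD cipher paired with an integrity transform, against a transform set whose integrity is `none`) is constructed purely for illustration; it is not a finding about this thread's root cause, which the later replies attribute to a Check Point hotfix.

```python
"""Model IKEv2 proposal selection (RFC 7296 section 2.7 / 3.3): a proposal is
accepted only if every transform type it carries has at least one transform in
common with what the peer offers. Constructed data throughout."""
import re

# Constructed sample: the Cisco IOS XE 'show crypto ikev2 proposal' output from the post.
CISCO_IKEV2_PROPOSALS = """\
IKEv2 proposal: VPN_XXXX_PROPOSAL_AES_CBC
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256
PRF : SHA512 SHA384 SHA256
DH Group : DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20
IKEv2 proposal: VPN_XXXX_PROPOSAL_AES_GCM
Encryption : AES-GCM-256 AES-GCM-128
Integrity : none
PRF : SHA512 SHA384 SHA256
DH Group : DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20
IKEv2 proposal: default Disabled
"""

# Map the Cisco field labels onto IKEv2 transform types.
FIELD_TO_TYPE = {"Encryption": "ENCR", "Integrity": "INTEG", "PRF": "PRF", "DH Group": "DH"}

# Check Point Phase 1 from the post (AES-256, SHA384, Group 20), written in the
# Cisco spelling. Assumption: the PRF is the same hash family as integrity.
CP_IKE_PROPOSAL = {"ENCR": {"AES-CBC-256"}, "INTEG": {"SHA384"}, "PRF": {"SHA384"}, "DH": {20}}

# Constructed Child SA (ESP) case. Cisco side: transform set 'esp-gcm 256' with PFS group 20,
# i.e. an AEAD cipher with integrity 'none'. ESP has no PRF transform type.
CISCO_CHILD_TRANSFORM_SETS = {
    "TS_XXXX_AES_GCM256": {"ENCR": {"AES-GCM-256"}, "INTEG": {"NONE"}, "DH": {20}},
}
# Hypothetical peer proposals: one pairs GCM with an integrity transform (no overlap on
# INTEG), the other correctly offers integrity 'none' alongside the AEAD cipher.
CP_CHILD_PROPOSAL_MISMATCH = {"ENCR": {"AES-GCM-256"}, "INTEG": {"SHA384"}, "DH": {20}}
CP_CHILD_PROPOSAL_OK = {"ENCR": {"AES-GCM-256"}, "INTEG": {"NONE"}, "DH": {20}}


def parse_cisco_proposals(text):
    """Parse 'show crypto ikev2 proposal' output into {name: {type: set(transforms)}}.
    Disabled proposals are skipped; DH groups are reduced to their IANA group number."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"IKEv2 proposal:\s+(\S+)(\s+Disabled)?", line)
        if m:
            current = None if m.group(2) else m.group(1)
            if current:
                proposals[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        field, _, values = line.partition(":")
        ttype = FIELD_TO_TYPE.get(field.strip())
        if ttype == "DH":
            proposals[current]["DH"] = {int(g) for g in re.findall(r"Group (\d+)", values)}
        elif ttype:
            proposals[current][ttype] = {v.upper() for v in values.split()}
    return proposals


def select_proposal(peer, local_proposals):
    """Walk the local proposals in order and accept the first whose every transform
    type overlaps with the peer's offer. Returns (name, chosen transforms) on success,
    or (None, diagnostics) where diagnostics lists, per rejected proposal, the
    transform types that had no transform in common (the cause of NO_PROPOSAL_CHOSEN)."""
    diagnostics = {}
    for name, offered in local_proposals.items():
        chosen, missing = {}, []
        for ttype, transforms in offered.items():
            common = peer.get(ttype, set()) & transforms
            if common:
                chosen[ttype] = sorted(common, key=str)[0]
            else:
                missing.append(ttype)
        if not missing:
            return name, chosen
        diagnostics[name] = missing
    return None, diagnostics


def report(label, result):
    """Render a select_proposal() result as one readable line."""
    name, detail = result
    if name is None:
        gaps = "; ".join(f"{p}: no overlap on {', '.join(t)}" for p, t in detail.items())
        return f"{label}: NO PROPOSAL CHOSEN ({gaps})"
    return f"{label}: chose {name} with {detail}"


if __name__ == "__main__":
    ike = parse_cisco_proposals(CISCO_IKEV2_PROPOSALS)
    print(report("IKE SA", select_proposal(CP_IKE_PROPOSAL, ike)))
    print(report("Child SA (mismatch)", select_proposal(CP_CHILD_PROPOSAL_MISMATCH, CISCO_CHILD_TRANSFORM_SETS)))
    print(report("Child SA (ok)", select_proposal(CP_CHILD_PROPOSAL_OK, CISCO_CHILD_TRANSFORM_SETS)))
```

The useful part for troubleshooting is the diagnostics branch: a "No proposal chosen" log line only tells you that the whole proposal was rejected, while comparing transform type by transform type tells you which one (encryption, integrity, PRF or DH group) carries no common value, which is the first thing to check before suspecting a software defect.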
The hotfix solved our issue.
Thank you so much to everyone in this post - it has really been a big help in resolving this issue quickly for us and our customers.
Awesome news!
Great! I did inquire about it getting added to a jumbo, I should know more after the weekend.
Great - I am also going to inquire about the exact same thing.
Will also keep you posted.
I anticipate we are putting our upgrades on hold, until a recommended is released incorporating this fix.
I inquired about hotfix for JHF, but they just told me to keep an eye on the release notes.
I have asked for a PRJ or PRHF ID.
The hotfix did the trick for our ikev2 tunnels as well. Much appreciated.
Fantastic news.
I will be installing the same tomorrow, and as I see it worked for several people here it gives me some confidence.
Thanks for sharing 👍
EDIT: I'm not having any luck with this one. The hotfix delivered by CheckPoint won't import, and thus can't be installed... Note that it might differ a bit from yours since I'm on JHF Take 158.
[Expert@fw:0]# sha256sum /var/log/fw1_wrapper_HOTFIX_R81_10_JHF_T158_201_MAIN_GA_FULL.tar
130ad401a42ba41089d3645b7e8ecb924a808b259f9a107a287d725ab6461db2 /var/log/fw1_wrapper_HOTFIX_R81_10_JHF_T158_201_MAIN_GA_FULL.tar
[Expert@fw:0]# clish
fw:0> installer agent update
Info: Initiating CPUSE self update...
Deployment Agent: agent is up to date
fw:0> installer import local /var/log/fw1_wrapper_HOTFIX_R81_10_JHF_T158_201_MAIN_GA_FULL.tar
Preparing package for import. This operation might take a few moments
Note: The selected package will be copied into CPUSE repository
Info: Initiating import of fw1_wrapper_HOTFIX_R81_10_JHF_T158_201_MAIN_GA_FULL.tar...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Import of package fw1_wrapper_HOTFIX_R81_10_JHF_T158_201_MAIN_GA_FULL.tar Failed
Error: Failed to find package or package metadata.
fw:0>
Now I'm discussing with CheckPoint (through proxy) why their hotfix won't install...
Having PA create a custom profile will most likely fix the issue. I've had great success limiting the encryption algorithm to CBC like the following example.
I'd also check the Traffic Selectors that are being proposed by both ends when tunnels come down.
Agree 100%
Definitely true. I had seen that also fix issues on Fortigates before.
Andy
Just for your information. Checkpoint finally delivered a hotfix that solved the issue for us last week. Long journey 🙂
fw1_wrapper_HOTFIX_R81_10_JHF_T158_356_MAIN_GA_FULL.tar
Nice @BjornErichsen - great to hear 🙂
Looks like this was fixed in R81.10 JHF 171.
I am in the process of moving everything from R81.10 to R81.20, so I won't be testing it.