This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Exonix
Advisor
‎2023-12-01 08:29 AM

Received notification from peer: Traffic selectors unacceptable

Hello All,

we have a VPN Tunnel on 80.40 with third party Gateway. Almost everything is working, but sometimes some remote server becomes unreachble. During troubleshooting I found following message that repeats every minute:

Source: our VPN Gateway
Destination: remote VPN Gateway

Child SA exchange: Received notification from peer: Traffic selectors unacceptable
MyTSi - <our public IP>
MyTSr: <remote internal network/16>

vpt tu tlist shows:

+-----------------------------------------+-----------------------+---------------------+
| Peer: remote Public IP - gateway name   | MSA:     7f7f89890408 | i: 1  ref:     2    |
| Methods: ESP Tunnel PFS AES-256 SHA256..|                       |                     |
| My TS:   our Public IP                  |                       |                     |
| Peer TS: remote internal network/16     |                       |                     |
| MSPI:    8000ab (i:  1, p:  0)          | No outbound SA        |                     |
+-----------------------------------------+-----------------------+---------------------+

 

Debug log:

sa1.png

The main question which is bothering me: who initializes this traffic - we or the remote server?

What does it mean "no outbound SA"? If it is incomming traffic why not to write "incoming SA"?

The first assumption the one remote host tries to reach our Gateway via its public IP, which is not in the encryption domain and refused Am I close?

 

Thank you in advance!

0 Kudos
10 Replies
the_rock
Legend
Legend
‎2023-12-01 09:05 AM

To me, logically looking at this, would indicate there is a problem where remote peer does not accept your selectors, so definitely phase2 problem. Whats the other side? Fortinet, Cisco, Sonicwall, PAN...something else?

Andy

0 Kudos
Exonix
Advisor
‎2023-12-04 12:14 AM
In response to the_rock

Palo Alto

0 Kudos
the_rock
Legend
Legend
‎2023-12-04 04:43 AM
In response to Exonix

I cant recall the wording now on PAN, but if theres something called peer ID, just remove it, as CP does not use that at all. For NAT, as @D_Schoenberger mentioned, if there is need for it, make sure its not disabled within the community and then create manual NAT rule(s).

Best regards,

Andy

0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2023-12-04 06:34 AM
In response to Exonix

Palo Alto uses route-based VPNs by default, and will only accept an IKE Phase 2 proposal of 0.0.0.0/0 0.0.0.0/0 (a so-called "universal tunnel") unless special arrangements are made on the Palo side for it to mimic a domain/subnet-based VPN by configuring explicit Proxy-IDs.  See here: 

https://community.checkpoint.com/t5/Security-Gateways/Site-to-Site-VPN-between-Checkpoint-and-Palo-A...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend
Legend
‎2023-12-04 06:38 AM
In response to Timothy_Hall

I dont believe thats totally accurate. In older versions of PAN, you could build domain based tunnels, but you are correct, in new versions, its only route based. As far as phase 2 selectors, I am 100% positive you can use regular subnets, not just 0.0.0.0/0, because I had seen customers do it and it works, and Palo Alto TAC verified the same as well.

Best regards,

Andy

0 Kudos
Exonix
Advisor
‎2023-12-05 07:55 AM
In response to Timothy_Hall

it is not Route Based VPN for sure, but domain based.

0 Kudos
the_rock
Legend
Legend
‎2023-12-05 07:59 AM
In response to Exonix

I dont think that really matters in this context much.

Andy

0 Kudos
D_Schoenberger
Employee
Employee
‎2023-12-01 02:40 PM

When looking at a negotiation in IKEView, the "arrow" indicates who initiated.

==> means the local GW initiated

<== means the peer initiated

 

When looking at "vpn tu tlist", you'll sometimes see "No outbound SA" when IPSec negotiations have failed, but IKE succeeded. "vpn tu tlist" shows the outbound SA we use to encrypt traffic to the peer - it doesn't care which side initiated the negotiation.

 

Considering the peer is rejecting a proposal for the public IP of your gateway to their internal network, there is most likely have a Hide NAT configured on your internal network, and the peer is not configured to accept proposals from your public IP.

 

If this is an Automatic NAT (NAT configured on a host/network object directly), you can use the "Disable NAT inside the VPN community" setting under the "Advanced" settings of your VPN community. If you're using manual hide NAT rules, you'll need a no-NAT rule above your hide NAT rule.

0 Kudos
Exonix
Advisor
‎2023-12-04 12:18 AM
In response to D_Schoenberger

NAT is used only for Direct access, the Tunnel is standard - local Net | our VPN --- remote VPN | remote Net

But looks like one server tries something different and Remote VPN doesn't accept it. Maybe it uses NAT, thanks for idea, I wil lcheck it.

0 Kudos
Exonix
Advisor
‎2023-12-05 07:59 AM
In response to D_Schoenberger

I found in the FW Settings in Gaia, that the FW try to reach remote DNS and uses their external IP, which also presented in the debug. I've removed the DNS, but this traffic still going out... Are there any other places for DNS settings?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events