NikFal
Contributor

Site to Site Tunnel multi-SAs crash

Hello, 

I am facing a problem with a pfSense site-to-site VPN. The config matches on both sides: same everything, including the encryption domains.
The problem is that the S2S VPN works, but after a while it stops. The only way to make it work again is by resetting the VPN; then it works again.

I tried to debug the issue and found some weird things, like many SA peer connections, and it keeps adding them until the connection stops.
After a reset it all starts again. Also, IPsec phase 2 has many inbounds and outbounds. Any ideas what to check or where to start?

12 Replies
CaseyB
Advisor

Looking at the debug, it is failing on "Create Child SA". This appears to be a larger tunnel with 16 IKE SA's from your screenshot.

What does your encryption domain look like, are these all subnets? How often are you re-keying Phase2? What version are you running on?

NikFal
Contributor

The encryption domain has multiple subnets, the Client VPN net and some PCs.
Renegotiate phase 2: 3600 sec.
FW: R81.10 - Build 062 Take 139

CaseyB
Advisor

You don't need those hosts in the encryption domain, the 10.148.8.0/22 encompasses them, I would remove them.

Your screenshot shows 16 SA's, based on the encryption domain you provided, I would only expect 8 after removing the hosts and 12 before, that makes it seem like the tunnels are not building properly.

I would do a "vpn tu tlist -p <IP of PFsense>" from the GW CLI to validate all of the subnets are building properly, because that seems like the culprit.

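The expected-count reasoning in this reply (12 SA pairs before removing the covered hosts, 8 after) worked through as an added Python example; it is not code from the thread or from Check Point. The 10.148.8.0/22 subnet is from the post; every other address, and the assumption that per-subnet tunnel management builds one SA pair per (local subnet, remote subnet) pair, is constructed for illustration.

```python
# Added example, not code from the thread or from Check Point. Estimates how many
# Phase 2 SA pairs a per-subnet tunnel should build from two encryption domains
# and flags an observed count that exceeds it. 10.148.8.0/22 is from the thread;
# every other address below is constructed for illustration.
import ipaddress

def parse_domain(entries):
    """Hosts ('10.148.9.10') and subnets ('10.148.8.0/22') become IPv4Network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def collapse_domain(domain):
    """Drop entries already covered by a wider entry (CaseyB's cleanup: a host
    inside 10.148.8.0/22 is redundant and only adds traffic selectors)."""
    kept = []
    for net in sorted(set(domain), key=lambda n: n.prefixlen):  # widest first
        if not any(net.subnet_of(wider) for wider in kept):
            kept.append(net)
    return kept

def expected_sa_count(local, remote, mode):
    """Assumption: 'subnet' mode yields one SA pair per (local, remote) subnet
    pair; 'gateway' mode yields a single SA. 'host' mode depends on live
    traffic, so it cannot be predicted from the domains alone."""
    if mode == "gateway":
        return 1
    if mode == "subnet":
        return len(local) * len(remote)
    raise ValueError(f"cannot predict SA count for mode {mode!r}")

def check_sa_count(local, remote, mode, observed):
    """Compare the expected count with the number read from 'vpn tu tlist'.
    Returns (expected, ok); more SAs than expected means the peer proposes
    selectors that do not match the domain, so inspect TSi/TSr in the debug."""
    expected = expected_sa_count(local, remote, mode)
    return expected, observed <= expected

if __name__ == "__main__":
    # Constructed local domain: 4 subnets plus 2 hosts sitting inside the /22.
    local_raw = parse_domain(["10.148.8.0/22", "10.148.12.0/24", "10.148.20.0/24",
                              "192.168.50.0/24", "10.148.9.10", "10.148.10.25"])
    remote = parse_domain(["172.16.0.0/24", "172.16.1.0/24"])  # constructed peer
    local = collapse_domain(local_raw)
    print("before cleanup:", expected_sa_count(local_raw, remote, "subnet"))  # 12
    print("after cleanup:", expected_sa_count(local, remote, "subnet"))  # 8
    print(check_sa_count(local, remote, "subnet", observed=16))  # (8, False)
```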
NikFal
Contributor

Actually, it does not matter what we do; it will keep adding SAs until I have to reset the VPN to make it work again. I see on other VPNs only one SA, although the ED has many networks. I don't know how relevant that is..

CaseyB
Advisor

To me, it looks like the subnets are not defined properly on the PFsense side.

Looking back at the debug you posted, the failed "Created Child SA" is an inbound request, as in the PFsense is sending a subnet the Check Point does not like. You should be able to see those in the "TSi" and "TSr" fields.

Lesley
Leader

Under the VPN community, do you have SA per host, per subnet or per gateway?

What version are you running? Share the cpinfo -y all output from the relevant VPN gateway.

How often does the tunnel break? Does this match either the P1 or P2 timer?

-------
If you like this post please give a thumbs up(kudo)! 🙂
NikFal
Contributor

It is per subnet.
Ver: FW: R81.10 - Build 062 Take 139.
I have to restart it every day because it works for a couple of hours, then it does not work until I reset the VPN.

Lesley
Leader

Check what Casey typed before, you have to check further into the debugs:

"Looking back at the debug you posted, the failed "Created Child SA" is an inbound request, as in the PFsense is sending a subnet the Check Point does not like. You should be able to see those in the "TSi" and "TSr" fields."

Also regarding software, search here for 'VPN' and check if any bugs match. You should check everything above Take 139.

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend

No IPsec SA clearly tells us it's a phase 2 issue. How do you have tunnel management selected? Per host, subnet or gateway? If you are only using subnets, then subnet should be selected, but if it's a combo of both hosts/subnets, then select per gateway.

Also, do vpn domains match properly on both ends?

Andy

NikFal
Contributor

It's actually per subnet. It's not the first time I've added hosts and subnets to the ED with VPN sharing per subnet. It always worked fine. I also don't know if this is an issue on the other side, the pfSense, although it is worth trying.

the_rock
Legend

Well, if it worked before, maybe you just got lucky, but technically, if it's a combo of hosts/subnets, it should be set per gateway.

Andy

NikFal
Contributor

Now it looks different:
