Hi,
After completing an in-place upgrade of our ClusterXL pair from R80.10 to R80.20 we are now experiencing some VPN traffic issues.
We have 14 VPN tunnels between Cisco 887 routers (all in the same community) and they were all working perfectly prior to the upgrade.
After the upgrade we are seeing the following 2 scenarios:
Issue 1: GRE Tunnels stop working when a policy is installed. (Similar to issue 2)
Configuration:
[GRE Router] – [FW CLUSTER] ------- vpn ------- [Cisco 887] --- [Cisco switch]
|___________________ GRE Tunnel ___________________|
When a policy is installed, the sites that utilize a GRE tunnel across the VPN stop working. They will start working again after a variable time ranging from several minutes to several hours.
I can get them working immediately again by failing the cluster to the standby member. I can then fail back and everything keeps working.
While it is experiencing the issue:
- SSH through the VPN works to the Cisco 887 devices.
- Pings work to the Cisco switch interface.
- Other traffic does not get to the Cisco switch interface. The Cisco switch interface is the GRE tunnel endpoint, so the GRE tunnel drops.
Issue 2: VPN Sites with only a Cisco 887
Configuration:
[FW CLUSTER] ------- vpn ------- [Cisco 887] – [Devices e.g. UPS, Cardax]
All VPN links are stating they are up and ping traffic works to all devices. Several sites (not all) are having the issues below, where traffic does not work.
- SSH and telnet to the Cisco 887 across the VPN does not work.
- Telnet, SSH and HTTP do not work to the UPS connected to the Cisco 887.
- Ping is successful across the VPN to the Cisco 887 and the UPS.
- Disabling SecureXL – all the above traffic works
- Enabling SecureXL – New connections stop working. Existing sessions (e.g. SSH) continue to work.
The following will usually resolve the issue:
- selecting 'vpn tu' – Option 7 – Delete all IPsec+IKE SAs for a given peer (GW)
Sometimes the above doesn't work, and it may work by selecting option 5 after doing option 7.
I have just logged a case with Check Point.
If anyone has any ideas or has seen this before I'd appreciate any assistance, as I'm not sure what to do next.
Also:
Rebooting the Cisco 887 does not resolve the issue.
Both firewalls in the cluster have been rebooted (they were done separately – I have not rebooted both at the same time).