T_Sonnberger
Contributor

VPN Encryption Issues with tunnel to Azure

Dear CPUG,

I have a strange issue with a tunnel to Azure.

The tunnel is up and running and we have routed two networks to Azure successfully for a long time. Now I have added a third network to the encryption domain to extend the remote range.

For this new network, I can't get a working connection...

Within Smart Log, I see that it is routed into the correct VPN community and is encrypted the same way as the working networks.

However, for SSH traffic, I do not see any drops in Smart Log, and for ICMP I see:

Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)

I have applied sk122532 with no success...

fw ctl zdebug + drop shows me different reasons why it's blocked:

@;452435048;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 s.s.s.s:1034 -> d.d.d.d:22 dropped by fwmultik_process_f2p_cookie_inner Reason: fwmultik_f2p_cookie_outbound_and_routing failed;
@;452460291;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=1 s.s.s.s:2048 -> d.d.d.d:13732 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;

Which brought me to sk167953, but then I wonder why it is working for the other two subnets in the encryption domain.

Looking at a fw monitor:

[vs_0][fw_2] eth1-01:i[44]: s.s.s.s-> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000
[vs_0][fw_2] eth1-01:I[44]: s.s.s.s -> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000
[vs_0][fw_2] eth1-01:o[44]: s.s.s.s -> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000
[vs_0][fw_2] eth1-01:O[44]: s.s.s.s -> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000
[vs_0][fw_0] eth1-01:Oe[44]: s.s.s.s -> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000
[vs_0][fw_2] eth1-03:i[44]: s.s.s.s -> d.d.d.d (TCP) len=52 id=10707
TCP: 31479 -> 22 .S.... seq=d355f30b ack=00000000

It appears to exit the physical Internet interface (eth1-03), while I do not see this for working connections?

Do you have any ideas what to check? Might it be a routing issue on Azure's end?

Any hint would be highly appreciated! Thanks in advance!

BR,

Thomas
3 Replies
T_Sonnberger
Contributor

P.S. We are running R80.30 Take 200.

Restarting the tunnel did not make any changes.

BR,

Thomas
PhoneBoy
Admin

No idea, but it seems like the next step would be to apply a later JHF as suggested by the SK.
T_Sonnberger
Contributor

Just a quick update:

Applying the hotfix did not solve the issue. After further reviewing with our Azure team, we figured out a misconfiguration of the routing table in Azure, so the encryption domains did not match.

After fixing this, we see at least no further drops, but it's still not working. I guess it's not related to our Check Point configuration though, as no issues can be seen now.

Thanks for your support though!
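A small consistency check for the root cause this thread ends on (encryption domains that do not match between the Check Point gateway and the Azure side), added here as an example; it is not part of the thread and not Check Point or Azure tooling. The prefixes are constructed, and the check simply applies the general IKE rule that a subnet listed by only one peer can never be covered by a common SA.

```python
import ipaddress

# Constructed sample data, not from the thread: how the Check Point gateway
# defines the Azure peer's encryption domain versus what the Azure side
# (Local Network Gateway / route table) actually covers. The third subnet
# exists only on the Check Point side, mirroring the mismatch found later.
CP_PEER_DOMAIN = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"]
AZURE_PEER_DOMAIN = ["10.10.0.0/24", "10.10.1.0/24"]


def to_nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def covered(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def domain_mismatch(local_def, peer_def):
    """Return (prefixes only the local side lists, prefixes only the peer lists).

    A prefix listed by one side only can never be covered by a common SA:
    that peer proposes traffic selectors the other side will not accept."""
    local, peer = to_nets(local_def), to_nets(peer_def)
    only_local = [str(n) for n in local if not any(n.subnet_of(p) for p in peer)]
    only_peer = [str(n) for n in peer if not any(n.subnet_of(l) for l in local)]
    return only_local, only_peer


def classify_flow(dst, local_def, peer_def):
    """Predict how the gateway handles a packet towards dst.

    sa_ok      : both sides include dst, so an SA can be negotiated
    no_sa      : only the local definition includes dst; the gateway wants to
                 encrypt but no SA exists ("failed to resolve SA" symptom)
    sent_clear : only the peer includes dst; the gateway routes it in cleartext
                 out of the Internet-facing interface, where the peer drops it
    not_vpn    : neither side includes dst, ordinary cleartext routing
    """
    in_local = covered(dst, to_nets(local_def))
    in_peer = covered(dst, to_nets(peer_def))
    if in_local and in_peer:
        return "sa_ok"
    if in_local:
        return "no_sa"
    if in_peer:
        return "sent_clear"
    return "not_vpn"
```

Feed it the encryption domain as configured on the gateway and the prefixes exported from the Azure side; any entry in either mismatch list, or a destination classified as no_sa, is the condition to fix before looking further at hotfixes.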