This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2021-04-02 02:24 AM

VPN Troubles after installing R80.30 Take 228...

Hello Check Pointers ...

Question:
We did some upgrades on  R80.30 clusters from Take 196 to Take 228 and encountered an increase of VPN issues ...
They are hard to grasp in total, but we saw a big increase of outage warnings by our monitoring systems.

for example we saw this is /var/log/message -> but thousends and thousends of them!!!
[fw4_27];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed
[fw4_6];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed
[fw4_6];FW-1: cphwd_crypt_upd_link_selection_stat_cb: link selection update API failed

or

[fw4_13];cphwd_update_crypto_info_and_resume_chain: failed to get sxl_devvfw4_13];FW-1: 

and this here.

[fw4_0];cphwd_update_crypto_info_and_resume_chain: corr info (sxl_dev_id:0) - app opaque (sxl_dev_id:32) mismatch
[fw4_0];cphwd_update_crypto_info_and_resume_chain: failed to get sxl_dev
there is an SK for this message -> sk160612

but does not help.

other issues are, Client VPN it sometimes just disconnects, many Stateful Inspection issues in VPN and just instability.
so very unprecise it total.

also i see this messages also on R80.40 Take 94.

and yes we use IPSec Link Selection with LS and ISP Redundancy with Internet and MPLS lines. 

-> TAC cases are opened also ... lets see.

 

best regards





0 Kudos
2 Replies
mk1
Collaborator
‎2021-04-02 07:23 AM

Hello @Thomas_Eichelbu ,

We upgraded couple of HA clusters from R80.20 to R80.40 with the latest jumbo 94 and almost of all them which use ISP redundancy have VPN issues. For instance when we check "List all IPsec SAs for a given peer (GW) or user (Client)" with vpn tu for problematic peer we have the following:

IKE SA <968dda368fda4b4e,242e1e63727f3a1c>
(No IPSec SAs)

IKE SA <7d6c24dcd3e9697d,9a9edc436fae11df>
(No IPSec SAs)

IKE SA <d0fbeb6e8966e95d,6bcdc87e88e5c311>
(No IPSec SAs)

IKE SA <e0549c9dc402adc6,3e0eb30596d67909>
(No IPSec SAs)

IKE SA <0aa6e7b39c18bd61,a02b4a5168a19a4d>
(No IPSec SAs)

IKE SA <05943b6d1a73fe36,8d6613131c033a59>
(No IPSec SAs)

 

When we reset the tunnel everything comes back to normal and after some random period the problem starts again. The issue exists for the VPNs between gateways part of the same management, together with other Check Point devices which are part of another management. We tried to turn off fwaccel but the result was the same. Case is opened to TAC, but they need the results from "heavy VPN debug" which could overload the devices. Please give some updates if you have something useful from TAC.

Thank you!

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2021-04-02 07:37 AM
In response to mk1

Hello, 

i have seen that too ... i updated a cluster from R80.30 to R80.40 Take 94 ...
Link Selection in HA and ISP Redundany were configured ...

all tunnel to the  remote sites were off after installing both machines ... 
the tunnel went on and off in a rapid manner ... 
but client vpn worked and safed my day 🙂
a tunnel reset for all tunnels had helped ... 
now all is stable ... perhaps a one time wonder ..
but the messages from /var/log/messages are still present.

-> TAC is already working on the log entries ... i keep you updated!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events