VPN & fwconn_key_init_links (OUTBOUND) failed
Hi Checkmates,
We are working on a migration project and we are facing a strange issue.
The architecture is quite simple:
- Cluster of 5800 appliances, R80.10 + jumbo 154
- Management is a R80.10 VM.
Everything seems fine except VPN. Only 4 VPNs among 7 are working. Not always the same, but never more than 4.
For the failed VPNs, we've discovered that outgoing IKE packets are dropped by the active member:
;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 a.a.a.a:500 -> b.b.b.b:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
a.a.a.a : cluster IP
b.b.b.b : peer IP
We have contacted the TAC and they've collected multiple captures. For now, nobody seems to be able to explain why the gateway drops its own IKE packets.
According to TAC, sk124732 doesn't apply.
If anyone knows what "fwconn_key_init_links (OUTBOUND) failed" could mean ...
Thanks for your help!
- Tags:
- r80.10 vpn
- vpn
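A triage helper for drop lines in the format quoted in the post above, added here as an example and not part of the thread or of any Check Point tooling: it counts dropped IKE packets whose source is one of the gateway's own addresses, grouped by source, peer and reason. The function names, the sample lines, the addresses and their roles are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the drop line quoted in the first post.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)
UDP = 17
IKE_PORTS = {500, 4500}  # 500 is on the page; 4500 (NAT-T) is added here

def parse_drop(line):
    """Return the fields of one drop line as a dict, or None if it does not match."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    d["reason"] = d["reason"].strip()
    return d

def own_ike_drops(lines, gateway_ips):
    """Count dropped IKE packets sourced from the gateway, per (src, peer, reason)."""
    hits = Counter()
    for line in lines:
        d = parse_drop(line)
        if d and d["proto"] == UDP and d["dport"] in IKE_PORTS and d["src"] in gateway_ips:
            hits[(d["src"], d["dst"], d["reason"])] += 1
    return hits

# Constructed sample: 192.0.2.1 = cluster IP, 192.0.2.3 = standby member (assumed roles).
SAMPLE = """\
;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.1:500 -> 198.51.100.10:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=17 192.0.2.1:500 -> 198.51.100.10:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=17 192.0.2.1:500 -> 198.51.100.20:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 192.0.2.3:500 -> 198.51.100.20:500 dropped by constructed_func Reason: constructed other reason;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.0.5:51514 -> 203.0.113.7:443 dropped by constructed_func Reason: constructed other reason;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 203.0.113.9:500 -> 192.0.2.1:500 dropped by constructed_func Reason: constructed other reason;
""".splitlines()

if __name__ == "__main__":
    own = {"192.0.2.1", "192.0.2.3"}
    for (src, peer, reason), n in own_ike_drops(SAMPLE, own).most_common():
        print(f"{n:3d}  {src} -> {peer}  {reason}")
```

Passing the member addresses along with the cluster IP in `gateway_ips` separates packets sourced from a cluster member from packets sourced from the cluster IP.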
The error message seems to be NAT related, specifically when the attempt to NAT fails for one reason or another.
It comes up here (among other places): Traffic is not NATed correctly
Hi Dameon,
Thanks for the hint. Indeed something seems to go wrong with NAT. I will also check if the sk41916 might apply.
Regards,
Benoit
Also make sure it is not the backup firewall sending out packets through the primary.
This is something we see a lot if people start to monitor both firewalls with SNMP over the VPN connection.
Hi,
We finally solved our issue. It was a simple NAT rule that was conflicting with IKE traffic... Rebuilding a narrowed NAT rule, and all the VPNs came up!
Regards,
Benoit
Hi,
How did you resolve it? My customer is using an openserver cluster with R80.40 take 161 and we have an issue related to site-to-site VPN. The tunnel is established, but during the day the tunnel is sometimes disconnected and comes up later. We've tried some configurations to avoid it, but the tunnel still comes down a few times a day.
