guiausechi
Participant

VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

Hello,

Has anyone had this problem?

I have one VPN between Check Point R80.40 and Aruba.

The symptoms are duplicate IKE phase 1 SAs on the Check Point, and sometimes the VPN goes down.

0 Kudos
28 Replies
PhoneBoy
Admin

Duplicate IKE Phase 1 isn't exactly a problem depending on the precise configuration.
In any case, you'd probably need to debug the issue further: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Matt_Killeen
Contributor

Error 404 on link

0 Kudos
G_W_Albrecht
Legend

That sk is not available anymore - try the following and the included links:

https://support.checkpoint.com/results/sk/sk40114

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

The SK that replaces the one I linked to previously is: https://support.checkpoint.com/results/sk/sk180488 

the_rock
Legend

Never really set up a tunnel between CP and Aruba personally, but I can ask one of my colleagues who is really good with Aruba to see if there are any known settings/issues to be aware of. Did the tunnel ever work right, or have you had the problem since the beginning? As @PhoneBoy said, debugging this is a really good idea on the CP side.

This is what I usually do, super easy process... on the CP fw, run the commands below from expert mode:

vpn debug trunc

vpn debug ikeon

generate some traffic

vpn debug ikeoff

Get the vpnd.elg file, as well as ike.elg, from $FWDIR/log

Use the ikeview utility (free to download, search Google) to examine the ike.elg file, look for the entry for the Aruba public IP in there and see what's happening. Also, vpnd.elg can give some insights as well.
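The capture sequence above, wrapped as a script so the debug window and file collection are repeatable. This is an added example, not from the thread; it assumes Check Point expert mode (where $FWDIR is set and the vpn command exists), and a DRY_RUN=1 mode that only prints the commands is included so the sequence can be reviewed off the gateway.

```shell
#!/bin/bash
# Added example: IKE debug capture per the sequence in this thread.
# Assumes expert mode on a Check Point gateway ($FWDIR set, `vpn debug` present).
set -u

# run: executes the command, or only prints it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY: $*"
  else
    "$@"
  fi
}

# capture_ike_debug <seconds> <output-dir>
# Truncates the old debug logs, turns IKE debug on for <seconds> so traffic can
# be generated, turns it off again, then bundles the relevant log files from
# $FWDIR/log into a timestamped tarball and prints the tarball path.
capture_ike_debug() {
  local window="$1" outdir="$2"
  local logdir="${FWDIR:?FWDIR is not set; run from expert mode}/log"
  local stamp bundle f
  local files=()
  stamp=$(date +%Y%m%d-%H%M%S)
  bundle="$outdir/ike-debug-$stamp.tgz"
  mkdir -p "$outdir"
  run vpn debug trunc
  run vpn debug ikeon
  echo "IKE debug enabled; generate VPN traffic now (waiting ${window}s)" >&2
  run sleep "$window"
  run vpn debug ikeoff
  # IKEv1 writes ike.elg, IKEv2 writes ikev2.xmll / legacy_ikev2.xmll;
  # collect whichever files exist (all of them in dry-run mode).
  for f in ike.elg ikev2.xmll legacy_ikev2.xmll vpnd.elg; do
    if [ "${DRY_RUN:-0}" = "1" ] || [ -f "$logdir/$f" ]; then
      files+=("$f")
    fi
  done
  run tar -czf "$bundle" -C "$logdir" "${files[@]}"
  echo "$bundle"
}
```

Open the bundled ike.elg or ikev2.xmll in IKEView and filter on the peer's public IP, as described in the post.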

prakash7
Explorer

We are facing an IPsec VPN tunnel instability issue: it goes down and up automatically every half an hour (we don't make any changes on the firewall). This is happening on a Check Point to Prisma Cloud tunnel.

Till now we haven't found what the issue is.

0 Kudos
PhoneBoy
Admin

You'll need to debug it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
See also scenarios 4 and 6 in: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Tunnel going up/down like that is likely a mismatch between the various timer settings.

0 Kudos
CheckPointerXL
Advisor

Did you fix the issue?

0 Kudos
Matlu
Advisor

Hello, my friend.

The file that should be obtained after the debugging you suggest, for IKEv2, what would it be?

I understand that it is not the same as the one in this post, right?

Regards

0 Kudos
the_rock
Legend

Ola bro,

Just do the below from expert mode:

cd $FWDIR/log && ls -lh *ike*

It will show you all the ike files, including ikev2.

Andy

0 Kudos
Matlu
Advisor

Hi, Andy.

Is this "file" the one to be read, in the IKEView?

File -> ikev2.xmll

Does this file "show" you both Phase1 and Phase2, or only Phase1?

Cheers.

the_rock
Legend

I believe phase2 only, but could be mistaken.

Andy

0 Kudos
Bob_Zimmerman
Authority

IKEv2 doesn't have quite the same phase 1 > phase 2 structure IKEv1 has. ikev2.xmll has all of the IKEv2 negotiation information.

0 Kudos
Matlu
Advisor

Hello,

Does the file ikev2.xmll have the same content as the file "legacy_ikev2.xmll", at least for troubleshooting?

Can I use either of the 2 without any problem?

Greetings.

0 Kudos
just13pro
Collaborator

I believe they are different; legacy_ikev2.xmll is phase 1 for IKEv2.

You can use IKEView to open the file; search the SK for the IKEView software.

the_rock
Legend

That sounds right.

0 Kudos
genisis__
Leader

Not sure this relates, but could this be related to IKEv2 narrowing?

If you do a 'vpn tu tlist' it should show the tunnels; you're looking for the wording 'narrow' or 'eclipsed'.

See:  https://support.checkpoint.com/results/sk/sk166417

0 Kudos
CheckPointerXL
Advisor

Hi all,

I'm experiencing the same problem on R81.10 T79 with third-party peers:

[screenshot: peersa.JPG]

Not all traffic inside the VPN is affected.

Moreover, I have these drops:

[screenshot: peersa1.JPG]

Moreover, I tried to clean the tunnel information with vpn tu, but the command is so bad: the information continues to be shown in vpn tu tlist, and I suspect that while the entries are still there, traffic is affected.
I tried to clean some tables (meta_sas, local_meta_sas, ikesa_out_spi), but found no way to delete a single entry.

0 Kudos
the_rock
Legend

Is it all 3rd party peers or just random ones? Can you give an example... any logs, screenshots?

Cheers,

Andy

0 Kudos
CheckPointerXL
Advisor

Just updated the post, sorry, I lost some information after publishing.

0 Kudos
the_rock
Legend

What version are you on?

0 Kudos
CheckPointerXL
Advisor

Like I said, I'm on R81.10 T79.

the_rock
Legend

Sorry mate, missed that, my bad. I have an R81.20 lab with a few tunnels, so let me do some digging and see if the issue is there. Is this something new that happened, or how long has it been a problem?

Andy

0 Kudos
CheckPointerXL
Advisor

New installation; the customer started to move VPNs from another device.

0 Kudos
the_rock
Legend

Maybe if you can give the exact commands you ran, I will verify in the lab... so far, I don't see any issues like that.

Andy

0 Kudos
CheckPointerXL
Advisor

fw tab -t ikesa_out_spi -x -e <value> (for each value displayed in: fw tab -t ikesa_out_spi)

0 Kudos
the_rock
Legend

I don't see any errors when running those.

0 Kudos
WhoNeedsFWs
Explorer

Did you ever resolve the instability challenges between Prisma Cloud and your Check Point gateway?

0 Kudos