VPN tunnel in Phase-1
Hi,
After upgrading the central firewall to R81.10, the tunnel stays in phase-1. There is status information below.
In some places, it is written that I need to create traffic. Does anyone have any information?
Central FW: version R81.10 Hotfix: 110. Cluster
Branch FW: 1530 appliance, version: R80.20.30
VPN tunnel monitor log:
Tunnel centralfw<=> sideA
State Up - Phase1
Community sideAVPNSite
Type Regular
From sideA
To centralfw
State Up - Phase1
Peer IP X.X.X.14
Next Hop IP N/A
Interface N/A
Source IP N/A
Link Priority Primary
Prob State N/A
Peer Type Regular
UDP Encapsulation None
MEP participants
Thanks for your replies.
Accepted Solutions
Hi,
My problem has been solved. I checked all of the VPN community configuration. I saw that the sideA WAN IP address was wrong. When I changed it to the true IP address, the tunnel connected and the status is up.
Is this configured as permanent tunnel?
Andy
Good job!
Kind of strange: after the upgrade it is not working.
But after your checking, it was found to be a wrong configuration?
Hi @just13pro
Yeah, that is strange. I wrote briefly that it was solved, due to workload. I will now give a detailed explanation.
2 months ago, we made an IP change in the region where we used the 1530 series device. After this change, the 1530 was reconnected to the central management according to the new WAN IP address (with SIC).
After so much time had passed, we realized that there was no ping from the center to sideA. Not only ping but also IP phones etc.; nothing works.
When I checked, I saw that it was so, but ping is coming from sideA. When I looked at the logs, I saw these logs.
@;65686661;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.99.5.20:2048 -> 172.16.0.10:16972 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
When I monitored the tunnel, I saw the above output (tunnel monitoring output). I realized that the tunnel was one-way UP. Then it occurred to me to check the community settings. (I think this was the first thing I should have done. Sometimes this happens, unfortunately.) There was no problem with the community settings. When I looked at the 1530 firewall object, I realized that the WAN IP address was different. After changing the WAN IP address to the current one, the tunnel was up.
I don't understand how the tunnel worked for so long and ping and IP phones continued to work. As a result, the process worked like this. As a result, it is a fact that there is a STRANGE situation. Or, if there is an explanation, if anybody writes and enlightens this situation, I will learn something.
Thanks..
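A way to triage drop output like the line quoted in the post above, added here as an example that is not part of the original thread: it counts, per source and destination pair, the drops whose reason is "tunnel is not yet established". The regular expression is derived only from that single quoted line, so other versions may format the line differently (assumption); the function names and the extra sample lines are constructed.

```python
import re
from collections import Counter

# Pattern follows the one drop line quoted in the thread (assumption: other
# releases may lay the line out differently).
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]+);"
)

def parse_drop(line):
    """Return the fields of one drop line as a dict, or None if it does not match."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["reason"] = fields["reason"].strip()
    return fields

def tunnel_not_established(lines):
    """Count drops per (src, dst) where encryption failed because no tunnel is up."""
    hits = Counter()
    for line in lines:
        d = parse_drop(line)
        if (d and d["func"] == "fw_ipsec_encrypt_on_tunnel_instance"
                and "tunnel is not yet established" in d["reason"]):
            hits[(d["src"], d["dst"])] += 1
    return hits

# Sample input: line 1 is the line from the thread; lines 2-4 are constructed.
SAMPLE = [
    "@;65686661;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.99.5.20:2048 -> 172.16.0.10:16972 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;",
    "@;65686699;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.99.5.20:2048 -> 172.16.0.10:16973 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;",
    "@;65686701;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.99.5.21:40000 -> 192.0.2.7:443 dropped by constructed_other_function Reason: constructed unrelated reason;",
    "constructed line that is not a drop record",
]

if __name__ == "__main__":
    for (src, dst), n in tunnel_not_established(SAMPLE).most_common():
        # Many drops toward one remote network point at that peer's tunnel;
        # in the thread the cause was a stale WAN IP on the peer gateway object.
        print(f"{n} drops {src} -> {dst}: tunnel not established")
```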
