Re: Weird issue with VPN tunnel - Return traffic i...

Blason_R · ‎2021-12-15

Hi Team,

I am facing this weird issue with VPN tunnel. I have VPN tunnel configured with CISCO Router and I am natting the traffic from checkpoint end. e.g.

CP Enc dom - 172.16.31.0/24

remote end dom - 10.122.0.0/24

Hide NAT IP: 10.100.0.3 (H)

Tunnel comes up and I see P1 and P2 both are up however I am not able to telnet to the destination server IP on desired port while in tracker it shows as below

What I noticed that retrun traffic of same traffic is getting dropped by firewall blade however forward traffic is properly getting encrypted and being forwarded however return as I said is getting dropped with below error.

@;3490569964;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.122.0.10:80 -> 10.100.0.3:43499 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';

Then I disabled vpn accel off as well as fwaccel off but still no issue persists.

fw ctl zdebug + drop | grep 10.100.0.3

@;3713639651;[kern];[tid_0];[SIM-206028253];handle_vpn_encryption: silently dropping for F2F reasons: failed to find link, conn: <10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639651;[kern];[tid_0];[SIM-206028253];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639669;[kern];[tid_0];[SIM-206028253];handle_vpn_encryption: silently dropping for F2F reasons: failed to find link, conn: <10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639669;[kern];[tid_0];[SIM-206028253];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.100.0.3,43499,10.122.0.10,80,6>;

TIA

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-12-15

What do you see if you do vpn debug? What does ike.elg show? Where exactly does it fail, MM or QM?

Blason_R · ‎2021-12-15

Nope I believe you misread it - My entire tunnel is up with P1 as well as P2. However when I send the traffic one way traffic is passed however in tracekr I see the return traffic of same path is getting blocked e.g

OS 172.16.31.10

OD 10.122.0.10

XS 10.100.0.3

OSPort: 45852

ODport: 80

Action Encrypt

******************

Return

10.122.0.10

10.100.0.3

Odport: 45852

Osport: 80

getting dropped with CPEarly Drop and fw ctl zdebug shows

@;3490569964;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.122.0.10:80 -> 10.100.0.3:43499 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-12-15

Apologies for that. Ok, if thats the case and vpn accel off failed, try below, worked once for customer I was helping.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Blason_R · ‎2021-12-15

Again that seems to be very weird to me as to return path of same traffic is getting blocked; this is not a new session opened by peer but a traffic of already initiated traffic.

Any way let me try that.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-12-15

I agree with you 100%. We even had TAC case opened for it and thats they gave us with NO logical explanation. I personally hate doing things I dont understand, but customer just wanted to ensure it worked, so thats why they did it.

Blason_R · ‎2021-12-15

And that worked??

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-12-15

Yes sir, how, please dont ask me, as I got no clue in the world and sadly, neither did TAC

Are you a member of CheckMates?

Weird issue with VPN tunnel - Return traffic is getting dropped with earlyDrop