Blason_R
Leader

Weird issue with VPN tunnel - Return traffic is getting dropped with earlyDrop

Hi Team,

I am facing this weird issue with a VPN tunnel. I have a VPN tunnel configured with a Cisco router and I am NATing the traffic from the Check Point end, e.g.

CP Enc dom - 172.16.31.0/24

remote end dom - 10.122.0.0/24

Hide NAT IP: 10.100.0.3 (H)

The tunnel comes up and I see that both P1 and P2 are up; however, I am not able to telnet to the destination server IP on the desired port, while in tracker it shows as below.

What I noticed is that the return traffic of the same connection is getting dropped by the firewall blade; the forward traffic is properly encrypted and forwarded, but the return, as I said, is getting dropped with the error below.

@;3490569964;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.122.0.10:80 -> 10.100.0.3:43499 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';

Then I ran vpn accel off as well as fwaccel off, but the issue still persists.

fw ctl zdebug + drop | grep 10.100.0.3

@;3713639651;[kern];[tid_0];[SIM-206028253];handle_vpn_encryption: silently dropping for F2F reasons: failed to find link, conn: <10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639651;[kern];[tid_0];[SIM-206028253];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639669;[kern];[tid_0];[SIM-206028253];handle_vpn_encryption: silently dropping for F2F reasons: failed to find link, conn: <10.100.0.3,43499,10.122.0.10,80,6>;

@;3713639669;[kern];[tid_0];[SIM-206028253];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.100.0.3,43499,10.122.0.10,80,6>;

TIA

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
7 Replies
the_rock
Legend

What do you see if you do vpn debug? What does ike.elg show? Where exactly does it fail, MM or QM?

Blason_R
Leader

Nope, I believe you misread it. My entire tunnel is up, with P1 as well as P2. However, when I send the traffic, one-way traffic is passed, but in tracker I see the return traffic of the same path is getting blocked, e.g.

Forward:

OS 172.16.31.10

OD 10.122.0.10

XS 10.100.0.3

OSPort: 45852

ODport: 80

Action: Encrypt

******************

Return:

Src 10.122.0.10

Dst 10.100.0.3

Odport: 45852

Osport: 80

getting dropped with CPEarly Drop, and fw ctl zdebug shows

@;3490569964;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.122.0.10:80 -> 10.100.0.3:43499 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
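The forward/return tuples in the post above and the `fw ctl zdebug + drop` lines in the opening post can be correlated mechanically rather than by eye. What follows is an added example, not code from the thread and not Check Point tooling: a small Python parser for the zdebug drop line format that labels each drop as the forward leg, the return leg, or a SecureXL connection-key lookup for the NATed connection under test, so that "return leg of an existing connection" versus "new session hitting the rulebase" is answered by the data. The sample lines are constructed from the ones quoted in the thread (the proto=17 line is invented to show unrelated drops being filtered out), the source port 43499 is taken from the zdebug output rather than the tracker screenshot, and the `Flow`, `DropEvent`, `hide_nat`, `classify` and `return_drop_reasons` names are the example's own; `hide_nat` assumes the source port is preserved unless a translated port is given.

```python
"""Triage helper for `fw ctl zdebug + drop` output (added example, not Check Point code).

Each line has the shape
    @;<ts>;[<vs>];[<tid>];[<module>];<function>: <message>;
Two message forms are parsed: the fw4 "Packet proto=P S:SP -> D:DP dropped by ..." form
(tuple is the dropped packet) and the SecureXL/SIM "... conn: <S,SP,D,DP,P>" form
(tuple is the connection key, initiator first).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^@;(\d+);\[([^\]]*)\];\[([^\]]*)\];\[([^\]]*)\];(\w+):\s*(.*?);?\s*$")
PKT_RE = re.compile(
    r"Packet proto=(\d+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+dropped by \S+\s+Reason:\s*(.*)")
CONN_RE = re.compile(r"conn:\s*<([^,>]+),(\d+),([^,>]+),(\d+),(\d+)>")


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """5-tuple of packets travelling the other way on the same connection."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class DropEvent:
    ts: int
    module: str
    func: str
    kind: str     # "packet": tuple is the dropped packet; "conn": tuple is the connection key
    flow: Flow
    reason: str


def hide_nat(orig: Flow, xlate_src: str, xlate_sport: Optional[int] = None) -> Flow:
    """Forward 5-tuple after Hide NAT: source address (and optionally port) rewritten.
    Assumption for this example: the source port is kept when xlate_sport is None."""
    sport = orig.sport if xlate_sport is None else xlate_sport
    return Flow(orig.proto, xlate_src, sport, orig.dst, orig.dport)


def parse_line(line: str) -> Optional[DropEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _vs, _tid, module, func, msg = m.groups()
    pm = PKT_RE.search(msg)
    if pm:
        proto, src, sport, dst, dport, reason = pm.groups()
        return DropEvent(int(ts), module, func, "packet",
                         Flow(int(proto), src, int(sport), dst, int(dport)), reason.strip())
    cm = CONN_RE.search(msg)
    if cm:
        src, sport, dst, dport, proto = cm.groups()
        # SIM lines put the connection key last; the reason is the text before it.
        reason = msg[:cm.start()].rstrip(", ").strip()
        return DropEvent(int(ts), module, func, "conn",
                         Flow(int(proto), src, int(sport), dst, int(dport)), reason)
    return None


def parse_drops(text: str) -> List[DropEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def classify(events: List[DropEvent], forward: Flow) -> List[Tuple[str, DropEvent]]:
    """Label each drop relative to the NATed forward flow of the connection under test."""
    out = []
    for e in events:
        if e.flow == forward.reverse():
            label = "return"          # reply packet heading back to the hide-NAT address
        elif e.flow == forward:
            label = "forward" if e.kind == "packet" else "conn-key"
        else:
            label = "unrelated"
        out.append((label, e))
    return out


def return_drop_reasons(text: str, forward: Flow) -> List[str]:
    """Distinct reasons logged for the return leg and for lookups of its connection key."""
    return sorted({e.reason for label, e in classify(parse_drops(text), forward)
                   if label in ("return", "conn-key")})


# Constructed sample modelled on the zdebug lines quoted in the thread; the last
# (proto=17) line is invented so that unrelated drops are visibly filtered out.
SAMPLE = """\
@;3490569964;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.122.0.10:80 -> 10.100.0.3:43499 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';
@;3713639651;[kern];[tid_0];[SIM-206028253];handle_vpn_encryption: silently dropping for F2F reasons: failed to find link, conn: <10.100.0.3,43499,10.122.0.10,80,6>;
@;3713639651;[kern];[tid_0];[SIM-206028253];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.100.0.3,43499,10.122.0.10,80,6>;
@;3713639700;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.9:5353 -> 10.100.0.3:5353 dropped by fw_send_log_drop Reason: Rulebase drop - Rule 7;
"""

# Original flow as the tracker shows it (OS/OD) and its Hide-NAT translation (XS).
ORIG = Flow(6, "172.16.31.10", 43499, "10.122.0.10", 80)
FORWARD = hide_nat(ORIG, "10.100.0.3")   # 10.100.0.3:43499 -> 10.122.0.10:80

if __name__ == "__main__":
    for label, e in classify(parse_drops(SAMPLE), FORWARD):
        print(f"{label:9} {e.module:14} {e.func}: {e.reason}")
```

Run it against real output captured with `fw ctl zdebug + drop | grep <hide-NAT IP>` after substituting the tracker's OS/OD/XS values into `ORIG` and `hide_nat`; if every drop for the connection lands in the "return" and "conn-key" buckets and none in "forward", the forward leg is being accepted and encrypted while the firewall loses the link for the reply, which is the pattern this thread describes.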
the_rock
Legend

Apologies for that. OK, if that's the case and vpn accel off failed, try the below; it worked once for a customer I was helping.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Blason_R
Leader

Again, that seems very weird to me, as the return path of the same traffic is getting blocked; this is not a new session opened by the peer but the return traffic of an already initiated session.

Anyway, let me try that.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend

I agree with you 100%. We even had a TAC case opened for it, and that's what they gave us, with NO logical explanation. I personally hate doing things I don't understand, but the customer just wanted to ensure it worked, so that's why they did it.

Blason_R
Leader

And that worked??

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend

Yes sir. How, please don't ask me, as I've got no clue in the world and sadly, neither did TAC.