Blason_R
Leader

What is wrong if VPN fails on P2/QM Pkt2

Hi Team,

Again, while building a tunnel with a Check Point, and I have NAT involved. My P1 has come up instantly, while for P2 it fails on QM PKT2. In Pkt 2, I guess, the peers are not negotiating on encryption domains. Though from a configuration perspective everything looks OK.

(Attachment: ipsecfailure.JPG)


Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
6 Replies
Timothy_Hall
Champion

What type of box is the VPN peer?

It could be an issue with PFS due to the presence of the nonce; try disabling it on both sides and see if that helps, as this can sometimes cause interoperability issues.

The next thing to check is the Proxy-ID/subnets (ID fields) and that they match between the two peers; some remote VPN peers are far more picky than others about what they will accept in that field.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

@Timothy_Hall is correct, as always. I can tell you from personal experience, 100% of the time when it fails on QM packet 2, it's always to do with VPN domains. I'm not saying there aren't cases where something else is the issue, but most likely it's proxy ID/subnets, as Tim stated. What is the other side of the tunnel (Cisco, Fortinet, PAN, something else)?

Andy

0 Kudos
Blason_R
Leader

Yes, I agree too, and to my surprise, when I inquired with the peer, it's Check Point R80.40. They are NATting as well from their end. vpn tu shows P1 and P2 are up.

And we even receive the packets on our internal interface from the remote end; I can see the packets go out. zdebug shows no drops.

Still, PINGs are not going through.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
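The failure mode Timothy_Hall and the_rock describe (QM stalling at packet 2 because the proxy-IDs/VPN domains do not line up), together with the detail above that both sides are NATting, can be checked on paper before touching the gateways. The following is an added example written for this thread; it is not Check Point code and it does not parse vpn tu or debug output. It models the initiator's IDci/IDcr proposal as one pair per (local subnet, remote subnet), checks whether the responder's configured local and peer domains cover that pair, and treats hide NAT by placing the translated address (the only address the peer ever sees) into the domain. The site names, subnets, NAT rule and the one-SA-per-subnet-pair assumption are all constructed for the example.

```python
"""IKEv1 Quick Mode proxy-ID consistency check.

Added example for this thread; not Check Point code. It models the part of
Quick Mode that is decided by the encryption (VPN) domains: the initiator
proposes an IDci/IDcr pair in QM packet 1, and the responder only continues
to packet 2 if its own configured domains cover that pair. Hide NAT is
modelled by putting the translated address into the domain the peer sees.
"""
from ipaddress import ip_network
from itertools import product


def nets(*cidrs):
    """Build a list of IPv4Network objects from CIDR strings."""
    return [ip_network(c, strict=False) for c in cidrs]


def hide_nat_domain(real_domain, nat_rules):
    """Return the domain as the peer must see it.

    nat_rules maps a real subnet to the translated network (usually a /32
    hide address). Subnets without a rule pass through unchanged.
    """
    return [nat_rules.get(net, net) for net in real_domain]


def covers(domain, proposed, exact=False):
    """True if a configured network in `domain` accepts the proposed proxy-ID.

    exact=False: any proposal that lies inside a configured subnet is accepted.
    exact=True:  models a picky peer that wants the proxy-ID to equal a
                 configured subnet.
    """
    for net in domain:
        if proposed == net or (not exact and proposed.subnet_of(net)):
            return True
    return False


def quick_mode_proposals(initiator):
    """IDci/IDcr pairs the initiator would send, one per subnet pair.

    Assumption (constructed for this example): one SA per subnet pair. The
    per-host and per-gateway-pair settings produce different IDs and are not
    modelled here.
    """
    return list(product(initiator["local"], initiator["remote"]))


def check_quick_mode(initiator, responder, exact=False):
    """Return the proposals the responder would reject, with a reason each.

    An empty list means the responder's domains are consistent with what the
    initiator proposes, so QM gets past packet 2 as far as proxy-IDs go.
    """
    rejected = []
    for idci, idcr in quick_mode_proposals(initiator):
        if not covers(responder["remote"], idci, exact):
            rejected.append((idci, idcr,
                             f"{responder['name']}: peer domain has nothing covering {idci}"))
        elif not covers(responder["local"], idcr, exact):
            rejected.append((idci, idcr,
                             f"{responder['name']}: local domain has nothing covering {idcr}"))
    return rejected


# Constructed scenario 1: site A hides its real LAN behind one address toward the tunnel.
A_REAL_LAN = nets("10.10.0.0/24")
A_HIDE_NAT = {ip_network("10.10.0.0/24"): ip_network("198.51.100.10/32")}
SITE_A = {"name": "site-A",
          "local": hide_nat_domain(A_REAL_LAN, A_HIDE_NAT),   # [198.51.100.10/32]
          "remote": nets("172.16.5.0/24")}
# Site B was given the real subnet instead of the translated address: QM fails.
SITE_B_BAD = {"name": "site-B", "local": nets("172.16.5.0/24"), "remote": nets("10.10.0.0/24")}
# Corrected: site B's peer domain holds the address it actually receives.
SITE_B_OK = {"name": "site-B", "local": nets("172.16.5.0/24"), "remote": nets("198.51.100.10/32")}

# Constructed scenario 2: a /24 on one side, a /16 supernet configured on the other.
SITE_C = {"name": "site-C", "local": nets("10.20.1.0/24"), "remote": nets("192.168.50.0/24")}
SITE_D = {"name": "site-D", "local": nets("192.168.50.0/24"), "remote": nets("10.20.0.0/16")}


if __name__ == "__main__":
    for label, init, resp, exact in (
        ("NAT, peer configured with real subnet", SITE_A, SITE_B_BAD, False),
        ("NAT, peer configured with translated address", SITE_A, SITE_B_OK, False),
        ("supernet, lenient responder", SITE_C, SITE_D, False),
        ("supernet, picky responder", SITE_C, SITE_D, True),
    ):
        problems = check_quick_mode(init, resp, exact)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for idci, idcr, why in problems:
            print(f"  {idci} <-> {idcr}: {why}")
```

Run the check in both directions (each side as initiator) with the domains exactly as they appear in each gateway object; the first scenario is the NAT trap in this thread, where a peer is told the real subnet rather than the address that actually arrives, and the second shows why a supernet on one side and an exact subnet on the other can work against a lenient peer and fail against a picky one.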
the_rock
Legend

OK, so in that case the below would most likely not apply, since it's CP to CP.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Silly question, but did you make sure that when you open the gateway object, the right VPN domain is used for that VPN tunnel? If you run tcpdump -nni any host x.x.x.x (the other VPN side's external IP) and proto 50, do you see anything? By the way, how do you have the other gateway configured? Since it's also CP, is it set as an externally managed gateway or an interoperable object? Just curious, though technically I've set it up for people before either way and it worked fine.

Andy

0 Kudos
Blason_R
Leader

That was set as an Interoperable device. Do you think an externally managed CP would help? Well, the packet capture for port 500 does show, and since I am seeing P1 and P2 are up, I believe proto 50 must be flowing through, correct?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend

I think it would help, yes. It worked twice for me when I was helping customers with this scenario. Yeah, based on what you said, most likely proto 50 would work, but I would still confirm 100%.

Happy holidays!

Andy

0 Kudos