This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Florian_Schneid
Participant
‎2021-06-28 03:25 AM
Jump to solution

could someone advice me how to determine the value for "ipsec.replay_counter_window_size"

Hi,
could someone direct me how I can adjust the setting to avoid VPN Tunnel termination due to "possible replay attack".

I do have the issue described in sk94984. The issue exists only for one Tunnel. The issue is gone when I disable the replay check. Now I wanted to turn it back on and adjust the window size. In the SK they only say to adjust it to the relevant value.

In the logs I do have the message:

Warning: possible replay attack. Sequence Number 1490945 (Expected 1491179)

Currently I used 1200 as window size but the tunnel is still being terminated.

 

How can I determine / calculate the value? Seem that it isn’t just 1491179-1490945

Thanks

R80.40 T94

0 Kudos
1 Solution

Accepted Solutions
isazonov
Explorer
a month ago
Jump to solution

Response from TAC:

  1. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  2. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

  3. Connect with GuiDBedit Tool to the Security Management Server / Domain Management Server.

  4. In the upper left pane, go to Table - Network Objects - network_objects.

  5. In the upper right pane, select the relevant Security Gateway / Cluster object.

  6. Press CTRL+F (or go to Search menu - Find) - paste ipsec.replay_counter_window_size - click on Find Next.

  7. In the lower pane, right-click on the ipsec.replay_counter_window_size - select Edit... - delete the default value of 64 - enter the relevant value - click on OK.

  8. Save the changes: go to File menu - click on Save All.

  9. Close the GuiDBedit Tool.

  10. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  11. Install the policy onto the relevant Security Gateway / Cluster object.

Keep in mind that the default value is 64, and there is no desired value - you will need to lower or higher it until it reaches the correct value where this issue does not re-appear.

View solution in original post

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-06-28 05:51 AM
Jump to solution

Better use the information found in sk94984: VPN traffic is dropped with "Encryption failure: Warning: possible replay attack" log and involve TAC if this does not help. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Florian_Schneid
Participant
‎2021-06-28 05:59 AM
In response to G_W_Albrecht
Jump to solution

Hi Günter,

as mentioned above I followed the SK94984. But i didn't want to have the reply check disabled in general. So i decided to do the route descibed in the additional part of the SK and adjust the window size. I did adjust it to 1200 the log shows it triggered even it was only 234 as from the logs.

regards

Florian

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-06-28 06:48 AM
In response to Florian_Schneid
Jump to solution

So i would suggest to involve TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
isazonov
Explorer
a month ago
Jump to solution

Response from TAC:

  1. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  2. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

  3. Connect with GuiDBedit Tool to the Security Management Server / Domain Management Server.

  4. In the upper left pane, go to Table - Network Objects - network_objects.

  5. In the upper right pane, select the relevant Security Gateway / Cluster object.

  6. Press CTRL+F (or go to Search menu - Find) - paste ipsec.replay_counter_window_size - click on Find Next.

  7. In the lower pane, right-click on the ipsec.replay_counter_window_size - select Edit... - delete the default value of 64 - enter the relevant value - click on OK.

  8. Save the changes: go to File menu - click on Save All.

  9. Close the GuiDBedit Tool.

  10. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  11. Install the policy onto the relevant Security Gateway / Cluster object.

Keep in mind that the default value is 64, and there is no desired value - you will need to lower or higher it until it reaches the correct value where this issue does not re-appear.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events