Hi,
We have set up a site-to-site VPN tunnel between two Check Point gateways, R81.10 <----> R80.40, managed by different SMSs.
The VPN tunnel is UP when we verify from the CLI using "vpn tu", and packets encrypt and decrypt successfully.
However, under SmartView Monitor the VPN tunnel shows as down.
Upon further investigation we found that tunnel-test (UDP/18234) is getting dropped on the responder side as an "Encryption Failure" with the message "According to the policy the packet should not have been decrypted".
I have tried excluding this service under the VPN community settings so that this traffic is sent in clear text, to see if the SmartView status resolves, but that did not help, even though the traffic was allowed by the implied rule for tunnel-test (UDP/18234).
This drop is happening between the public IPs on which the VPN is terminating. However, the strange thing I noticed was that on the drop message, under the VPN peer gateway details, the IP shown was the VIP, while under Traffic the actual source was shown as the physical IP of the external interface of the active node (both Check Point gateways are currently running in an active/passive cluster).
Any tips to resolve this would be good.
For example, attaching a screenshot with some random IPs to explain:
R81 -
50.13.13.25 (VIP) - Peer IP
R80.40 -
200.10.10.51 (VIP) - Peer IP
200.10.10.50 (Active Node Interface IP) - seeing drops with this as the source
Thank you,
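One way to triage the symptom described above is to scan VPN drop logs for tunnel-test packets whose source address is not a known cluster VIP while the logged peer gateway is one, which is exactly the mismatch in the post (physical member IP 200.10.10.50 as source, VIP 200.10.10.51 as peer). The script below is an added example and is not part of the original post or any Check Point tool. It uses the post's example addresses, but the `key=value` log layout and field names (`action`, `proto`, `src`, `dst`, `dport`, `peer_gw`, `reason`) are constructed for the example and are not Check Point's real log format; adapt `parse_record` to whatever export you actually have.

```python
# Added example: flag tunnel-test (UDP/18234) drops that were sourced from a
# cluster member's physical IP instead of the cluster VIP.
import shlex
from dataclasses import dataclass
from typing import Dict, List

TUNNEL_TEST_PORT = 18234  # UDP port of the tunnel-test service named in the post

# Expected cluster VIP per gateway, taken from the post's example addresses.
EXPECTED_VIPS: Dict[str, str] = {
    "R81": "50.13.13.25",
    "R80.40": "200.10.10.51",
}

# Constructed sample log lines in a simplified key=value layout (hypothetical
# format, NOT Check Point's native log schema). Quoted values may contain spaces.
SAMPLE_LOGS: List[str] = [
    'action=drop proto=udp src=200.10.10.50 dst=50.13.13.25 dport=18234 '
    'peer_gw=200.10.10.51 reason="According to the policy the packet should not have been decrypted"',
    'action=accept proto=udp src=200.10.10.51 dst=50.13.13.25 dport=18234 peer_gw=200.10.10.51',
    'action=drop proto=tcp src=10.1.1.5 dst=10.2.2.9 dport=443 peer_gw=200.10.10.51 reason="unrelated"',
]


@dataclass
class Finding:
    src: str       # address the packet actually came from
    peer_gw: str   # VPN peer the gateway matched the packet to
    dst: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_vip_mismatches(lines: List[str], expected_vips: Dict[str, str]) -> List[Finding]:
    """Return tunnel-test drops whose source is not a known VIP but whose peer is one.

    Such a record means a cluster member sent the tunnel-test probe from its own
    interface address rather than the VIP the peer's VPN domain/peer definition
    expects, so the responder cannot match it to a tunnel and drops it.
    """
    vips = set(expected_vips.values())
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("action") != "drop" or rec.get("proto") != "udp":
            continue
        if int(rec.get("dport", "0")) != TUNNEL_TEST_PORT:
            continue
        src = rec.get("src", "")
        peer = rec.get("peer_gw", "")
        if src not in vips and peer in vips:
            findings.append(Finding(src=src, peer_gw=peer,
                                    dst=rec.get("dst", ""), reason=rec.get("reason", "")))
    return findings


if __name__ == "__main__":
    for f in find_vip_mismatches(SAMPLE_LOGS, EXPECTED_VIPS):
        print(f"tunnel-test drop: src {f.src} is not a VIP, peer matched as {f.peer_gw} "
              f"(dst {f.dst}); reason: {f.reason}")
```

Run against the sample data it reports the single mismatching record (source 200.10.10.50, peer 200.10.10.51) and ignores the accepted probe and the unrelated TCP drop. On a real export, a non-empty result narrows the investigation to why the active member is sourcing tunnel-test from its physical interface instead of the VIP, rather than to the VPN community or implied-rule settings.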