checkgsingh
Participant

tunnel-test packet drops with Encryption Failure msg and Smart View VPN monitor status down

Hi,

We have set up a site-to-site VPN tunnel between two Check Point gateways, R81.10 <----> R80.40, managed by different SMSs.

The VPN tunnel is UP when we verify from the CLI using "vpn tu", and packets encrypt and decrypt successfully.

However, under SmartView Monitor the VPN tunnel shows as down.

Upon further investigation we found that tunnel-test (UDP/18234) is getting dropped on the responder side with the "Encryption Failure" message "According to the policy the packet should not have been decrypted".

I have tried to exclude this service under the VPN community settings to send this traffic in clear text to see if the SmartView status resolves, but that did not help, even though the traffic was allowed by the implied rule for tunnel-test (UDP/18234).

This dropping is happening between the public IPs on which the VPN is terminating. However, the strange thing I noticed was that on the drop message, under VPN peer gateway details, the IP that was shown was the VIP, and under Traffic the actual source was shown as the physical IP of the external interface of the Active Node (as both Check Point gateways are currently running in a cluster in active/passive state).

Any tips to resolve this would be good.

For example, attaching a screenshot with some random IPs to explain.

R81 -
50.13.13.25 (VIP) - Peer IP

R80.40 -
200.10.10.51 (VIP) - Peer IP
200.10.10.50 (Active Node Interface IP)  -- Seeing Drops from as Source

Thank You,

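The symptom described in the post is a tunnel-test drop whose source is the physical member IP (200.10.10.50) rather than the cluster VIP (200.10.10.51) that the peer expects. The following is an added example, not code from the poster or from Check Point: it parses a few constructed key=value drop records (the field names `action`, `proto`, `src`, `dst`, `dport`, `peer` and `reason` are assumptions for the example, not the exact SmartView Monitor or log-export fields) and flags UDP/18234 "Encryption Failure" drops whose source address is not one of the known cluster VIPs. Running something like this over an exported log makes the VIP/physical-IP mismatch visible at a glance instead of having to read each drop by hand.

```python
import re

# tunnel-test listens on UDP/18234 (from the post)
TUNNEL_TEST_PORT = 18234
# the drop reason quoted in the post
ENCRYPTION_FAILURE = "According to the policy the packet should not have been decrypted"

# Constructed sample records in a key=value export style. The field names are
# assumptions for this example; the IPs are the example IPs from the post.
SAMPLE_LOG = """\
action=Drop proto=udp src=200.10.10.50 dst=50.13.13.25 sport=18234 dport=18234 peer=200.10.10.51 reason="Encryption Failure: According to the policy the packet should not have been decrypted"
action=Accept proto=udp src=200.10.10.51 dst=50.13.13.25 sport=18234 dport=18234 peer=200.10.10.51 reason=""
action=Drop proto=tcp src=198.51.100.7 dst=50.13.13.25 sport=51000 dport=443 peer= reason="Rulebase"
"""

# Cluster VIPs on both ends, as given in the post (assumed to be the only
# addresses that should ever source or receive tunnel-test traffic).
KNOWN_VIPS = {"50.13.13.25", "200.10.10.51"}

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_log(text):
    """Turn each non-empty line into a dict of field -> value (quotes stripped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        records.append(rec)
    return records


def is_tunnel_test_drop(rec):
    """True for a dropped UDP/18234 packet carrying the encryption-failure reason."""
    return (
        rec.get("action") == "Drop"
        and rec.get("proto") == "udp"
        and rec.get("dport") == str(TUNNEL_TEST_PORT)
        and ENCRYPTION_FAILURE in rec.get("reason", "")
    )


def find_tunnel_test_mismatches(records, known_vips):
    """Return tunnel-test drops whose source is not a known VIP.

    Each finding records the offending source, the peer address the responder
    matched (the VIP it expected) and a short diagnosis string.
    """
    findings = []
    for rec in records:
        if not is_tunnel_test_drop(rec):
            continue
        src = rec.get("src", "")
        if src in known_vips:
            continue  # sourced from a VIP as expected; some other cause
        findings.append({
            "src": src,
            "expected_peer": rec.get("peer", ""),
            "dst": rec.get("dst", ""),
            "diagnosis": (
                f"tunnel-test from {src} does not match peer VIP "
                f"{rec.get('peer', '')}: likely sourced from a physical member IP"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_test_mismatches(parse_log(SAMPLE_LOG), KNOWN_VIPS):
        print(finding["diagnosis"])
```

On the constructed sample this reports exactly one mismatch: the drop sourced from 200.10.10.50 against the expected peer 200.10.10.51; the accepted tunnel-test from the VIP and the unrelated TCP drop are ignored.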
Chris_Atkinson
Employee

From R81 and above we changed the default tunnel test type for interoperable device objects to DPD, whereas in R80.40 it was different. You may have to align both sides; refer to sk108600 (Scenario 5).

CCSM R77/R80/ELITE