
tunnel-test packet drops with Encryption Failure msg and Smart View VPN monitor status down


We have set up a site-to-site VPN tunnel between two Check Point gateways, R81.10 <----> R80.40, managed by different SMS.

The VPN tunnel is UP when we verify from the CLI using "vpn tu", and packets also encrypt and decrypt successfully.

However, under SmartView Monitor the VPN tunnel shows down.

Upon further investigation, we found that tunnel-test (UDP/18234) is getting dropped on the responder side with the "Encryption Failure" message "According to the policy the packet should not have been decrypted".

I have tried to exclude this service under the VPN community settings to send this traffic in clear text to see if the SmartView status resolves, but that did not help, even though the traffic was allowed by the implied rule for tunnel-test (UDP/18234).

This dropping is happening between the public IPs to which the VPN is terminating. However, the strange thing I noticed was that on the drop message, under the VPN peer gateway details, the IP that was shown was the VIP, and under Traffic the actual source was shown as the actual physical IP of the external interface from the active node (as both Check Points are currently running in cluster active/passive state).

Any tips to resolve this would be good.

E.g., attaching a screenshot with some random IPs to explain.

R81 - (VIP) - Peer IP

R80.40 - (VIP) - Peer IP (Active Node Interface IP)  -- Seeing Drops from as Source


Thank You,



1 Reply
Employee

From R81 and above, we changed the default tunnel test type for interoperable device objects to DPD, whereas in R80.40 it was different. You may have to align both sides; refer to sk108600 (Scenario 5).
