This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
checkgsingh
Participant
‎2022-08-31 10:30 PM

tunnel-test packet drops with Encryption Failure msg and Smart View VPN monitor status down

Hi,

We have setup site-to-site VPN tunnel between two checkpoint gateways R81.10 <----> R80.40 managed by different SMS.

The VPN tunnel is UP when we verify from cli using "vpn tu" and also packets encrypts and decrypts successfully.

However, under Smart View monitor VPN tunnel shows down.

Upon further investigation we found that tunnel-test (UDP/18234) is getting dropped on the responder side with the "Encryption Failure" message as "According to the policy the packet should not have been decrypted"

I have tried to exclude this service under VPN community settings to send this traffic in clear text to see if the Smart View status resolves, but that did not help even the traffic was allowed by Implied rule for tunnel-test (UDP/18234).

This dropping is happening between the public ip's to which VPN is terminating. However, the strange thing I noticed was that on the drop message under VPN peer gateway details the IP that was showed was VIP, and under the Traffic actual source was shown as actual Physical ip of the external interface from the Active Node ( as both checkpoints are currently running in cluster active/passive state).

Any TIP's to resolve this would be good.

For Eg. Attaching a screen shot with some random IP's to explain.

R81 -
50.13.13.25 (VIP) - Peer IP

R80.40 -
200.10.10.51 (VIP) - Peer IP
200.10.10.50 (Active Node Interface IP)  -- Seeing Drops from as Source

 
 

Thank You,

 

 

Preview file
65 KB
0 Kudos
1 Reply
Chris_Atkinson
Employee Employee
Employee
‎2022-09-02 01:24 AM

From R81 and above we changed the default tunnel test type for interoperable device objects to DPD whereas in R80.40 it was different. You may have to align both sides, refer: sk108600 (Scenario 5). 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events