
VPN & fwconn_key_init_links (OUTBOUND) failed

Question asked by Benoit Verove on Nov 27, 2018
Latest reply on Dec 11, 2018 by Benoit Verove

Hi Checkmates,

 

We are working on a migration project and we are facing a strange issue.

The architecture is quite simple:

- Cluster of 5800 appliances, R80.10 + jumbo 154

- Management is a R80.10 VM.

 

Everything seems fine except VPN. Only 4 VPNs among 7 are working. Not always the same ones, but never more than 4.

For the failed VPNs, we've discovered that outgoing IKE packets are dropped by the active member:

 

;[cpu_7];[fw4_0];fw_log_drop_ex: Packet proto=17 a.a.a.a:500 -> b.b.b.b:500 dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

 

a.a.a.a : cluster IP

b.b.b.b : peer IP

 

We have contacted the TAC and they've collected multiple captures. For now, nobody seems to be able to explain why the gateway drops its own IKE packets.

 

According to TAC, sk124732 doesn't apply.

 

If anyone knows what "fwconn_key_init_links (OUTBOUND) failed" could mean ...

 

Thanks for your help!
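
Added example (not part of the original post, and not Check Point code): a Python sketch that tallies drop lines in the format quoted above per peer and reason, to show which VPN peers have their outbound IKE dropped by the gateway itself. The field layout is assumed from the single line in the post; the sample lines, addresses and the non-IKE reason text are constructed.

```python
import re
from collections import Counter

# Field layout assumed from the one drop line quoted in the post.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)

def parse_drop(line):
    """Return the drop line's fields as a dict, or None if it is not a drop line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    d["reason"] = d["reason"].strip()
    return d

def ike_drops_by_peer(lines, cluster_ip, ike_ports=(500,)):
    """Count dropped UDP IKE packets sourced from cluster_ip, keyed by (peer, reason).

    ike_ports defaults to UDP 500 as in the post; add 4500 if NAT-T is in use.
    """
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d and d["proto"] == 17 and d["src"] == cluster_ip and d["dport"] in ike_ports:
            counts[(d["dst"], d["reason"])] += 1
    return counts

# Constructed sample input: 192.0.2.1 stands in for the cluster IP (a.a.a.a),
# 198.51.100.x for VPN peers (b.b.b.b). Documentation address ranges only.
PREFIX = ";[cpu_7];[fw4_0];fw_log_drop_ex: Packet "
IKE_FAIL = "dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;"
SAMPLE = [
    PREFIX + "proto=17 192.0.2.1:500 -> 198.51.100.10:500 " + IKE_FAIL,
    PREFIX + "proto=17 192.0.2.1:500 -> 198.51.100.10:500 " + IKE_FAIL,
    PREFIX + "proto=17 192.0.2.1:500 -> 198.51.100.20:500 " + IKE_FAIL,
    PREFIX + "proto=6 203.0.113.5:44321 -> 192.0.2.1:22 dropped by example_func Reason: constructed non-IKE reason;",
    "unrelated debug output",
]

if __name__ == "__main__":
    for (peer, reason), n in sorted(ike_drops_by_peer(SAMPLE, "192.0.2.1").items()):
        print(f"{peer}: {n} x {reason}")
```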
