
vpn issue since R80.10 - Check Point to Fortigate (behind NAT router)

Question asked by Tom Coussement on Nov 23, 2017
Latest reply on Dec 5, 2017 by Vladimir Yakovlev

We are having problems with some VPN tunnels since we upgraded our firewall gateway to R80.10 (previously R77.30).

More specifically between our Check Point R80.10 gateway and Fortigate gateways that are behind a NAT router.


Behaviour:

On both firewalls tunnel status is shown as up.

When sending traffic from the LAN behind the Check Point to the LAN behind the FortiGate, the traffic arrives at the host behind the FortiGate. The answer is sent and can be seen on the FortiGate, but doesn't arrive at the original sending host.

With tcpdump on Check Point we only see syn from src to dst, no ack from dst to src.

No drops between src and dst with fw ctl zdebug + drop.

We do see drops with fw ctl zdebug + drop for communication between the 2 WAN IP addresses:

;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 (public ip on NAT router):4500 -> (public ip on Check Point):0 dropped by asm_stateless_verifier Reason: UDP src/dst port 0;

And after a few of the messages above:

;[cpu_0];[fw4_0];fw_log_drop_conn: Packet <dir 1, (public ip on NAT router):4500 -> (public ip on Check Point):4500 IPP 17>, dropped by do_inbound, Reason: decryption failed;


In the logs:

Time: 2017-11-08T13:44:57Z
Interface Direction: inbound
Interface Name: eth2
Id: ac140a8b-8490-5309-5a03-0a598eb10000
Sequencenum: 3
Protection Name: Packet Sanity
Severity: Medium
Confidence Level: High
Protection ID: PacketSanity
Performance Impact: Very Low
Industry Reference: CAN-2002-1071
Protection Type: Protocol Anomaly
Information: Invalid UDP packet - source / destination port 0
Name: Malformed Packet
Source Country: Belgium
Source: (public ip on NAT router)
Source Port: 4500
Destination Country: Belgium
Destination: (public ip on Check Point)
Destination Port: 0
IP Protocol: 17
Action: Drop
Type: Log
Policy Name: Standard_Simplified
Policy Management: firewall
Db Tag: {F56DAD90-0D6A-2D4B-B024-FD57071DC021}
Policy Date: 2017-11-08T13:41:10Z
Blade: Firewall
Origin: xxxxxxxxx
Service: UDP/0
Product Family: Access
Logid: 65537
Marker: @A@@B@1510095600@C@2064729
Log Server Origin: xxx.xxx.xxx.xxx
Orig Log Server Ip: xxx.xxx.xxx.xxx
Inspection Settings Log:true
Lastupdatetime: 1510148697000
Lastupdateseqnum: 3
Rounded Sent Bytes: 0
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Interface: eth2
Description: UDP/0 Traffic Dropped from (public ip on NAT router) to (public ip on Check Point) due to Invalid UDP packet - source / destination port 0

We opened a ticket with both Check Point and Fortinet, but it seems like they don't find a solution and point to each other...

I know that a VPN with a firewall behind a NAT router is not the best solution, certainly for a VPN between 2 vendors, so we try to avoid such setups, but sometimes there is no other option.

Anyone else who experienced such problems with R80.10?

Suggestions?
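Added triage helper, not part of Tom's post nor Check Point or Fortinet tooling: it parses the two `fw ctl zdebug + drop` line shapes quoted above and counts, per NAT-T peer, the port-0 packet-sanity drops and the decryption failures, so a defender can check whether a peer behind NAT shows the same pair of symptoms. The regexes follow the quoted lines; the sample lines and their IPs are constructed (RFC 5737 documentation addresses).

```python
import re
from collections import defaultdict

# Drop message shapes quoted in the post: fw_log_drop_ex (stateless verifier) and fw_log_drop_conn (do_inbound).
DROP_EX = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) dropped by (?P<by>\w+) Reason: (?P<reason>[^;]+);")
DROP_CONN = re.compile(
    r"fw_log_drop_conn: Packet <dir \d+, (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) IPP (?P<proto>\d+)>, dropped by (?P<by>\w+), "
    r"Reason: (?P<reason>[^;]+);")

def parse_drop(line):
    """Fields of one zdebug drop line as a dict, or None for lines of another shape."""
    for pat in (DROP_EX, DROP_CONN):
        m = pat.search(line)
        if m:
            d = m.groupdict()
            for key in ("proto", "sport", "dport"):
                d[key] = int(d[key])
            return d
    return None

def classify(d):
    """NAT-T (UDP 4500) packet rejected by packet sanity for port 0, NAT-T packet that failed decryption, or other."""
    if d is None:
        return None
    natt = d["proto"] == 17 and 4500 in (d["sport"], d["dport"])
    if natt and d["dport"] == 0 and d["by"] == "asm_stateless_verifier":
        return "natt_port0_sanity_drop"
    if natt and "decryption failed" in d["reason"]:
        return "natt_decrypt_failed"
    return "other"

def triage(lines):
    """Per source peer, count both NAT-T symptoms; a peer showing both matches the pattern in the post."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        d = parse_drop(line)
        kind = classify(d)
        if kind in ("natt_port0_sanity_drop", "natt_decrypt_failed"):
            counts[d["src"]][kind] += 1
    return {peer: dict(c) for peer, c in counts.items()}

# Constructed sample lines (documentation addresses, not the poster's real IPs); the last one is an unrelated drop.
SAMPLE = [
    ";[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 203.0.113.10:4500 -> 198.51.100.1:0 dropped by asm_stateless_verifier Reason: UDP src/dst port 0;",
    ";[cpu_0];[fw4_0];fw_log_drop_conn: Packet <dir 1, 203.0.113.10:4500 -> 198.51.100.1:4500 IPP 17>, dropped by do_inbound, Reason: decryption failed;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.5:51000 -> 198.51.100.1:22 dropped by rulebase Reason: Rulebase drop;",
]
```

Feed it the captured zdebug output line by line; a peer that appears with both counters is a candidate for the NAT-T port-0 problem described in the post rather than a plain policy drop.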
