AnsweredAssumed Answered

Does upgrading to R80.10 result in IPsec is failed

Question asked by Gary Lai on Apr 30, 2018
Latest reply on May 1, 2018 by Xavier Bensemhoun

Dear Everyone,

I have two CP15600 GWs (made high availability) and one VM (SMS).

Last month I upgraded  R77.30 SMS to R80.10 (I upgraded using "Upgrade")

However, the status of the HA often changes. (active and standby)
In the Standby Status,"Standby"GW cannot ping 8.8.8.8 and cws.checkpoint.tw and other websites but can ping sync ip and VIP(HA)
In the Active Status, "active" of GW can ping 8.8.8.8 and cws.checkpoint.tw and sync ip and other websites, but you cannot ping VIP (HA).

The same is true when the status of GW changes.

As the status changes, Error will change, Standby's Error is as follows

 

In addition, I found that IPsec cannot be used and cannot establish a connection with the peer.

I tried some troubleshooting methods as follows.

1.sk83520 how to check connectivity to CP  Confirm that the problem is not a cloud connection.

2. sk97587 https://www.51sec.org/2015/07/checkpoint-standby-cluster-member-interface-not-reachable/     "invalid"

3. sk19423  Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database fo… Select the 'Enable back connections' options.                                                "invalid" 

4.https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/137002

about   offer_nat_t_initator (False-->True)   "invalid"

5.SK40187 "Packet is dropped because there is no valid SA" log when Cluster drops packets  "invalid"

6.Vpn tu (7)Delete all IPsec+IKE SAs for a given peer  "invalid"

 

Yesterday, I changed phase2 AES256 to AES128.Error disappeared(Only "active"GW disappear),

but I still can't connect to the peer.

Currently, SA (only one data) can be seen in all IKE SAs listed in GW1&GW2 VPN tu(1), but sometimes it exists and sometimes does not exist.

 

I do not know what to do. Rebuild IPsec or Client Tunnel? (PS: peer device is CISCO)

Thank you all !

   

 

Outcomes