VPN traffic getting blocked

faheb1 · ‎2022-08-18

HI
Im getting this problem,

Source: Print Server(172.20.15.52)

Dest: Printer(192.168.15.210)

Src and Dst are under a Site to site VPN.

I have checked the logs. I have attached the logs. What might be the issue ?

there are other log which seeems to be allowed check 4.log image

Firewall: Checkpoint SMB Appliance 910

Firemware: R77.30

Piet_vd_Maas · ‎2022-08-19

2.logs.png shows an IKE failure.

Is other traffic working trough that VPN tunnel?

CCSM Elite

faheb1 · ‎2022-08-19

I have seen one log that icmp/ping is working. but cant find the log now.

Besides, Log4 image shows that some traffic is flowing. however, majority is getting block for that destination. What should i check ? recently the PeerGateway ip was changed. after that we are having this problem. My client tried traceroute from his ip

Source: 172.20.15.76

Fw LAN : 192.168.50.54 (Form Core Switch)

C:\Users\scanpp>tracert 192.168.15.210

Tracing route to 192.168.15.210 over a maximum of 30 hops

1 1 ms 2 ms 1 ms 172.20.15.1
2 <1 ms * * 172.20.15.2 (Core Switch)
3 <1 ms <1 ms <1 ms 192.168.50.54 --- FW
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12

faheb1 · ‎2022-08-19

[Expert@ScanConnectFW02]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

4

Enter IP of peer (format: xxx.xxx.xxx.xxx): A.A.A.A

Peer A.A.A.A SAs:

1. SPI's related to IKE SA <20012e163a402797,684343b0201ad46e>:

2. SPI's related to IKE SA <24e22e54dfdc23ea,74aa4a4a736e535f>:

3. SPI's related to IKE SA <d27a77ee1af9ceda,73239d6b0a6514c3>:

4. SPI's related to IKE SA <72b61a621efe15d6,26f908e01a73194f>:

Hit <Enter> key to continue ...

AndréTinoco · ‎2022-08-19

Phase2 doesn't seem to be completed. Can you check logs between the two public addresses (of the vpn peers) to see the VPN negotiation?

Confirm the P2 configuration on both sides and confirm the networks are also the same on both sides. Also confirm you have security rules on your side for that traffic.

Piet_vd_Maas · ‎2022-08-22

Is your issue solved?

CCSM Elite

faheb1 · ‎2022-08-22

I have used Ikeview and found that Phase-1(P1 Main mode) ok but Phase2 QM Packet-1 has errors. I have asked the remote Gateway admin to share the config. Need to cross check if there are any changes in their side config.

Can someone tell me Why Egress traffic are failing but Ingress traffic is getting in ??

the_rock · ‎2022-08-22

Phase 2 is in my experience always an issue with vpn domains not being presented properly or supernatting. Make sure that remote gateway interoperable object is set with right encryption domain.

Best,
Andy

Piet_vd_Maas · ‎2022-08-22

Sounds like a routing issue indeed. @faheb1 you also mentioned the issues started after a IP change of the peer gateway.

CCSM Elite

faheb1 · ‎2022-08-23

Hi

Checked the routing. Found a problem . It seems like a typo. I have fixed it. Need to check it tomorrow by client. VPN shows up. I will let you know the result.

Are you a member of CheckMates?

VPN traffic getting blocked