This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2021-12-22 09:06 PM

What is wrong if VPN fails on P2/QM Pkt2

Hi Team,

Again while building a tunnel with checkpoint and I have NAT involved. My P1 has come up instantly while for p2 it fails on QM PKT2. If Pkt 2 I guess peers are not negotiating on encryption domains. Though from configuration

ipsecfailure.JPGperspective everything looks ok.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
6 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-12-23 07:38 AM

What type of box is the VPN peer?

It could be an issue with PFS due to the presence of the Nonce, try disabling it on both sides and see if that helps as this can sometimes cause interoperability issues.

The next thing to check is the Proxy-ID/subnets (ID fields) and that they match between the two peers, some remote VPN peers are far more picky than others about what they will accept in that field.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
the_rock
Legend
Legend
‎2021-12-23 06:21 PM

@Timothy_Hall Is correct, as always. I can tell you from personal experience, 100% of the time when it fails on QM, packet 2, its always to do with vpn domains. Im not saying there are cases where something else is not the issue, but most likely its proxy ID/subnets, as Tim stated. What is the other side of the tunnel (Cisco, Fortinet, PAN, something else?

Andy

0 Kudos
Blason_R
Leader
Leader
‎2021-12-23 07:05 PM
In response to the_rock

Yes - Even I agree and to my surprise when I inquired with the peer its Check Point R80.40. They are natting as well from their end. Vpn tu shows p1 and p2 are up.

And we even receive the packets on our internal interface from remote end; can see the packets goes out. zdebug shows no drops

Still PINGs are not going through.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2021-12-23 07:12 PM
In response to Blason_R

Ok, so in that case below would most likely not apply, since its cp to cp

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Silly question, but did you make sure that when you open gateway object, the right VPN domain is used for that vpn tunnel? If you run tcpdump -nni any host x.x.x.x (other vpn side external IP) and proto 50...do you see anything? By the way, how do you have other gateway configured? Since its also cp, is it set as externally managed gateway or interoperable object? Just curious, though technically, I set it up for people before either way and worked fine.

Andy

0 Kudos
Blason_R
Leader
Leader
‎2021-12-23 07:36 PM
In response to the_rock

That was set as Interoperable device. Do you think externally managed CP would help? Well packet capture for port 500 does show and since I am seeing P1 and P2 are up I believe proto 50 must be flowing through, correct?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2021-12-23 07:44 PM
In response to Blason_R

I think it would help, yes. It worked twice for me when I was helping customers with this scenario. Yea, based on what you said, its most likely proto 50 would work, but I would still confirm 100%.

Happy holidays!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events