CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Post-Outbound (VPN Encrypt)

  1. #1
    Join Date
    2015-10-26
    Posts
    7
    Rep Power
    0

    Default Post-Outbound (VPN Encrypt)

    Hello Experts,

    May I ask for your help with an issue that I have? I used to have SmartTracking enabled, but now it doesn't track correctly (bigger problems, but more on that later).
    I am now only using fw monitor as my guide on trying to figure out why certain networks in our LAN cannot access a resource at the other end of an IPSec Tunnel.

    Here's what I got (I'm no expert at fw monitor, just about 2 days of using this):
    HTML Code:
    fw monitor -p all -e 'accept host(10.55.81.8);'
    Packet seems to be good up until VPN Encrypt.
    HTML Code:
    [fw_0] eth1:o7 (fw VM outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
    TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
    [fw_0] eth1:O9 (vpn policy outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
    TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
    [fw_0] eth1:O10 (SecureXL outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
    TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
    [fw_0] eth1:O11 (l2tp outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
    TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
    [fw_0] eth1:O12 (vpn encrypt)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
    TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
    [fw_0] eth1:i0 (tcpt inbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26997
    As you can see, there is no Post-Outbound (VPN Encrypt) entry, and the retries go to Pre-Inbound (TCPT Inbound).



    Here's what I got on a network that CAN access the resource on the other end of the tunnel:
    HTML Code:
    [fw_0] eth1:o7 (fw VM outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O9 (vpn policy outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O10 (SecureXL outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O11 (l2tp outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O12 (vpn encrypt)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O13 (RTM packet out)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O14 (tcpt outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O15 (fw accounting outbound)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O16 (TCP streaming post VM)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O17 (IP Options Restore (out))[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    [fw_0] eth1:O18 (Chain End)[69]: 10.55.81.8 -> 10.188.128.27 (TCP) len=69 id=14359
    TCP: 2121 -> 51331 ...PA. seq=e45c2462 ack=90b2b2da
    Packet goes all the way to O18 (Chain End), unlike the output from above.
    Something in that VPN process is stopping this traffic from being processed outbound.

    Checkpoint R75.40
    Cluster configuration

    Any advice on this issue is greatly appreciated. Thank you.

    Regards,
    Jemel
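An added example, not code from the thread: a small parser for fw monitor -p all output in the shape shown above that reports outbound packets whose last chain position is not Chain End, so the module where a packet disappears (here vpn encrypt) is picked out automatically. The sample lines are constructed from post #1; the chain-position letters i/I/o/O are read as inbound/outbound.

```python
import re

# Constructed sample in the shape of the thread's fw monitor -p all output:
# the SYN that stops at the vpn encrypt module, then a retransmission (new IP id)
# showing up at the first inbound position only.
SAMPLE = """\
[fw_0] eth1:o7 (fw VM outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
[fw_0] eth1:O9 (vpn policy outbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
[fw_0] eth1:O12 (vpn encrypt)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26990
TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
[fw_0] eth1:i0 (tcpt inbound)[52]: 10.39.11.212 -> 10.55.81.8 (TCP) len=52 id=26997
TCP: 61197 -> 2121 .S.... seq=6ef9d83c ack=00000000
"""
# Header line: instance, interface, chain position (i/I/o/O + index), module name
# (may itself contain parentheses, hence the lazy match up to ")["), 5-tuple, IP id.
HDR = re.compile(
    r"^\[fw_\d+\]\s+(?P<iface>\S+?):(?P<pos>[iIoO]\d+)\s+\((?P<module>.*?)\)\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<ipid>\d+)$"
)
# Transport line that follows each header for TCP/UDP packets.
L4 = re.compile(r"^(?:TCP|UDP):\s+(?P<sport>\d+) -> (?P<dport>\d+)")

def parse_trace(text):
    """Return {(src, dst, sport, dport, ipid): [(pos, module), ...]} in capture order."""
    flows, pending = {}, None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            pending = m.groupdict()   # remember the header until its TCP/UDP line
            continue
        m = L4.match(line)
        if m and pending:
            key = (pending["src"], pending["dst"], m["sport"], m["dport"], pending["ipid"])
            flows.setdefault(key, []).append((pending["pos"], pending["module"]))
            pending = None
    return flows

def stalled_outbound(text, final="Chain End"):
    """Packets seen at an outbound position that never reach the final module;
    returns [(key, last_pos, last_module)] so the stopping module is visible."""
    result = []
    for key, hops in parse_trace(text).items():
        out = [h for h in hops if h[0][0] in "oO"]   # outbound positions only
        if out and out[-1][1] != final:
            result.append((key, out[-1][0], out[-1][1]))
    return result

if __name__ == "__main__":
    for key, pos, module in stalled_outbound(SAMPLE):
        print(f"{key[0]}:{key[2]} -> {key[1]}:{key[3]} id={key[4]} stops at {pos} ({module})")
```

Run it against a saved fw monitor capture instead of SAMPLE to list every outbound packet that never reached Chain End and the module it last passed.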

  2. #2
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    7

    Default Re: Post-Outbound (VPN Encrypt)

    The easiest way to figure out what's happening is to perform a vpn debug to see which packet the failure is occurring on. I would run an fw monitor along with a vpn debug, and that way you get a clear packet-level view of what's happening. Make sure you disable acceleration beforehand.

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    16

    Default Re: Post-Outbound (VPN Encrypt)

    If the traffic is truly getting eaten by the vpn_encrypt module you need to run a "fw ctl zdebug drop" then try the traffic that is not working to see why it is discarded. There is probably some kind of error getting logged about this (although you say logging is not working), but the zdebug will show you what is happening regardless of logging. Also are you using simplified VPN setup mode (VPN column present in the rulebase) or traditional (no VPN column but Encrypt actions in the rulebase)?
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4
    Join Date
    2015-10-26
    Posts
    7
    Rep Power
    0

    Default Re: Post-Outbound (VPN Encrypt)

    Quote Originally Posted by ShadowPeak.com View Post
    If the traffic is truly getting eaten by the vpn_encrypt module you need to run a "fw ctl zdebug drop" then try the traffic that is not working to see why it is discarded. There is probably some kind of error getting logged about this (although you say logging is not working), but the zdebug will show you what is happening regardless of logging. Also are you using simplified VPN setup mode (VPN column present in the rulebase) or traditional (no VPN column but Encrypt actions in the rulebase)?
    Thank you for this input ShadowPeak. I am on the right track in figuring this out. This led me to probably the reason why my traffic is being dropped.

    https://supportcenter.checkpoint.com...tionid=sk44576

    HTML Code:
    Symptoms
    VPN tunnel between Security Gateways fails for no apparent reason.
    
    IKE debug (per sk33327) shows a failure on Phase 1 (Main Mode) - Packet 1 is sent to the VPN peer, and VPN peer sends a reply packet. IKE negotiation does not proceed.
    
    Kernel debug ('fw ctl debug -m fw + drop') shows that the reply packet from VPN peer is '...dropped by vpn_encrypt_chain Reason: no reason'.
    
    Configuration in SmartDashboard has been verified for IKE Phase 1 and IKE Phase 2.
    
    Either Traditional VPN, or Simplified VPN mode is used. 
    
    Issue occurs in cluster environment.
    
    Cause
    
    The VPND daemon fails to pass the packet to ClusterXL layer.
    Yes we are running a cluster set-up and 1 firewall member of that cluster is currently down - this is the most probable cause why SmartTracker is not working properly. We are trying to fix this currently.

    Trouble is I have no advanced access. May I ask if this can be resolved with only 1 member of the cluster?

    Once again, thank you! Truly I appreciate it.


    Regards,

    Jemel

  5. #5
    Join Date
    2015-10-26
    Posts
    7
    Rep Power
    0

    Default Re: Post-Outbound (VPN Encrypt)

    Quote Originally Posted by Cory Webb View Post
    The easiest way to figure out what's happening is to perform a vpn debug to see which packet the failure is occurring on. I would run an fw monitor along with a vpn debug, and that way you get a clear packet-level view of what's happening. Make sure you disable acceleration beforehand.
    Thank you for this information Cory.

    Will give this a try on the next change window. If I may ask, what considerations must I have when running such commands in a production environment?


    Regards,
    Jemel

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    16

    Default Re: Post-Outbound (VPN Encrypt)

    Quote Originally Posted by jhimiiiiil View Post
    Thank you for this input ShadowPeak. I am on the right track in figuring this out. This led me to probably the reason why my traffic is being dropped.

    https://supportcenter.checkpoint.com...tionid=sk44576

    Yes we are running a cluster set-up and 1 firewall member of that cluster is currently down - this is the most probable cause why SmartTracker is not working properly. We are trying to fix this currently.

    Trouble is I have no advanced access. May I ask if this can be resolved with only 1 member of the cluster?


    Hmm lovely, don't think I have run into this before where the link between vpnd and ClusterXL has gotten broken like this. Unfortunately it doesn't look like this can be resolved without an outage as the fix is to run cpconfig, disable cluster membership, reboot the box, run cpconfig again and enable cluster membership and reboot the box. Whether one member of the cluster is down shouldn't matter as far as getting this fixed.

  7. #7
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    7

    Default Re: Post-Outbound (VPN Encrypt)

    I would run with ShadowPeak's suggestion first... funny enough, I've never seen VPN break because of issues with ClusterXL either, but like SP said, it looks like disabling and re-enabling clustering will resolve the issue.
