CPUG: The Check Point User Group


Thread: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

  1. #21
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,088
    Rep Power
    12

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by laf_c View Post
    I had a 90' remote session with Fortinet TAC today. After getting rid of Level 1, this engineer performed a full head-to-tail scenario inspection just in case I missed something like interface line rate, BW overutilization, etc.

    They are to review the case and find out what's behind that SPI delete phase.
    I'll keep you posted.

    L.E.: one quick question: how can I stamp each drop message with the exact date and time?

    [Expert@MACH-001C:0]# fw ctl zdebug + drop | grep 172.17.13


    ;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.125.25:2000 -> 172.17.132.232:52008 dropped by vpn_encrypt_chain Reason: No error;
    ;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.125.25:2000 -> 172.17.132.235:49812 dropped by vpn_encrypt_chain Reason: No error;


    I'd like to have the time next to each error message. Is this possible?
    I don't think zdebug itself can print timestamps. So either you could do a full debug with the drop flag (fw ctl debug 0; fw ctl debug -buf 32000; fw ctl debug -m fw + drop; fw ctl kdebug -T -f > blah.txt) which would definitely give you timestamps, but they will be from when kdebug empties them from the buffer not when they are actually written into the buffer by the fw module. Or you could try just running the kdebug like this while the fw ctl zdebug is already running and see what happens, not sure if it can empty the same buffer invoked by zdebug for you but with timestamps...

    fw ctl kdebug -T -f
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  2. #22
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,480
    Rep Power
    8

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by laf_c View Post
    I had a 90' remote session with Fortinet TAC today. After getting rid of Level 1, this engineer performed a full head-to-tail scenario inspection just in case I missed something like interface line rate, BW overutilization, etc.

    They are to review the case and find out what's behind that SPI delete phase.
    I'll keep you posted.

    L.E.: one quick question: how can I stamp each drop message with the exact date and time?

    [Expert@MACH-001C:0]# fw ctl zdebug + drop | grep 172.17.13


    ;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.125.25:2000 -> 172.17.132.232:52008 dropped by vpn_encrypt_chain Reason: No error;
    ;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.125.25:2000 -> 172.17.132.235:49812 dropped by vpn_encrypt_chain Reason: No error;


    I'd like to have the time next to each error message. Is this possible?
    With beer!! Yes larger!! Err... no wait ..I mean logger

    # grep needs a pattern; 172.17.13 is the one used in the earlier zdebug command in this thread
    fw ctl zdebug drop | grep --line-buffered 172.17.13 | logger &
    disown

    It should run forever until you kill the fw ctl zdebug.

    Will be sent to syslog.
    Last edited by jflemingeds; 2017-10-30 at 19:30.

  3. #23
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    103
    Rep Power
    11

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by ShadowPeak.com View Post
    I don't think zdebug itself can print timestamps. So either you could do a full debug with the drop flag (fw ctl debug 0; fw ctl debug -buf 32000; fw ctl debug -m fw + drop; fw ctl kdebug -T -f > blah.txt) which would definitely give you timestamps, but they will be from when kdebug empties them from the buffer not when they are actually written into the buffer by the fw module. Or you could try just running the kdebug like this while the fw ctl zdebug is already running and see what happens, not sure if it can empty the same buffer invoked by zdebug for you but with timestamps...

    fw ctl kdebug -T -f
    On R77.30, at least, you can use '-T' with zdebug. I don't think it worked with R77 base.

    Code:
    [Expert@zimmieFW1 Active]# fw ver
    This is Check Point's software version R77.30 - Build 137
    [Expert@zimmieFW1 Active]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator take_159 is installed, see sk106162.
    [Expert@zimmieFW1 Active]# fw ctl zdebug -T drop
    [blah blah blah]
    ;31Oct2017 17:31:52.516211;[cpu_5];[fw4_14];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    ;31Oct2017 17:31:52.537707;[cpu_16];[fw4_3];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    Zimmie
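    As an added example that is not from any poster in this thread: a small Python parser for both zdebug drop formats shown above (the plain lines in laf_c's post and the -T lines in Zimmie's), which stamps unstamped lines with the reader's clock (the flush-delay caveat ShadowPeak raised) and tallies drops by module, reason and destination. The sample lines, the 10.0.0.1 address and the function names are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Matches both the plain 'fw ctl zdebug drop' line and the '-T' form, which
# inserts ';31Oct2017 17:31:52.516211' ahead of the [cpu_N] field.
DROP_RE = re.compile(
    r"^;(?:(?P<ts>\d{1,2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d+);)?"
    r"\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw4_\d+)\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) dropped by (?P<module>\S+) "
    r"Reason: (?P<reason>.*?);\s*$"
)

# Constructed sample in the thread's two formats ('[some IP]' became 10.0.0.1).
SAMPLE_LINES = [
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.125.25:2000 -> "
    "172.17.132.232:52008 dropped by vpn_encrypt_chain Reason: No error;",
    "[blah blah blah]",
    ";31Oct2017 17:31:52.516211;[cpu_5];[fw4_14];fw_log_drop_ex: Packet proto=17 "
    "10.0.0.1:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet "
    "Reason: Rulebase drop - rule 484;",
    ";31Oct2017 17:31:52.537707;[cpu_16];[fw4_3];fw_log_drop_ex: Packet proto=17 "
    "10.0.0.1:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet "
    "Reason: Rulebase drop - rule 484;",
]

def parse_drop(line, received_at=None):
    """One drop line's fields as a dict, or None. Without -T the kernel stamps
    nothing, so received_at (reader's clock, lagging the flush) is used."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["ts"]:
        rec["ts"] = datetime.strptime(rec["ts"], "%d%b%Y %H:%M:%S.%f")
        rec["ts_source"] = "zdebug"
    else:
        rec["ts"], rec["ts_source"] = received_at, "reader"
    rec["proto"] = int(rec["proto"])
    return rec

def summarize(lines, received_at=None):
    """Count drops by (module, reason, dst): one peer piling up vpn_encrypt_chain
    drops points at the tunnel (here, deleted SPIs) rather than the rulebase."""
    tally = Counter()
    for rec in (parse_drop(l, received_at) for l in lines):
        if rec:
            tally[(rec["module"], rec["reason"], rec["dst"])] += 1
    return tally
```

    Piped live (fw ctl zdebug + drop into a loop calling parse_drop(line, datetime.now()) per stdin line), this gives the stamped output the question asked for, with the flush-delay caveat intact.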

  4. #24
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,088
    Rep Power
    12

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by Bob_Zimmerman View Post
    On R77.30, at least, you can use '-T' with zdebug. I don't think it worked with R77 base.

    Code:
    [Expert@zimmieFW1 Active]# fw ver
    This is Check Point's software version R77.30 - Build 137
    [Expert@zimmieFW1 Active]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator take_159 is installed, see sk106162.
    [Expert@zimmieFW1 Active]# fw ctl zdebug -T drop
    [blah blah blah]
    ;31Oct2017 17:31:52.516211;[cpu_5];[fw4_14];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    ;31Oct2017 17:31:52.537707;[cpu_16];[fw4_3];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    Thanks for the tip. I remember trying to get zdebug to output timestamps at some point in the past and failing. Pretty sure that attempt was for a release older than R77.30 though.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  5. #25
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    642
    Rep Power
    5

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by Bob_Zimmerman View Post
    On R77.30, at least, you can use '-T' with zdebug. I don't think it worked with R77 base.

    Code:
    [Expert@zimmieFW1 Active]# fw ver
    This is Check Point's software version R77.30 - Build 137
    [Expert@zimmieFW1 Active]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator take_159 is installed, see sk106162.
    [Expert@zimmieFW1 Active]# fw ctl zdebug -T drop
    [blah blah blah]
    ;31Oct2017 17:31:52.516211;[cpu_5];[fw4_14];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    ;31Oct2017 17:31:52.537707;[cpu_16];[fw4_3];fw_log_drop_ex: Packet proto=17 [some IP]:1985 -> 224.0.0.2:1985 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 484;
    This is gold, thank you sir!

  6. #26
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    103
    Rep Power
    11

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by ShadowPeak.com View Post
    Thanks for the tip. I remember trying to get zdebug to output timestamps at some point in the past and failing. Pretty sure that attempt was for a release older than R77.30 though.
    Quote Originally Posted by laf_c View Post
    This is gold, thank you sir!
    I know, right? I was so happy to find that out. With an fw monitor, a zdebug drop, and a good understanding of how to read them, I could solve around 70% of calls in the TAC. Add in IKE debug and it's more like 95%. zdebug was always the most limited of the three due to the lack of timestamps.
    Zimmie

  7. #27
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    642
    Rep Power
    5

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by ShadowPeak.com View Post
    Not a bad idea to try enabling it at least, since the Fortigate is asking for it in IKE Phase 1 packet 1. Having DPD active can help correct certain situations and this might be one of them.

    Yes, give that a try. Unlikely to help but needs to be ruled out.

    Also check out the ike_keep_child_sa_interop_devices variable as mentioned in sk108600, sounds a lot like your situation.
    Fortinet came back to me today and suggested enabling DPD on both sides.

    I read sk97746, but I honestly missed the point: since Fortinet does send DPD messages, is it enough to enable DPD responder mode on the CP side?
    If yes, I read I have to run [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1. Now, since the CP gateway holds about 30+ tunnels, is this setting going to affect all tunnels?
    Did anyone run it and experience any side effects on other tunnels?

    So my 1st question: what's the recommended method to enable DPD on CP with regard to Fortinet, aka 3rd-party VPN? Is it by enabling the DPD responder method?

    2nd point: about ike_keep_child_sa_interop_devices - I went to the specific cluster object and could not find it. Is this possible, or am I missing something here?

  8. #28
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    642
    Rep Power
    5

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    After 4 months of continuous site-to-site packet loss I see the light on this.
    CP support needed about 9 weeks to be able to say this: the partner VPN endpoint is deleting SPIs, hence the degradation of service.
    Fortinet support also needed about 6 weeks to come up with a solution for this: set mesh-selector-type subnet.

    Full Fortinet CLI description:

    mesh-selector-type {disable | subnet | host}
    Note: This entry is only available when ike-version is set to 1. Disable (by default) or set dynamic mesh
    selectors for IKEv1 VPNs to either subnet or host. Note that dynamic selectors are not saved to the
    configuration and will be removed when tunnels are flushed.
    - Use subnet to install a selector for the address group that matches traffic packets.
    - Use host to install a selector for the source and destination IP addresses of traffic packets.


    And here is the full KB explanation (no registration required): http://kb.fortinet.com/kb/microsites...00%20120846097

    I am glad it's done, I am sad it took that much time.

  9. #29
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,480
    Rep Power
    8

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So does that mean that the normal setting for a VPN tunnel on Fortinet is 0.0.0.0/0 for the proxy ID, and you changed from that default to something like a VPN tunnel per subnet pair?

  10. #30
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    642
    Rep Power
    5

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by jflemingeds View Post
    So does that mean that the normal setting for a VPN tunnel on Fortinet is 0.0.0.0/0 for the proxy ID, and you changed from that default to something like a VPN tunnel per subnet pair?
    The first time you build Phase 2, if you make no change you end up with 0.0.0.0/0 as the proxy ID. If I do IPsec with another Fortigate I usually leave it like this, as I always use route-based tunnels.
    Now, with a 3rd-party vendor, I create an object for every network, then bundle the objects into address groups. Finally I use the address groups in the Phase 2 settings.

  11. #31
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,088
    Rep Power
    12

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by laf_c View Post
    After 4 months of continuous site-to-site packet loss I see the light on this.
    CP support needed about 9 weeks to be able to say this: the partner VPN endpoint is deleting SPIs, hence the degradation of service.
    Fortinet support also needed about 6 weeks to come up with a solution for this: set mesh-selector-type subnet.

    Full Fortinet CLI description:

    mesh-selector-type {disable | subnet | host}
    Note: This entry is only available when ike-version is set to 1. Disable (by default) or set dynamic mesh
    selectors for IKEv1 VPNs to either subnet or host. Note that dynamic selectors are not saved to the
    configuration and will be removed when tunnels are flushed.
    - Use subnet to install a selector for the address group that matches traffic packets.
    - Use host to install a selector for the source and destination IP addresses of traffic packets.


    And here is the full KB explanation (no registration required): http://kb.fortinet.com/kb/microsites...00%20120846097

    I am glad it's done, I am sad it took that much time.
    So the Fortinet by default will try to roll-up/aggregate multiple Phase 2 tunnels into a 0.0.0.0/0 universal tunnel and that's why it was deleting the SAs. As I mentioned above it must try to do this when you hit 5 different tunneling combinations (unless you change the mesh selector), and I was theorizing earlier that this was some kind of limit but it is just this Fortinet default behavior.

    Thanks for the follow-up.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  12. #32
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    642
    Rep Power
    5

    Default Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Quote Originally Posted by ShadowPeak.com View Post
    So the Fortinet by default will try to roll-up/aggregate multiple Phase 2 tunnels into a 0.0.0.0/0 universal tunnel and that's why it was deleting the SAs. As I mentioned above it must try to do this when you hit 5 different tunneling combinations (unless you change the mesh selector), and I was theorizing earlier that this was some kind of limit but it is just this Fortinet default behavior.

    Thanks for the follow-up.
    Actually it doesn't sum up to 0.0.0.0/0 but only to the group of subnets I set up as either source or dst.
    Still, the way it deals with them when building the SPI differs. I'll ask Fortinet TAC support for additional info and let you know.
