
Thread: Somehow Traffic is not passing through tunnel

  1. #1

    Somehow Traffic is not passing through tunnel

    Hi there,

    I am kinda facing a weird issue and getting clueless. I have two firewalls managed by central management and am trying to establish a VPN tunnel between them. The mgmt server is NATted to enforce policy on Location B.

    Since it's a central mgmt, certificate VPN will be used. I see the tunnel is getting up, both P1 and P2 are up, but traffic is not being passed from LOC-A to LOC-B.

    Here is my scenario:

    Loc-A [ INTERNET-20.30.40.50-192.168.10.1]------------------------LOC-B[40.50.40.60---192.168.30.1]

    Enc dom - LOC-A 192.168.10.x/24 & LOC-B 192.168.30.0/24

    I tried capturing packets on the LOC-A and LOC-B internal interfaces. I see packets from 192.168.10.10 to 192.168.30.30 reaching 192.168.30.1; even the reply is seen, but it is not observed on the 10.1 interface. No drop, nothing is observed in Tracker. I see packets are encrypted and getting decrypted, but connectivity is not happening.

  2. #2

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Hi there,

    I am kinda facing a weird issue and getting clueless. I have two firewalls managed by central management and am trying to establish a VPN tunnel between them. The mgmt server is NATted to enforce policy on Location B.

    Since it's a central mgmt, certificate VPN will be used. I see the tunnel is getting up, both P1 and P2 are up, but traffic is not being passed from LOC-A to LOC-B.

    Here is my scenario:

    Loc-A [ INTERNET-20.30.40.50-192.168.10.1]------------------------LOC-B[40.50.40.60---192.168.30.1]

    Enc dom - LOC-A 192.168.10.x/24 & LOC-B 192.168.30.0/24

    I tried capturing packets on the LOC-A and LOC-B internal interfaces. I see packets from 192.168.10.10 to 192.168.30.30 reaching 192.168.30.1; even the reply is seen, but it is not observed on the 10.1 interface. No drop, nothing is observed in Tracker. I see packets are encrypted and getting decrypted, but connectivity is not happening.
    Make sure the "disable NAT" checkbox is set in the VPN Community settings. Are you sure the reply traffic is really arriving back at the internal interface of LOC-B? And coming back through the tunnel to the LOC-A firewall? Sounds like the forward path from LOC-A to LOC-B is fine but the issue is on the return path (which can easily be screwed up by inappropriate NATing), so you'll need to run fw monitor (not tcpdump) on both ends to verify that VPN connectivity is fully working in both directions.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by ShadowPeak.com View Post
    Make sure the "disable NAT" checkbox is set in the VPN Community settings. Are you sure the reply traffic is really arriving back at the internal interface of LOC-B? And coming back through the tunnel to the LOC-A firewall? Sounds like the forward path from LOC-A to LOC-B is fine but the issue is on the return path (which can easily be screwed up by inappropriate NATing), so you'll need to run fw monitor (not tcpdump) on both ends to verify that VPN connectivity is fully working in both directions.
    Nah nah... I can see the return traffic on the LOC-B internal interface; however, it's not being observed on LOC-A. This is something really weird, and NAT is off in the community as well as I added NO NAT between the enc-domains.

    I spent 4 days without luck, and the funny thing is, when the policy push is going on and reaches 84%, ping starts, and as soon as the push is over, ping stops. This definitely sounds like a bug to me.

  4. #4

    Re: Somehow Traffic is not passing through tunnel

    I am giving it a try by installing the latest HFA; probably that would solve it?

  5. #5

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Nah nah... I can see the return traffic on the LOC-B internal interface; however, it's not being observed on LOC-A. This is something really weird, and NAT is off in the community as well as I added NO NAT between the enc-domains.
    Er yes I got that, but is LOC-B actually putting it back into the tunnel? Just because the return traffic shows up at the interface of LOC-B (presumably in a tcpdump which puts the interface in promiscuous mode) does NOT mean the packet successfully made it back into the VPN tunnel. You need to use fw monitor.

    I spent 4 days without luck, and the funny thing is, when the policy push is going on and reaches 84%, ping starts, and as soon as the push is over, ping stops. This definitely sounds like a bug to me.
    Hmm, that sounds suspiciously like a SecureXL issue since SecureXL is off briefly during the atomic load on any gateway running R80.10 or earlier. Try disabling SecureXL by first executing "sim vpn off" and if the problem still persists do a "fwaccel off" but be warned that the latter command may cause noticeable performance degradation on the larger firewall models.

  6. #6

    Re: Somehow Traffic is not passing through tunnel

    Hmm, that's a good lead, let me try doing that.

    BTW what is the exact parameter to check with fw monitor to verify if the traffic is again put back in the tunnel?

  7. #7

    Re: Somehow Traffic is not passing through tunnel

    Nah, it's the same issue.

    I turned them off one by one:

    [Expert@xxx-CPFW-xxx:0]# sim vpn off
    VPN functionality will be disabled the next time acceleration is started/restarted
    [Expert@xxx-CPFW-xxx:0]# fwaccel off
    SecureXL device disabled.

  8. #8

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Hmm, that's a good lead, let me try doing that.

    BTW what is the exact parameter to check with fw monitor to verify if the traffic is again put back in the tunnel?
    It would be something like this, assume that the VPN peer IP address is 129.82.102.32 and the destination IP address on the original packet is 192.168.10.1:

    fw monitor -e "accept host(192.168.10.1) or host(129.82.102.32);"

    What you need to look for is the packet bound for 192.168.10.1 passing through iIo, then an ESP/IPsec packet leaving through O immediately after (as in microseconds later) the original packet went through o. Without doing a kernel debug it is difficult to link the original packet at o with the now-encrypted ESP/IPsec packet through O because all you can see is the outer header after encryption/tunneling.
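As an added example (not part of this thread and not Check Point tooling), a small Python script that applies the check described in the post above to fw monitor output: for each cleartext packet to the inner destination seen at o, it confirms that an ESP packet to the VPN peer leaves at O within a short window, and flags packets that were never re-encrypted. The capture lines are constructed, the leading timestamp prefix and the interface names (eth1 internal, eth0 external) are assumptions, and the addresses follow the thread's topology (return traffic 192.168.30.30 -> 192.168.10.10 on the LOC-B gateway, peer 20.30.40.50).

```python
import re

# Constructed fw monitor excerpt from the LOC-B gateway (assumed interface names:
# eth1 = internal, eth0 = external; the leading timestamp is an assumed prefix).
# Return traffic 192.168.30.30 -> 192.168.10.10 should appear in cleartext at i/I/o
# and then leave as ESP to the LOC-A peer 20.30.40.50 at O microseconds later.
SAMPLE = """\
12:00:01.000100 [vs_0][fw_0] eth1:i[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=7
12:00:01.000110 [vs_0][fw_0] eth1:I[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=7
12:00:01.000120 [vs_0][fw_0] eth0:o[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=7
12:00:01.000135 [vs_0][fw_0] eth0:O[136]: 40.50.40.60 -> 20.30.40.50 (ESP) len=136 id=8
12:00:02.000100 [vs_0][fw_0] eth1:i[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=9
12:00:02.000110 [vs_0][fw_0] eth1:I[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=9
12:00:02.000120 [vs_0][fw_0] eth0:o[84]: 192.168.30.30 -> 192.168.10.10 (ICMP) len=84 id=9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \[vs_\d+\]\[fw_\d+\] "
    r"(?P<ifc>\S+):(?P<pos>[iIoO])\[\d+\]: "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\)"
)


def _secs(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def check_return_path(capture, inner_dst, peer, window=0.001):
    """For each cleartext packet to inner_dst seen at 'o', report whether an ESP
    packet to the VPN peer left at 'O' within `window` seconds afterwards.
    Returns a list of (timestamp, src, re_encrypted) tuples."""
    events = [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]
    results = []
    for idx, ev in enumerate(events):
        if ev["pos"] != "o" or ev["dst"] != inner_dst:
            continue
        t0 = _secs(ev["ts"])
        re_encrypted = any(
            n["pos"] == "O" and n["proto"] == "ESP" and n["dst"] == peer
            and 0 <= _secs(n["ts"]) - t0 <= window
            for n in events[idx + 1:]
        )
        results.append((ev["ts"], ev["src"], re_encrypted))
    return results


if __name__ == "__main__":
    for ts, src, ok in check_return_path(SAMPLE, "192.168.10.10", "20.30.40.50"):
        print(ts, src, "ESP seen at O" if ok else "NOT re-encrypted at O")
```

A second packet that reaches o but never produces an ESP packet at O is exactly the "reply seen on LOC-B but never arriving at LOC-A" symptom described in this thread.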

  9. #9

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by ShadowPeak.com View Post
    It would be something like this, assume that the VPN peer IP address is 129.82.102.32 and the destination IP address on the original packet is 192.168.10.1:

    fw monitor -e "accept host(192.168.10.1) or host(129.82.102.32);"

    What you need to look for is the packet bound for 192.168.10.1 passing through iIo, then an ESP/IPsec packet leaving through O immediately after (as in microseconds later) the original packet went through o. Without doing a kernel debug it is difficult to link the original packet at o with the now-encrypted ESP/IPsec packet through O because all you can see is the outer header after encryption/tunneling.
    Yes, that is the issue; however, when I do sim vpn off then fwaccel off on LOC-B, then reset the VPN tunnel from LOC-A through vpn tu, it starts.

    What could be the cause?

  10. #10

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Yes, that is the issue; however, when I do sim vpn off then fwaccel off on LOC-B, then reset the VPN tunnel from LOC-A through vpn tu, it starts.

    What could be the cause?
    Try this sequence of commands:

    sim vpn off
    fwaccel off;fwaccel on

    Reset the tunnel, does it still work? If it does that indicates some kind of issue specifically with acceleration of VPN traffic.

    Only if it still does not work after trying the above run this:

    fwaccel off

    If it works now that indicates a more general issue with SecureXL not necessarily related to the acceleration of VPN traffic. Once we know which situation you have we can proceed further. Either way, loading the latest GA Jumbo HFA for your firewall version is not a bad idea as there have been many fixes for SecureXL involving VPNs over the years.

  11. #11

    Re: Somehow Traffic is not passing through tunnel

    This is again weird: that worked for some time when I did sim vpn off and fwaccel off, then sim vpn on and fwaccel on, and reset the tunnel through vpn tu.

    But I never tried with the sim vpn off function. This is really frustrating :(

  12. #12

    Re: Somehow Traffic is not passing through tunnel

    Yep, it was definitely an issue with sim, and this is what I have been doing; it works for almost 1-1.5 hours after I do that and then breaks automatically. Not sure what to do?

  13. #13

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Yep, it was definitely an issue with sim, and this is what I have been doing; it works for almost 1-1.5 hours after I do that and then breaks automatically. Not sure what to do?
    As mentioned above, load the latest GA jumbo hotfix for your version; it almost certainly will fix it. If not, you'll probably need to involve Check Point TAC.

  14. #14

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by ShadowPeak.com View Post
    As mentioned above, load the latest GA jumbo hotfix for your version; it almost certainly will fix it. If not, you'll probably need to involve Check Point TAC.
    Already done with 302, but still an issue. Now escalated to TAC.

  15. #15

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by blason View Post
    Already done with 302, but still an issue. Now escalated to TAC.
    A "secret" way to force only the tunnels associated with a certain VPN Community to bypass all acceleration is to simply set the hashing algorithm to SHA-384 for both phases of IKE. The SHA-384 algorithm is not supported by SecureXL and will force all VPN traffic associated with that VPN Community to F2F. This trick works with both R77.30 and R80.10 gateways, not sure about R80.20 yet. This was mentioned in one of the addendums to the first edition of my book as a performance-impacting warning, but you may be able to use it to your advantage in this case.

  16. #16

    Re: Somehow Traffic is not passing through tunnel

    Quote Originally Posted by ShadowPeak.com View Post
    A "secret" way to force only the tunnels associated with a certain VPN Community to bypass all acceleration is to simply set the hashing algorithm to SHA-384 for both phases of IKE. The SHA-384 algorithm is not supported by SecureXL and will force all VPN traffic associated with that VPN Community to F2F. This trick works with both R77.30 and R80.10 gateways, not sure about R80.20 yet. This was mentioned in one of the addendums to the first edition of my book as a performance-impacting warning, but you may be able to use it to your advantage in this case.
    Awesome man...you da man..let me try that :)
