CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Results 1 to 2 of 2

Thread: Strange block for VPN traffic

  1. #1
    Join Date
    Rep Power

    Default Strange block for VPN traffic


    I have attached a couple screen shots to this post. I have a host on my network ( that sends udp-domain traffic through a IPSEC VPN. The DNS server on the other end of the VPN is Starting yesterday udp-domain traffic from my host to the other sides DNS server started being blocked by my Check Point security gateway.

    What is odd is the log shows rule 101 drops the traffic when rule 101 explicitly permits udp-domain traffic to the destination.

    The information in the SmartView Tracker includes "encryption fail reson: Packet is dropped because there is no valid SA - please refer to solution sk19423."

    What is odd is I have several other hosts on my network that traverse this ISPEC VPN so in theory the IPSEC tunnel in up and healthy.

    If the DNS server on the far end of the of the VPN is actually down, would Check Point know and show a blocked message like this?Click image for larger version. 

Name:	mound atm dns 11-5-18.jpg 
Views:	31 
Size:	144.0 KB 
ID:	1414
    Click image for larger version. 

Name:	rule 101.jpg 
Views:	35 
Size:	12.6 KB 
ID:	1415

  2. #2
    Join Date
    DFW, TX
    Rep Power

    Default Re: Strange block for VPN traffic

    "Packet is dropped because there is no valid SA" always means a VPN negotiation has failed. If other things on your end are able to talk to other things on the peer's end, that points to a phase 2 failure.

    The negotiation failures should leave other log messages around the same time referencing the VPN community name and the peer gateway. If you have trouble finding or interpreting them, I would run an IKE debug (sk30994), try to send the traffic, then collect the ike.elg file and open it in IKEView (linked in the same article).

    Edited to add: By the way, SmartView Tracker is awful. Is there a particular reason you're using it instead of SmartLog? I'm pretty sure any SmartCenter version new enough to have the hit count in the rulebase is new enough for SmartLog.
    Last edited by Bob_Zimmerman; 2018-11-06 at 17:58.

Similar Threads

  1. Best possible way to monitor AS2 traffic and block rogue Traffic
    By Druva in forum IPS Blade (Formerly SmartDefense)
    Replies: 2
    Last Post: 2016-01-04, 02:48
  2. Replies: 3
    Last Post: 2011-09-29, 04:23
  3. Which Rule would block this traffic?
    By scucci in forum SmartView Tracker
    Replies: 1
    Last Post: 2008-11-07, 18:17
  4. Block traffic forwarded to another proxy
    By Andronitus in forum Miscellaneous
    Replies: 2
    Last Post: 2008-04-14, 04:08
  5. Block HTTPS traffic for particular group
    By sridharraj80 in forum Check Point SecurePlatform (SPLAT)
    Replies: 5
    Last Post: 2007-02-13, 05:06


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts