CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Received a cleartext packet within an encrypted connection

#1 ravindra692 (joined 2017-09-10, 39 posts)

Received a cleartext packet within an encrypted connection

    All

I have an L2L VPN tunnel with a vendor. The vendor has a Cisco firewall on their end and I am running Check Point VSX GAIA R77.30. The tunnel is working fine; I recently added an inbound traffic flow from the vendor to me. This new traffic flow includes three hosts that the vendor targets. For the first one everything is fine, but for the other two hosts I am seeing decrypts on my end while at the same time also seeing drops with the error "Received a cleartext packet within an encrypted connection". Even so, the tunnel is working fine for all other traffic flows; I am seeing this error for these two hosts only and I don't understand why.


    Any help would be much appreciated.

    --Ravi

#2 ShadowPeak.com (Colorado, USA; joined 2009-04-30, 2,242 posts)

Re: Received a cleartext packet within an encrypted connection

Quote Originally Posted by ravindra692 (post #1, quoted in full)
Most likely the destination IP address of those two servers they are failing to reach is not part of your own firewall's defined VPN domain, or the source IP address they are using to initiate the connections to those two servers is not part of the VPN domain of the peer object representing their Cisco; it is also possible that they are incorrectly NATing the problematic traffic on their end to an address your firewall is not expecting before encrypting it into the tunnel.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

#3 Bob_Zimmerman (DFW, TX; joined 2007-03-30, 289 posts)

Re: Received a cleartext packet within an encrypted connection

Quote Originally Posted by ShadowPeak.com (post #2)
    Other way around. "Received a cleartext packet within an encrypted connection" means the Check Point side is expecting it to be encrypted, but the Cisco side isn't encrypting it. Either the encryption domains are too large or the Cisco-side crypto map is too small.

    I occasionally post an explanation of the common drop messages related to VPN domains.
    Zimmie

#4 themadhatterz (joined 2017-04-26, 19 posts)

Re: Received a cleartext packet within an encrypted connection

Almost 100% certain this is due to receiving a packet the firewall has already decrypted a second time. Does someone downstream from the firewall have appropriate routing for the two hosts that don't work? Can you capture it and see?

#5 ShadowPeak.com (Colorado, USA; joined 2009-04-30, 2,242 posts)

Re: Received a cleartext packet within an encrypted connection

Quote Originally Posted by Bob_Zimmerman (post #3)
    Ah yes, the situation I described was "According to the policy, the packet should not have been decrypted". Nice catch.

#6 Bob_Zimmerman (DFW, TX; joined 2007-03-30, 289 posts)

Re: Received a cleartext packet within an encrypted connection

Quote Originally Posted by themadhatterz (post #4)
    This is also a possibility since the VPN decision happens so early in packet processing. Specifically, it would happen if the packet is encrypted on the Cisco side, decrypted by the Check Point side, routed to another device (we're good so far), then routed back to the Check Point device. That is, a routing loop after the decryption. The Check Point box will see that the source is in a peer's encryption domain and the destination is in its own encryption domain, so the packet should have been encrypted.

    While in the TAC, I didn't see this as often as I saw simple encryption domain mismatch.

Quote Originally Posted by ShadowPeak.com (post #5)
    Yeah, those two are probably the most specific, but least intuitively obvious errors in the product.
    Zimmie
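The two mechanisms described in posts #3 and #6 (an encryption-domain mismatch where the Check Point VPN domain is wider than the Cisco crypto map, and a routing loop that sends an already-decrypted packet back to the gateway in cleartext) as a small Python model. This is an added example, not code from the thread or from Check Point; the addresses, the Topology class and every function name are constructed for illustration, and the mismatch case assumes a packet the Cisco does not encrypt still reaches the Check Point with its original source address (no NAT on the Cisco side).

```python
import ipaddress
from dataclasses import dataclass

# The two Check Point VPN drop reasons discussed in the thread.
CLEARTEXT_IN_ENCRYPTED = "Received a cleartext packet within an encrypted connection"
SHOULD_NOT_DECRYPT = "According to the policy the packet should not have been decrypted"


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Topology:
    cp_domain: list         # VPN domain of our own Check Point gateway object
    peer_domain: list       # VPN domain of the peer object representing the Cisco
    cisco_crypto_acl: list  # (src_net, dst_net) pairs the Cisco crypto map encrypts


def in_any(ip, nets):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in nets)


def cisco_encrypts(topo, src, dst):
    """Does the Cisco crypto map ACL match this flow and push it into the tunnel?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in topo.cisco_crypto_acl)


def checkpoint_verdict(topo, src, dst, arrived_encrypted):
    """Model of the early VPN-domain decision on the Check Point side.

    If src is in a peer's VPN domain and dst is in our own VPN domain, the packet
    must have arrived through the tunnel; arriving in cleartext gets it dropped.
    The mirror case (decrypted, but policy says it should not have been) is the
    other drop reason named in the thread.
    """
    must_be_encrypted = in_any(src, topo.peer_domain) and in_any(dst, topo.cp_domain)
    if must_be_encrypted and not arrived_encrypted:
        return ("drop", CLEARTEXT_IN_ENCRYPTED)
    if arrived_encrypted and not must_be_encrypted:
        return ("drop", SHOULD_NOT_DECRYPT)
    return ("accept", "")


def vendor_initiates(topo, src, dst):
    """Post #3 scenario: the Cisco either encrypts the flow or sends it in clear.
    Assumption: a cleartext packet still reaches the Check Point with its
    original source address (no NAT on the Cisco side)."""
    return checkpoint_verdict(topo, src, dst, cisco_encrypts(topo, src, dst))


def routing_loop(topo, src, dst):
    """Post #6 scenario: the tunnel works and the packet is decrypted and accepted,
    then an internal router sends it back to the gateway, where it arrives a
    second time, now in cleartext. Returns the verdict of each pass."""
    first = vendor_initiates(topo, src, dst)
    if first[0] != "accept":
        return [first]
    second = checkpoint_verdict(topo, src, dst, arrived_encrypted=False)
    return [first, second]


# Constructed addresses (not the poster's). Our VPN domain is the whole /24, but
# the Cisco crypto map only covers the first of the three new target hosts.
MISMATCHED = Topology(
    cp_domain=_nets("10.10.0.0/24"),
    peer_domain=_nets("192.168.50.0/24"),
    cisco_crypto_acl=[(ipaddress.ip_network("192.168.50.0/24"),
                       ipaddress.ip_network("10.10.0.10/32"))],
)
# Same topology after the crypto map is widened to match our VPN domain.
FIXED = Topology(
    cp_domain=_nets("10.10.0.0/24"),
    peer_domain=_nets("192.168.50.0/24"),
    cisco_crypto_acl=[(ipaddress.ip_network("192.168.50.0/24"),
                       ipaddress.ip_network("10.10.0.0/24"))],
)
VENDOR_SRC = "192.168.50.20"
TARGET_HOSTS = ["10.10.0.10", "10.10.0.11", "10.10.0.12"]


def report(topo, src=VENDOR_SRC, hosts=TARGET_HOSTS):
    """Verdict per target host for vendor-initiated traffic."""
    return {h: vendor_initiates(topo, src, h) for h in hosts}


if __name__ == "__main__":
    for name, topo in (("mismatched", MISMATCHED), ("fixed", FIXED)):
        for host, (action, reason) in report(topo).items():
            print(f"{name:10} {VENDOR_SRC} -> {host}: {action} {reason}")
    for i, (action, reason) in enumerate(routing_loop(FIXED, VENDOR_SRC, "10.10.0.11"), 1):
        print(f"routing loop pass {i}: {action} {reason}")
```

With the mismatched topology only the first host is accepted and the other two produce the cleartext drop, which is the pattern the original post describes; widening the crypto map (or shrinking the Check Point VPN domain to what the Cisco actually encrypts) clears it. The routing_loop run shows why decrypts and drops for the same flow can appear in the same log: the first pass through the gateway is fine, the second pass is the drop. A capture on the internal interface (post #4's suggestion) distinguishes the two cases, since in the loop case the cleartext copy arrives from inside rather than from the peer.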
