Troubleshooting Overlapping Encryption Domains Issues
Solution

Table of Contents

  • Overlapping Encryption Domains

  • Various Scenarios

    • Scenario 1: "The gateways XXX and YYY have partial overlapping encryption domains" error during Policy Verification

    • Scenario 2: 'vpn overlap_encdom traditional -s' command hangs on Check Point installation with huge database of objects

    • Scenario 3: 'encryption failure: Wrong peer gateway for decrypted' log in SmartView Tracker

    • Scenario 4: VPN traffic is sent out in clear when traffic matches community criteria

    • Scenario 5: Partially overlapping encryption domain error on Policy install

    • Scenario 6: When configuring a Traditional Mode policy, the Allowed Peer Gateway setting is ignored

    • Scenario 7: Error: "There are at least two firewalls with partially overlapping encryption domains"

    • Scenario 8: SecureClient fails to create site: 'Error: Site has at least two gateways with a partially overlapping encryption domain'

    • Scenario 9: VPN client fails to set up a site to ClusterXL in MEP topology with error 'There are at least two firewalls with partially overlapping encryption domains'

    • Scenario 10: Remote Access users cannot connect to site after upgrading the Management Server to R76

  • Related documentation


Overlapping Encryption Domains

There are three basic types of overlapping VPN Domains:

 

Various Scenarios

There are many scenarios in which you may encounter "Overlapping Encryption Domains" issues. The scenarios that we have encountered and dealt with are detailed below.

Scenario 1: "The gateways XXX and YYY have partial overlapping encryption domains" error during Policy Verification

Product: IPSec VPN, SmartDashboard, Security Management, Multi-Domain Management / Provider-1

Symptoms:

Error during Policy Verification:

The gateways <Name_of_Gateway_1> and <Name_of_Gateway_2> have partial overlapping encryption domains.
Therefore, Endpoint Connect users will not support  MEP configuration
SecureRemote/SecureClient users will not be able to create site.
If any of the GWs should not be exported to SR/SC, please
remove it from the RemoteAccess community or uncheck the exportable for SR box.
The overlapping domain include :
x.x.x.x - x.x.x.x
The exclusive domain of <Name_of_Gateway_1> include:
y.y.y.y - y.y.y.y
The exclusive domain of <Name_of_Gateway_2> include:
z.z.z.z - z.z.z.z

Cause:

There is "partial overlapping encryption domain" between two or more Security Gateways that are included inside the Remote Access community.

Solution:

Starting in R76, SmartDashboard alerts about an unsupported configuration - "partial overlapping encryption domain" between two or more Security Gateways inside the Remote Access community.

This error message does not indicate any issue and it does not fail the policy installation.

When Remote Access clients connect to a Security Gateway, they download the topology of all Security Gateways in the Remote Access community.

The clients need to know the Remote Access encryption domain of each Security Gateway for the MEP and Secondary Connect features, that is, in which encryption domain each internal resource is located, so that they can establish a tunnel with the relevant Security Gateway dynamically and transparently to the user.

Officially, MEP is only supported when the Security Gateways have completely overlapping Remote Access encryption domains, and Secondary Connect is only supported when the Security Gateways have completely separate Remote Access encryption domains, with no overlap at all.

When there are partially overlapping encryption domains, the configuration fits neither the MEP nor the Secondary Connect encryption domain requirements. Therefore, this warning message pops up to warn the administrator that the configuration might affect the use of these features.

To prevent this error message and avoid affecting the MEP and Secondary Connect features, do not configure partially overlapping encryption domains inside the Remote Access community.

 

Scenario 2: 'vpn overlap_encdom traditional -s' command hangs on Check Point installation with huge database of objects

Product: IPSec VPN, CPInfo

Symptoms:

  • 'vpn overlap_encdom traditional -s' command hangs on Check Point installation with huge database of objects. It might take more than an hour for this command to complete.

  • CPinfo utility crashes when collecting CPinfo file.

    CPinfo file ends with this section :
    ==============================================
    Overlapping Encryption Domains
    ==============================================

Cause:

In order for the 'vpn overlap_encdom traditional -s' command to produce an output, it must go over all objects and check specific attributes. If the database contains many objects, this process takes a very long time, which might cause unexpected behavior.

Solution:

Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

 

Scenario 3: 'encryption failure: Wrong peer gateway for decrypted' log in SmartView Tracker

Product: IPSec VPN

Symptoms:

  • No traffic passing through VPN tunnel.
  • "encryption failure: Wrong peer gateway for decrypted" log in SmartView Tracker.
  • "encryption failure: Wrong peer gateway for decrypted" drop in kernel debug (fw ctl debug -m fw + drop).

Cause:

Two or more VPN tunnels with overlapping encryption domains reach the same host(s). The VPN Gateway flags the packet as VPN traffic, but cannot decide which tunnel to send it through, because the source and destination criteria match more than one tunnel.

Solution:

Follow these steps:

  1. Check for overlapping encryption domains on Security Gateway:

    [Expert@HostName]# vpn overlap_encdom communities -s

    This command will display the VPN communities and the corresponding encryption domains. It will also specify any overlap.

  2. Check VPN rules to verify whether source and destination would cause conflicts.

  3. Correct any overlaps.

  4. Install the policy after any changes in SmartDashboard.

 

Scenario 4: VPN traffic is sent out in clear when traffic matches community criteria

Product: IPSec VPN

Symptoms:

  • VPN traffic is being sent in clear, when source, destination and community settings all match the community criteria.
  • Kernel debug shows that the local gateway chooses to not encrypt this traffic:
    get_tunnel_params: Failed to find the address 0a330016 in routing table.;
    get_tunnel_params: Found entry with gateway cb19e601 in routing table.;

Cause:

Duplicate objects with the same main IP address cause the duplicate object to match the peer's encryption domain.

The gateway builds the community based on the duplicate object instead of the peer gateway object, because their main IP addresses match.

Solution:

  1. Run the command: fwm -d gen <policyname.W> >& policy_gen_debug.txt &
  2. In the output, look for the main IP addresses of the local gateway and of the peer, and ensure that no duplicate objects use those IP addresses.
  3. If any are found, remove or re-address the objects as necessary.
  4. Run the fwm -d gen command again to ensure there are no overlapping encryption domains.

 

Scenario 5: Partially overlapping encryption domain error on Policy install

Product: SecureClient, Endpoint Connect, Edge, IPSec VPN, Security Management

Symptoms:

  • When installing policy in SmartConsole / SmartDashboard, or updating topology on SecureClient, an error appears stating that there is a partially overlapping encryption domain:
    "Site x.x.x.x has at least two gateways with a partially overlapping encryption domain"

Cause:

When using Simplified Configuration for SecureClient VPN, partially overlapping encryption domains are not supported.

Notes:

  • Fully overlapping encryption domains are supported, and considered as MEP.
  • For Site to Site VPN, partially overlapping encryption domains are supported.

Solution:

When a partially overlapping encryption domain error is displayed, the user can check what the partially overlapping domains are, as follows:

For Site to Site VPN:

On the CLI of the SmartCenter (Security Management) server, run: vpn overlap_encdom

For SecureClient VPN:

When SecureClient users are trying to download topology, and the partially overlapping encryption domain error is displayed, the user can check a text file that is generated via SmartDashboard:

    1. In SmartDashboard, from the Policy menu select View Policy of > select the Security Gateway object > click OK.
      Note - In R65.4 and above:
      1. From the Policy menu select View Policy of
      2. Select the Security Gateway object
      3. Click Add
      4. Click Apply
    2. The policy file appears.
      Note - If the file does not appear, examine the $FWDIR/conf/<Policy Name>.pf file on the Management Server.
      The policy name should be specified, as it appears in SmartDashboard.
    3. Copy the text using a text editor.
    4. Search for this line:
      VPN-1 tables
    5. Beneath this line, the name of the Security Gateway objects and their valid SecureClient encryption domains appear.
    6. Compare the different encryption domains of each Security Gateway and find the overlapping objects.
    7. Reconfigure the objects so that the domains no longer partially overlap.
    8. In SmartDashboard, install the policy on each Security Gateway.
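The manual comparison in step 6 above, and the complete / partial / no-overlap distinction that Scenario 1 explains (complete overlap fits MEP, no overlap fits Secondary Connect, partial overlap raises the Policy Verification warning), can be reproduced offline. The following script is an added example, not Check Point code: the gateway names and CIDR ranges in DOMAINS are constructed sample data, and in practice you would fill the dictionary from the ranges listed under "VPN-1 tables" in the policy file or from the 'vpn overlap_encdom' output. It reports the overlapping and exclusive ranges for each pair of gateways in the same shape as the Scenario 1 error text, and lists the pairs that would trigger the warning.

```python
"""Classify how the Remote Access encryption domains of two Security
Gateways overlap: completely (MEP), not at all (Secondary Connect) or
partially (the Policy Verification warning).

Added example, not Check Point code. DOMAINS holds constructed sample
data; replace it with the real gateway domains from your topology.
"""
from ipaddress import ip_network, collapse_addresses
from itertools import combinations

# Constructed sample topology (hypothetical): gateway name -> list of CIDRs
DOMAINS = {
    "GW_A": ["10.51.0.0/16", "192.168.10.0/24"],
    "GW_B": ["10.51.0.0/16", "192.168.10.0/24"],  # same as GW_A: complete overlap
    "GW_C": ["172.16.0.0/12"],                    # disjoint from GW_A: no overlap
    "GW_D": ["10.51.128.0/17", "10.99.0.0/24"],   # half inside GW_A: partial overlap
}


def _nets(cidrs):
    """Parse CIDR strings and merge adjacent or nested blocks."""
    return list(collapse_addresses(ip_network(c) for c in cidrs))


def shared_ranges(a_nets, b_nets):
    """Address ranges present in both domains.

    Two CIDR blocks that overlap are always nested, so their
    intersection is the more specific (longer prefix) block.
    """
    shared = [a if a.prefixlen >= b.prefixlen else b
              for a in a_nets for b in b_nets if a.overlaps(b)]
    return list(collapse_addresses(shared))


def exclusive_ranges(a_nets, b_nets):
    """Address ranges of domain A that are not covered by domain B."""
    remaining = list(a_nets)
    for b in b_nets:
        kept = []
        for a in remaining:
            if a.subnet_of(b):          # a lies entirely inside b: drop it
                continue
            if b.subnet_of(a):          # b punches a hole in a: keep the rest
                kept.extend(a.address_exclude(b))
            else:                       # no overlap at all: keep a unchanged
                kept.append(a)
        remaining = kept
    return list(collapse_addresses(remaining))


def classify(name_a, name_b, domains=DOMAINS):
    """Return (kind, shared, only_a, only_b); kind is one of
    "complete", "partial" or "none"; ranges are CIDR strings."""
    a, b = _nets(domains[name_a]), _nets(domains[name_b])
    shared = shared_ranges(a, b)
    only_a = exclusive_ranges(a, b)
    only_b = exclusive_ranges(b, a)
    if not shared:
        kind = "none"        # completely separate: fits Secondary Connect
    elif not only_a and not only_b:
        kind = "complete"    # identical domains: fits MEP
    else:
        kind = "partial"     # neither: SmartDashboard warns about this
    return (kind, [str(n) for n in shared],
            [str(n) for n in only_a], [str(n) for n in only_b])


def partial_pairs(domains=DOMAINS):
    """All gateway pairs in the community that would trigger the warning."""
    return [(x, y) for x, y in combinations(sorted(domains), 2)
            if classify(x, y, domains)[0] == "partial"]


def report(name_a, name_b, domains=DOMAINS):
    """Summary in the spirit of the Policy Verification message text."""
    kind, shared, only_a, only_b = classify(name_a, name_b, domains)
    lines = [f"{name_a} and {name_b}: {kind} overlap"]
    if kind == "partial":
        lines.append("  overlapping: " + ", ".join(shared))
        lines.append(f"  exclusive to {name_a}: " + ", ".join(only_a))
        lines.append(f"  exclusive to {name_b}: " + ", ".join(only_b))
    return "\n".join(lines)


if __name__ == "__main__":
    for x, y in combinations(sorted(DOMAINS), 2):
        print(report(x, y))
    print("pairs to fix:", partial_pairs())
```

With the sample data, GW_A and GW_B are reported as a complete overlap (a valid MEP pair), GW_A and GW_C as no overlap (a valid Secondary Connect pair), and GW_D as partially overlapping with both GW_A and GW_B, with 10.51.128.0/17 as the shared range; those are the pairs whose domains need to be reconfigured in step 7.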

 

Scenario 6: When configuring a Traditional Mode policy, the Allowed Peer Gateway setting is ignored

Product: IPSec VPN

Symptoms:

  • When configuring a Traditional Mode policy, where two or more peer Security Gateways have overlapping encryption domains, the "Allowed Peer Gateway" setting, beneath the Encrypt Action Properties in a rule is ignored, and instead, MEP resolution still occurs.
  • The VPN-1 Security Gateway will still try to use RDP to probe the peer Security Gateway, instead of just sending VPN packets to the peer specified in the "Allowed Peer Gateway" setting.

Solution:

Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

 

Scenario 7: Error: "There are at least two firewalls with partially overlapping encryption domains"

Product: SecureClient, IPSec VPN

Symptoms:

  • Error indicating overlapping encryption domains is seen on SecuRemote.

Cause:

When using Simplified Configuration for SecureClient VPN, partially overlapping encryption domains are not supported.

Solution:

Add both Security Gateways to the VPN/encryption domain.

For detailed procedure, refer to:

Important: There are cases, in which a subnet in the VPN domain of one Security Gateway network object is overlapping with the internal interface IP address of another Security Gateway network object. (Both Security Gateways are managed by the same SmartCenter (Security Management) server or CMA.) Refer to sk32252: SecureClient is unable to download site from the designated VPN-1 Gateway.

Related Solution(s):

 

Scenario 8: SecureClient fails to create site: 'Error: Site has at least two gateways with a partially overlapping encryption domain'

Product: SecureClient

Symptoms:

  • SecureClient fails to create a VPN site with the error "Site has at least two gateways with a partially overlapping encryption domain".
  • There is only one Security Gateway in the Remote Access VPN community.

Cause:

There is at least one other Security Gateway that is not in the Remote Access VPN community but is managed by the same management server, has its information exportable to SecuRemote/SecureClient, and has a VPN domain that partially overlaps.

Solution:

Disable the 'Exportable for SecuRemote/SecureClient' flag on the Security Gateways that do not participate in the RemoteAccess community.

In SmartDashboard:

    1. Edit the relevant Check Point Gateway from the Network Objects tree: 'Right-click > Edit'.
    2. In the Check Point Gateway dialog box, select "IPSec VPN" from the left pane.
    3. In the VPN page, click on the "Traditional mode configuration" button.
    4. In the 'Traditional mode IKE properties' dialog box, uncheck the 'Exportable for SecuRemote/SecureClient' check box.
    5. Click "OK" in the 'Traditional mode IKE properties' dialog box.
    6. Click "OK" in the Check Point Gateway dialog box.
    7. Click "Close" in the Network Objects dialog box.
    8. Install the security policy on the VPN-1 Gateways.
    9. In SecureClient, create the required VPN site.

 

Scenario 9: VPN client fails to set up a site to ClusterXL in MEP topology with error 'There are at least two firewalls with partially overlapping encryption domains'

Product: ClusterXL, Endpoint Connect, SecureClient

Symptoms:

  • Attempt to set up a site to ClusterXL in MEP topology with SecureClient results in error message:
    'There are at least two firewalls with partially overlapping encryption domains'

Solution:

Add objects of all cluster members (and not the cluster object) to the encryption domain of Remote Access.

 

Scenario 10: Remote Access users cannot connect to site after upgrading the Management Server to R76

Product: Endpoint Security VPN, Security Management

Symptoms:

  • Endpoint clients are unable to connect to a site, usually with the error message "Failed to download topology" on the client.
  • R60 clients fail to update site or create a new site, with the error of overlapping encryption domains.

Cause:

In R76, when Mobile Access is enabled, the gateway is automatically added to the Remote Access VPN community (this is done to allow Mobile VPN clients to work without having to enable the IPSec blade). This may cause MEP and Secondary Connect to include unwanted gateways, as they are part of the Remote Access community and cannot be removed.

Solution:

SmartDashboard should allow removing the Mobile Access-enabled gateways from the Remote Access community.

Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

 

Applies To:
  • The following solutions were merged into sk106837:
    sk101986, sk68380, sk92612, sk105877, sk34901, sk36052, sk7951, sk54920, sk70501, sk92715
