After ISP failover on LSV (Large Scale VPN) peer, gateway keeps using the old MSPI
Solution ID: sk108388
Product: Quantum Security Gateways
Version: R77.30 (EOL), R80.10 (EOL), R80.20, R80.30, R80.40
Date Created: 27-Oct-2015
Last Modified: 15-Oct-2020
Symptoms
- When the LSV peer experiences an interface (ISP) failover, it eventually re-negotiates IKE Main Mode with the peer Gateway. After the IKE negotiation completes, new connections pass through the tunnel, but packets belonging to existing connections are still sent to the old IP address of the LSV peer.
- Kernel debug shows the drops:
[-- request_ipsec_sa: Renew (outbound) SA --];
[DATE TIME]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
[DATE TIME]...;add_to_MSPI_requests_table_ex: Already have this connection;
[DATE TIME]...;request_ipsec_sa: Trap is on the way. not trapping;
[DATE TIME]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
[DATE TIME]...;fw_log_drop_ex: Packet proto=1 192.x.x.x:0 -> 10.x.x.x:16397 dropped by vpn_encrypt_chain Reason: No error;
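The drop sequence above can be recognised automatically when reviewing a VPN kernel debug capture. The following Python script is an added example, not part of this article or of any Check Point tool: it scans "fw ctl debug" style output for the ordered markers quoted above (renew request, "Already have this connection", "not trapping", encryption failure) and tallies vpn_encrypt_chain drops per destination address, so the destinations can be compared against the LSV peer's current address. The sample lines, timestamps, addresses and the "other_chain" name are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug lines quoted in the Symptoms section.
# Timestamps, addresses, ports and "other_chain" are placeholders, not captured data.
SAMPLE_DEBUG = """\
[-- request_ipsec_sa: Renew (outbound) SA --];
[10:00:01]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
[10:00:01]...;add_to_MSPI_requests_table_ex: Already have this connection;
[10:00:01]...;request_ipsec_sa: Trap is on the way. not trapping;
[10:00:01]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
[10:00:01]...;fw_log_drop_ex: Packet proto=1 192.0.2.10:0 -> 198.51.100.7:16397 dropped by vpn_encrypt_chain Reason: No error;
[10:00:02]...;fw_log_drop_ex: Packet proto=6 192.0.2.11:443 -> 198.51.100.7:16397 dropped by vpn_encrypt_chain Reason: No error;
[10:00:03]...;fw_log_drop_ex: Packet proto=17 192.0.2.12:500 -> 203.0.113.9:4500 dropped by other_chain Reason: No error;
"""

# Ordered markers of the symptom: the outbound SA renew request is ignored because
# an MSPI request for this connection already exists, so encryption then fails.
STALE_SEQUENCE = (
    "request_ipsec_sa: Renew (outbound) SA",
    "add_to_MSPI_requests_table_ex: Already have this connection",
    "request_ipsec_sa: Trap is on the way. not trapping",
    "vpn_encrypt_chain: encryption failure, dropping packet",
)

DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>\S+):\d+ -> "
    r"(?P<dst>\S+):\d+ dropped by (?P<chain>\S+)"
)

def analyse_vpn_debug(text):
    """Detect the stale-MSPI marker sequence and count vpn_encrypt_chain drops per destination."""
    stage = 0  # number of STALE_SEQUENCE markers seen so far, in order
    drops_by_dst = Counter()
    for line in text.splitlines():
        if stage < len(STALE_SEQUENCE) and STALE_SEQUENCE[stage] in line:
            stage += 1
        m = DROP_RE.search(line)
        if m and m.group("chain") == "vpn_encrypt_chain":
            drops_by_dst[m.group("dst")] += 1
    return {"stale_mspi": stage == len(STALE_SEQUENCE),
            "drops_by_dst": dict(drops_by_dst)}

if __name__ == "__main__":
    result = analyse_vpn_debug(SAMPLE_DEBUG)
    if result["stale_mspi"]:
        print("stale outbound SA signature found; vpn_encrypt_chain drops per destination:")
        for dst, n in result["drops_by_dst"].items():
            print(f"  {dst}: {n}  (compare with the LSV peer's current address)")
```

A destination that still receives encrypt-chain drops after the IKE re-negotiation, and that no longer matches the peer's current address, is the old peer IP the Symptoms section describes.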
Solution