The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
After ISP failover on LSV peer, gateway keeps using the old MSPI
| Solution ID |
sk108388 |
| Product |
Security Gateway |
| Version |
R77.30 |
| Date Created |
27-Oct-2015
|
| Last Modified |
08-Dec-2017
|
Symptoms
- When the LSV peer experiences the interface failover, it will eventually re-negotiate IKE MM with R77.30 gateway.
After the IKE negotiation completed, new connection passes through the tunnel, but old connections are still sent to the old IP address of the LSV peer.
- Kernel debug shows the drops:
[-- request_ipsec_sa: Renew (outbound) SA --];
[DATE TIME]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
[DATE TIME]...;add_to_MSPI_requests_table_ex: Already have this connection;
[DATE TIME]...;request_ipsec_sa: Trap is on the way. not trapping;
[DATE TIME]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
[DATE TIME]...;fw_log_drop_ex: Packet proto=1 192.x.x.x:0 -> 10.x.x.x:16397 dropped by vpn_encrypt_chain Reason: No error;
Solution
|
Note: To view this solution you need to
Sign In
.
|
