"According to the policy the traffic should not have been decrypted" drop log for traffic from VPN peers after upgrade of Security Gateway to R77.30
Symptoms
  • SmartView Tracker shows that traffic from VPN peers managed via SmartProvisioning (e.g., Edge devices) is dropped by the Security Gateway after the gateway is upgraded to R77.30:

    Action = Drop
    VPN Peer Gateway = 0.0.X.X
    Subproduct = VPN
    VPN Feature = VPN
    Information = encryption failure: According to the policy the traffic should not have been decrypted
  • Kernel debug ('fw ctl debug -m VPN + tagging') on the R77.30 Security Gateway shows:

    ;vpn_inbound_tagging_ex: BEFORE considering comm-based domains, client location: 'Internet', server location: 'My encdom';
    ;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Internet', server location: 'My encdom', sr_2_othergw=0;
    ;vpn_inbound_tagging_ex: incoming packet from : <VPN_PEER_EXT_IP_ADDRESS> to : <GW_EXT_IP_ADDRESS> decrypted client location : Internet server location My encdom client_ifs_grp : 0 server_ifs_grp : 0 ;
    ;check_tagging: both c and s locations is in MY_ENCDOM|INTERNET => returning TAGGING_DONT_ENCRYPT;
    ;vpn_inbound_tagging_ex: Packet was decrypted, but policy says connection should be clear-text.;
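To see which peers are affected, the kernel debug output can be triaged offline by pairing each "should be clear-text" verdict with the `incoming packet` line that precedes it. The script below is an added example, not Check Point code; it assumes the debug was saved as text in the format quoted above, and the function names and the documentation-range IP addresses in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Matches the per-packet tagging line quoted in the symptoms above.
PACKET = re.compile(
    r"vpn_inbound_tagging_ex: incoming packet from : (?P<peer>\S+) to : (?P<gw>\S+) "
    r"decrypted client location : (?P<client>.+?) server location (?P<server>.+?) "
    r"client_ifs_grp")
VERDICT = "Packet was decrypted, but policy says connection should be clear-text"

def find_mismatches(lines):
    """Pair each 'should be clear-text' verdict with the packet line before it."""
    events, current = [], None
    for line in lines:
        m = PACKET.search(line)
        if m:
            current = m.groupdict()   # start of a new packet's tagging decision
        elif VERDICT in line and current is not None:
            events.append(current)    # this packet was decrypted, then rejected
            current = None
    return events

def peers_by_count(events):
    """Return (peer, rejected-packet count) pairs, most affected peer first."""
    return Counter(e["peer"] for e in events).most_common()

# Constructed sample: line formats copied from the debug above, with
# documentation-range addresses substituted for the placeholders.
_PKT = (";vpn_inbound_tagging_ex: incoming packet from : {} to : 203.0.113.1 "
        "decrypted client location : Internet server location My encdom "
        "client_ifs_grp : 0 server_ifs_grp : 0 ;")
_CHK = (";check_tagging: both c and s locations is in MY_ENCDOM|INTERNET "
        "=> returning TAGGING_DONT_ENCRYPT;")
_BAD = (";vpn_inbound_tagging_ex: Packet was decrypted, but policy says "
        "connection should be clear-text.;")
SAMPLE = [_PKT.format("198.51.100.7"), _CHK, _BAD,
          _PKT.format("198.51.100.9"), _CHK, _BAD,
          _PKT.format("198.51.100.7"), _CHK, _BAD,
          _PKT.format("198.51.100.23")]   # capture ends before any verdict

if __name__ == "__main__":
    for peer, n in peers_by_count(find_mismatches(SAMPLE)):
        print(f"{peer}: {n} decrypted packet(s) rejected by tagging")
```

A peer that appears here with client location `Internet` is one the gateway is not placing in a peer encryption domain, which is the condition the `check_tagging` line reports.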
Solution