"According to the policy the traffic should not have been decrypted" drop log for traffic from VPN peers after upgrade of Security Gateway to R77.30
Solution ID | sk108427
Product | IPSec VPN, SmartProvisioning
Version | R77 (EOL), R77.20, R77.30 (EOL)
Platform / Model | All
Date Created | 28-Oct-2015
Last Modified | 10-Apr-2020
Symptoms
After a Security Gateway is upgraded to R77.30, SmartView Tracker shows that it drops traffic from VPN peers managed via SmartProvisioning (e.g., Edge devices):
Action = Drop
VPN Peer Gateway = 0.0.X.X
Subproduct = VPN
VPN Feature = VPN
Information = encryption failure: According to the policy the traffic should not have been decrypted
Kernel debug ('fw ctl debug -m VPN + tagging') on the R77.30 Security Gateway shows:
;vpn_inbound_tagging_ex: BEFORE considering comm-based domains, client location: 'Internet', server location: 'My encdom';
;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Internet', server location: 'My encdom', sr_2_othergw=0;
;vpn_inbound_tagging_ex: incoming packet from : <VPN_PEER_EXT_IP_ADDRESS> to : <GW_EXT_IP_ADDRESS> decrypted client location : Internet server location My encdom client_ifs_grp : 0 server_ifs_grp : 0 ;
;check_tagging: both c and s locations is in MY_ENCDOM|INTERNET => returning TAGGING_DONT_ENCRYPT;
;vpn_inbound_tagging_ex: Packet was decrypted, but policy says connection should be clear-text.;
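To see which peers hit this tagging decision in a saved kernel debug, the lines above can be matched mechanically. The script below is an added example, not Check Point code; it assumes the debug output was written to text and that the lines for one packet appear together, and the addresses in its sample are constructed.

```python
import re
from collections import Counter

# Patterns follow the debug lines quoted above.
INCOMING = re.compile(
    r"vpn_inbound_tagging_ex: incoming packet from\s*:\s*(?P<peer>\S+)"
    r"\s+to\s*:\s*(?P<gw>\S+)\s+decrypted client location\s*:\s*(?P<client>.+?)"
    r"\s+server location\s*:?\s*(?P<server>.+?)\s+client_ifs_grp")
VERDICT = re.compile(r"check_tagging: .*=> returning (?P<verdict>\w+)")
MISMATCH = "Packet was decrypted, but policy says connection should be clear-text"
FIELDS = ("peer", "gw", "client", "server", "verdict")

def find_mismatches(lines):
    """Return one record per 'decrypted but should be clear-text' decision."""
    events, ctx = [], {}
    for line in lines:
        m = INCOMING.search(line)
        if m:
            ctx = m.groupdict()          # a new packet starts a new context
        elif (m := VERDICT.search(line)):
            ctx["verdict"] = m.group("verdict")
        elif MISMATCH in line:
            # Context may be missing if the capture began mid-packet.
            events.append({f: ctx.get(f) for f in FIELDS})
            ctx = {}
    return events

def peers_affected(events):
    """Count mismatch decisions per VPN peer address."""
    return Counter(e["peer"] for e in events)

# Constructed sample: one truncated decision, then three full packets.
FLOW = (
    ";vpn_inbound_tagging_ex: incoming packet from : {peer} to : 203.0.113.1 "
    "decrypted client location : Internet server location My encdom "
    "client_ifs_grp : 0 server_ifs_grp : 0 ;",
    ";check_tagging: both c and s locations is in MY_ENCDOM|INTERNET "
    "=> returning TAGGING_DONT_ENCRYPT;",
    ";vpn_inbound_tagging_ex: Packet was decrypted, but policy says "
    "connection should be clear-text.;",
)
PEERS = ("198.51.100.7", "198.51.100.9", "198.51.100.7")
SAMPLE = [FLOW[2]] + [l.format(peer=p) for p in PEERS for l in FLOW]

if __name__ == "__main__":
    for peer, n in peers_affected(find_mismatches(SAMPLE)).most_common():
        print(f"{peer or 'unknown peer'}: {n} packet(s) decrypted against policy")
```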
Solution