The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
|
"According to the policy the traffic should not have been decrypted" drop log for traffic from VPN peers after upgrade of Security Gateway to R77.30
|
Technical Level
|
| Solution ID |
sk108427 |
| Technical Level |
|
| Product |
IPSec VPN, SmartProvisioning |
| Version |
R77 (EOL), R77.20, R77.30 (EOL) |
| Platform / Model |
All |
| Date Created |
28-Oct-2015
|
| Last Modified |
10-Apr-2020
|
Symptoms
SmartView Tracker shows that traffic from VPN peers managed via SmartProvisioning (e.g., Edge devices) is dropped by Security Gateway after upgrade of Security Gateway to R77.30:
Action = Drop
VPN Peer Gateway = 0.0.X.X
Subproduct = VPN
VPN Feature = VPN
Information = encryption failure: According to the policy the traffic should not have been decrypted
Kernel debug ('fw ctl debug -m VPN + tagging') on R77.30 Security Gateway shows:
;vpn_inbound_tagging_ex: BEFORE considering comm-based domains, client location: 'Internet', server location: 'My encdom';
;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Internet', server location: 'My encdom', sr_2_othergw=0;
;vpn_inbound_tagging_ex: incoming packet from : <VPN_PEER_EXT_IP_ADDRESS> to : <GW_EXT_IP_ADDRESS> decrypted client location : Internet server location My encdom client_ifs_grp : 0 server_ifs_grp : 0 ;
;check_tagging: both c and s locations is in MY_ENCDOM|INTERNET => returning TAGGING_DONT_ENCRYPT;
;vpn_inbound_tagging_ex: Packet was decrypted, but policy says connection should be clear-text.;
Solution
|
Note: To view this solution you need to
Sign In
.
|
