"Invalid ID information" log in SmartView Tracker when Security Gateway initiates Quick Mode to 3rd party gateway
Solution ID: sk115455
Product: IPSec VPN
Version: R77.20 (EOL), R77.30 (EOL)
OS: Gaia
Date Created: 12-Jan-2017
Last Modified: 30-Jul-2017
Symptoms
- "Invalid ID information" log in SmartView Tracker when Security Gateway initiates a Quick Mode to 3rd party gateway.
- "No valid SA" logs in SmartView Tracker when creating IPsec VPN tunnel with an interoperable device.
- Output of the "fw ctl zdebug drop" command shows: "dropped by vpn_encrypt_chain Reason: No error"
- VPN tunnel can be initiated from 3rd party side to the Check Point Security Gateway side, but not from Check Point side to 3rd party side.
Cause
- During IKE Quick Mode negotiation, the two peers negotiate the IP addresses that define the VPN tunnel (also known as IPsec IDs, or traffic selectors). These can be a set of discrete IP addresses or a subnet. When a Check Point Security Gateway negotiates with certain 3rd-party devices, Quick Mode can fail if the subnets are defined differently on each end of the tunnel. One reason for such a difference is that the Check Point Security Gateway dynamically supernets subnets to reduce the number of SAs it has to maintain.
- The "supernetting" feature joins smaller, adjacent subnets into a single larger one (a "supernet"), so that fewer IPsec SAs are created than with one SA per subnet. Third-party devices that do not support supernetting reject the supernetted ID because it does not match any subnet pair they have configured, which results in the "Invalid ID information" and "No valid SA" errors.
- The IPsec VPN Community must be configured with "One VPN tunnel per subnet pair".
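The following is an added illustration of the mismatch described above; it is not Check Point code and does not model the real IKE implementation. It uses Python's ipaddress.collapse_addresses() as the supernetting step, and makes two labelled simplifying assumptions: the 3rd-party peer accepts a proposed ID pair only when it exactly equals one of its configured subnet pairs, and the supernetting side, when acting as responder, accepts any ID that lies inside its encryption domain. All subnets and the peer configuration are constructed sample data.

```python
import ipaddress
from itertools import product

# Constructed sample data (not from the article):
# the Check Point side protects two adjacent /24s, the 3rd-party side one /24.
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24"]
REMOTE_DOMAIN = ["192.168.10.0/24"]
# The 3rd-party peer has these (initiator-local, initiator-remote) subnet pairs
# configured; it knows nothing about 10.1.0.0/23.
PEER_PAIRS = [("10.1.0.0/24", "192.168.10.0/24"),
              ("10.1.1.0/24", "192.168.10.0/24")]


def supernet(subnets):
    """Join adjacent/contained subnets into the fewest covering prefixes.
    This is the operation the Cause section calls "supernetting":
    10.1.0.0/24 + 10.1.1.0/24 -> 10.1.0.0/23."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def quick_mode_ids(local_domain, remote_domain, one_tunnel_per_subnet_pair):
    """(Assumed simplification) Return the (local ID, remote ID) pairs an
    initiator proposes in Quick Mode: one pair per configured subnet pair when
    'one tunnel per subnet pair' is used, otherwise the supernetted pairs."""
    if one_tunnel_per_subnet_pair:
        local_ids, remote_ids = list(local_domain), list(remote_domain)
    else:
        local_ids, remote_ids = supernet(local_domain), supernet(remote_domain)
    return list(product(local_ids, remote_ids))


def peer_accepts(proposed, peer_pairs):
    """(Assumed) A 3rd-party device without supernetting support accepts a
    proposed ID pair only if it exactly matches a configured subnet pair."""
    return proposed in set(peer_pairs)


def negotiate(local_domain, remote_domain, peer_pairs, one_tunnel_per_subnet_pair):
    """Simulate the Check Point side initiating Quick Mode.
    Returns (accepted, rejected); every rejected pair corresponds to an
    'Invalid ID information' / 'No valid SA' outcome in the log."""
    accepted, rejected = [], []
    for ids in quick_mode_ids(local_domain, remote_domain, one_tunnel_per_subnet_pair):
        (accepted if peer_accepts(ids, peer_pairs) else rejected).append(ids)
    return accepted, rejected


def responder_accepts(initiator_src, initiator_dst, responder_local, responder_remote):
    """(Assumed) When the supernetting side is the responder, it accepts an ID
    that lies anywhere inside its encryption domain. This is why the tunnel
    comes up when the 3rd party initiates with its /24s, but not the other way
    round."""
    src = ipaddress.ip_network(initiator_src)
    dst = ipaddress.ip_network(initiator_dst)
    src_ok = any(src.subnet_of(ipaddress.ip_network(n)) for n in responder_remote)
    dst_ok = any(dst.subnet_of(ipaddress.ip_network(n)) for n in responder_local)
    return src_ok and dst_ok


if __name__ == "__main__":
    for per_pair in (False, True):
        acc, rej = negotiate(LOCAL_DOMAIN, REMOTE_DOMAIN, PEER_PAIRS, per_pair)
        print(f"one tunnel per subnet pair={per_pair}: accepted={acc} rejected={rej}")
    # 3rd party initiating towards the Check Point side with one of its /24s:
    print("peer-initiated /24 accepted:",
          responder_accepts("192.168.10.0/24", "10.1.0.0/24", LOCAL_DOMAIN, REMOTE_DOMAIN))
```

Running it shows the asymmetry from the Symptoms list: with supernetting the initiator proposes 10.1.0.0/23, which the peer rejects, while each /24 proposed per subnet pair is accepted, and a /24 proposed by the peer is accepted by the supernetting side because it falls inside 10.1.0.0/23.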
Solution