IPSec VPN NAT-T traffic is sent to the MAC address of the wrong next hop or old IP
Symptoms
  • IPSec VPN NAT-T traffic is sent to the MAC address of the wrong next hop or of an old IP address.
  • A Site-to-Site VPN is established with a DAIP VPN peer using NAT-T.
  • Clearing the orig_route_params table on all cluster members with `# fw tab -t orig_route_params -x -y`
    resolves the issue only until the IP address of the NAT device changes again.
Cause

The valid IP address of the NAT device changed to a new IP, but the peer's traffic is still encrypted with the old SPIs that were associated with the previous IP before it changed.

As a result, the reply packets from the Check Point Security Gateway are sent to the old "known" IP.

The entries in the orig_route_params table are not taken from the ARP table or from the source address, but from the MAC address of the packet that the Security Gateway received from the peer. Accordingly, the table contains the real MAC address and not the VMAC that appears in the ARP table.

The entry in the orig_route_params table is not updated when only the next-hop MAC address changes.


Solution