VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment
Solution ID: sk154692
Product: IPSec VPN, VSX
Version: R80.20, R80.30
OS: Gaia
Date Created: 07-Jun-2019
Last Modified: 24-Feb-2020
Symptoms
VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment.
When fwaccel and vpn accel are off, ESP packets sent over a VPN tunnel are sent to a destination that has a broadcast MAC address.
In the kernel debug (fw ctl debug -m VPN + policy; fw ctl debug -m fw + route drop), errors similar to the following can be seen:
[vpnd] @Hostname[DATE TIME][tunnel] RIM_OS_Worker_handler: RIM Worker thread received 2 new routes to process from vpnd
[vpnd] @Hostname[DATE TIME][tunnel] rm_route_execute: Error adding route 123.123.123.123/255.255.255.255->0.0.0.0. cprti reason: OS API returned error
[vpnd] @Hostname[DATE TIME][tunnel] rm_route_execute: Error adding route 21.21.21.0/255.255.255.0->0.0.0.0. cprti reason: OS API returned error
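An added example, not part of the original article and not Check Point tooling: a Python parser for the debug lines quoted above that lists each route RIM failed to install, in CIDR form, next to the number of routes vpnd handed over. The function name and dictionary keys are assumptions made for illustration; the sample input is the three lines from this article, placeholders included.

```python
import ipaddress
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the rm_route_execute failure lines in the format quoted above.
ROUTE_ERR = re.compile(
    rf"rm_route_execute: Error adding route (?P<dest>{IP})/(?P<mask>{IP})"
    rf"->(?P<gw>{IP})\.\s*cprti reason:\s*(?P<reason>.+?)\s*$"
)
# Matches the RIM worker line stating how many routes vpnd handed over.
BATCH = re.compile(r"RIM Worker thread received (?P<n>\d+) new routes")


def failed_rim_routes(text):
    """Return (routes_received, failures) parsed from the debug text."""
    received = 0
    failures = []
    for line in text.splitlines():
        m = BATCH.search(line)
        if m:
            received += int(m.group("n"))
            continue
        m = ROUTE_ERR.search(line)
        if not m:
            continue
        try:
            # Dotted netmask is converted to a prefix length here.
            net = ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False)
            gw = ipaddress.ip_address(m["gw"])
        except ValueError:
            continue  # skip lines with an invalid address or mask
        failures.append(
            {"route": str(net), "gateway": str(gw), "reason": m["reason"]}
        )
    return received, failures


# Sample input: the three lines quoted in this article.
SAMPLE = """\
[vpnd] @Hostname[DATE TIME][tunnel] RIM_OS_Worker_handler: RIM Worker thread received 2 new routes to process from vpnd
[vpnd] @Hostname[DATE TIME][tunnel] rm_route_execute: Error adding route 123.123.123.123/255.255.255.255->0.0.0.0. cprti reason: OS API returned error
[vpnd] @Hostname[DATE TIME][tunnel] rm_route_execute: Error adding route 21.21.21.0/255.255.255.0->0.0.0.0. cprti reason: OS API returned error
"""

if __name__ == "__main__":
    received, failures = failed_rim_routes(SAMPLE)
    print(f"routes received: {received}, failed: {len(failures)}")
    for f in failures:
        print(f"  {f['route']} via {f['gateway']}: {f['reason']}")
```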