Traffic is not working over Site-to-Site VPN after an upgrade to R80.20/R80.30 when SecureXL is enabled
Symptoms
  • After an upgrade to R80.20, traffic is not working on Site-to-Site VPN when SecureXL is enabled.
  • Kernel debug (fw ctl zdebug + drop) shows the following:
    [cpu_0];[SIM-206171040];do_inbound: VPN verify returned DROP - > dropping packet, conn: < 1.1.1.1,3389,2.2.2.2,64311,6 >;
    [cpu_0];[SIM-206171040];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:< 1.1.1.1,3389,2.2.2.2,64311,6 >;
    [cpu_0];[SIM-206171040];do_inbound: VPN verify returned DROP - > dropping packet, conn: < 1.1.1.1,3389,2.2.2.2,64311,6 >;
    [cpu_0];[SIM-206171040];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:< 1.1.1.1,3389,2.2.2.2,64311,6 >;
Cause

The third-party peer encrypts the packet with the wrong IPsec SA. The SA itself is valid, but it does not match the packet being encrypted (the tunnel IDs don't match), so SecureXL drops the packet.
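
To triage saved output of this debug, the Python below (an added example, not Check Point code) parses lines in the format quoted under Symptoms and counts the "VPN verify returned DROP" events per connection and per address pair, showing which hosts behind the peer are affected. The sample lines are constructed, the function names are hypothetical, and reading the last tuple field as the IP protocol number is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the `fw ctl zdebug + drop` lines quoted above.
SAMPLE = """\
[cpu_0];[SIM-206171040];do_inbound: VPN verify returned DROP - > dropping packet, conn: < 1.1.1.1,3389,2.2.2.2,64311,6 >;
[cpu_0];[SIM-206171040];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:< 1.1.1.1,3389,2.2.2.2,64311,6 >;
[cpu_1];[SIM-206171040];do_inbound: VPN verify returned DROP - > dropping packet, conn: < 1.1.1.1,3389,2.2.2.2,64312,6 >;
[cpu_1];[SIM-206171040];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:< 1.1.1.1,3389,2.2.2.2,64312,6 >;
[cpu_0];[SIM-206171040];do_inbound: VPN verify returned DROP - > dropping packet, conn: < 1.1.1.1,3389,2.2.2.2,64311,6 >;
"""

# Fields are kept in the order printed; the page does not label them.
LINE_RE = re.compile(
    r"\[cpu_(?P<cpu>\d+)\];\[SIM-(?P<sim>\d+)\];(?P<func>\w+):\s*(?P<msg>.*?),\s*"
    r"conn:\s*<\s*(?P<a>[^,\s]+),(?P<ap>\d+),(?P<b>[^,\s]+),(?P<bp>\d+),(?P<proto>\d+)\s*>"
)

def parse_drop_line(line):
    """Return a dict for one debug line, or None if it is not in the expected format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Assumption: the last tuple field is the IP protocol number (6 = TCP).
    d["conn"] = (d.pop("a"), int(d.pop("ap")), d.pop("b"), int(d.pop("bp")), int(d.pop("proto")))
    d["vpn_verify_drop"] = d["func"] == "do_inbound" and "VPN verify returned DROP" in d["msg"]
    return d

def summarize_vpn_verify_drops(text):
    """Count VPN-verify drops per connection tuple and per address pair."""
    per_conn, per_pair = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_drop_line(line)
        # do_packet_finish lines repeat the same packet, so only do_inbound is counted.
        if rec and rec["vpn_verify_drop"]:
            per_conn[rec["conn"]] += 1
            per_pair[(rec["conn"][0], rec["conn"][2])] += 1
    return per_conn, per_pair

if __name__ == "__main__":
    per_conn, per_pair = summarize_vpn_verify_drops(SAMPLE)
    for (a, b), n in per_pair.most_common():
        print(f"{a} <-> {b}: {n} packets dropped by VPN verify")
    for conn, n in per_conn.most_common():
        print("  conn", conn, "x", n)
```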

