Implied rules are not enforced on DAIP gateway after an IP address change or a reboot
Versions: R80.10, R80.20, R80.30, R80.40
- Implied rules are not enforced on DAIP gateway after an IP address change, or a reboot.
- VPN kernel debugs will show the lines:
    fw_match_implied_rules: Match implied rules returned NO MATCH;
    vpn_inbound_tagging_ex: fw_match_implied_rules returned 0;
- IKE (port 500) traffic will be dropped with the error:
    dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
- If DPD is configured, the following lines will be seen in the vpnd.elg debug from the DAIP side:
    fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address
    find_sa_by_ike_peer: Error fetching IKE SA from kbuf
    [tunnel] send_dpd_notification_IKEv1: no IKE phase1 SA
    [tunnel] send_dpd_notification_IKEv1: deleting outbound SAs for 3rd party gw
- The issue is not relevant if the DAIP gateway is an SMB device.
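
Added example (not vendor code or part of the original article): a small shell triage that counts the symptom lines listed above in collected debug output. The function names, the single-file input and the match/partial/none verdict logic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): count the symptom lines from this article
# in collected debug output. Assumes the output was saved to a text file.

# count_sig FILE STRING -> number of lines in FILE containing the fixed STRING
count_sig() {
    n=$(grep -cF -- "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# daip_triage FILE -> prints per-symptom counts and a verdict on one line
daip_triage() {
    f=$1
    implied=$(count_sig "$f" 'fw_match_implied_rules: Match implied rules returned NO MATCH')
    tagging=$(count_sig "$f" 'vpn_inbound_tagging_ex: fw_match_implied_rules returned 0')
    drop=$(count_sig "$f" 'Clear text packet should be encrypted')
    nosa=$(count_sig "$f" 'send_dpd_notification_IKEv1: no IKE phase1 SA')
    kbuf=$(count_sig "$f" 'Error fetching IKE SA from kbuf')
    # Assumption of this example: both kernel debug lines plus the clear-text
    # drop count as a full match. The DPD lines are optional because they
    # only appear when DPD is configured.
    if [ "$implied" -gt 0 ] && [ "$tagging" -gt 0 ] && [ "$drop" -gt 0 ]; then
        verdict=match
    elif [ $((implied + tagging + drop + nosa + kbuf)) -gt 0 ]; then
        verdict=partial
    else
        verdict=none
    fi
    echo "implied_miss=$implied tagging_miss=$tagging cleartext_drop=$drop dpd_no_sa=$nosa kbuf_err=$kbuf verdict=$verdict"
}

# Constructed sample input: the symptom lines quoted above, without the
# prefixes a real debug file would carry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
fw_match_implied_rules: Match implied rules returned NO MATCH;
vpn_inbound_tagging_ex: fw_match_implied_rules returned 0;
dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address
find_sa_by_ike_peer: Error fetching IKE SA from kbuf
[tunnel] send_dpd_notification_IKEv1: no IKE phase1 SA
EOF
daip_triage "$sample"
rm -f "$sample"
```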