Implied rules are not enforced on DAIP gateway after an IP address change or a reboot
Symptoms
  • Implied rules are not enforced on DAIP gateway after an IP address change, or a reboot.
  • VPN Kernel debugs will show the lines:
    fw_match_implied_rules: Match implied rules returned NO MATCH;
    and
    vpn_inbound_tagging_ex: fw_match_implied_rules returned 0;
  • IKE (port 500) traffic will be dropped with the error:
    dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
  • If DPD is configured, the following lines will be seen in the vpnd.elg debug on the DAIP side:
    fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address
    find_sa_by_ike_peer: Error fetching IKE SA from kbuf
    [tunnel] send_dpd_notification_IKEv1: no IKE phase1 SA
    [tunnel] send_dpd_notification_IKEv1: deleting outbound SAs for 3rd party gw
  • The issue is not relevant if the DAIP gateway is an SMB device.
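
The symptom lines above can be checked against a collected debug capture in one pass. The following is an added example, not code from the vendor or from this article: the signature strings are copied from the Symptoms list, while the key names, the verdict labels, the dpd_configured flag and the sample lines are assumptions made for illustration.

```python
from collections import Counter

# Signature text copied from the Symptoms list; the short keys are hypothetical labels.
SIGNATURES = {
    "implied_no_match": "fw_match_implied_rules: Match implied rules returned NO MATCH",
    "tagging_returned_0": "vpn_inbound_tagging_ex: fw_match_implied_rules returned 0",
    "ike_cleartext_drop": "dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted",
    "kbuf_bad_address": "ioctl(FWKBUF): Bad address",
    "ike_sa_fetch_error": "find_sa_by_ike_peer: Error fetching IKE SA from kbuf",
    "dpd_no_phase1_sa": "send_dpd_notification_IKEv1: no IKE phase1 SA",
    "dpd_delete_outbound": "send_dpd_notification_IKEv1: deleting outbound SAs for 3rd party gw",
}
CORE = ("implied_no_match", "tagging_returned_0", "ike_cleartext_drop")
DPD_ONLY = ("kbuf_bad_address", "ike_sa_fetch_error", "dpd_no_phase1_sa", "dpd_delete_outbound")


def scan(lines):
    """Count how many lines contain each symptom signature."""
    hits = Counter()
    for line in lines:
        flat = " ".join(line.split())  # collapse whitespace so re-wrapped output still matches
        for key, needle in SIGNATURES.items():
            if needle in flat:
                hits[key] += 1
    return hits


def assess(hits, dpd_configured=False):
    """Return (verdict, missing); the DPD lines are expected only when DPD is configured."""
    expected = CORE + (DPD_ONLY if dpd_configured else ())
    missing = [k for k in expected if hits[k] == 0]
    if not missing:
        return "match", missing
    return ("partial" if len(missing) < len(expected) else "no-match"), missing


# Constructed sample: the prefixes are invented, only the signature text is from the article.
SAMPLE = [
    "[constructed] fw_match_implied_rules: Match implied rules returned NO MATCH;",
    "[constructed] vpn_inbound_tagging_ex:   fw_match_implied_rules returned 0;",
    "[constructed] dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;",
    "[constructed] fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address",
    "[constructed] unrelated line",
]

if __name__ == "__main__":
    h = scan(SAMPLE)
    print(dict(h), assess(h), assess(h, dpd_configured=True))
```

A "partial" verdict lists the signatures that were not seen, which shows whether the kernel debug or the vpnd.elg capture is the one missing from the collected data.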