Implied rules are not enforced on DAIP gateway after an IP address change or a reboot
Solution ID: sk165176
Technical Level:
Product: IPSec VPN
Version: R80.10, R80.20, R80.30, R80.40
Date Created: 13-Feb-2020
Last Modified: 11-Nov-2020
Symptoms
Implied rules are not enforced on a DAIP gateway after an IP address change or a reboot.
VPN kernel debugs will show the lines:
fw_match_implied_rules: Match implied rules returned NO MATCH;
vpn_inbound_tagging_ex: fw_match_implied_rules returned 0;
IKE (port 500) traffic will be dropped with the error:
dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
If DPD is configured, the following lines will be seen in the vpnd.elg debug from the DAIP side:
fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address
find_sa_by_ike_peer: Error fetching IKE SA from kbuf
[tunnel] send_dpd_notification_IKEv1: no IKE phase1 SA
[tunnel] send_dpd_notification_IKEv1: deleting outbound SAs for 3rd party gw
The issue is not relevant if the DAIP gateway is an SMB device.
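The following triage script is an added example, not a Check Point tool: it scans captured kernel debug and vpnd.elg output for the symptom lines quoted above and reports whether the combination this SK describes is present. The category names and the sample debug text are constructed for illustration.

```python
from typing import Dict, List

# Symptom signatures, copied from the SK text. The category names are our own labels.
SIGNATURES: Dict[str, List[str]] = {
    "implied_rules_no_match": [
        "fw_match_implied_rules: Match implied rules returned NO MATCH",
        "vpn_inbound_tagging_ex: fw_match_implied_rules returned 0",
    ],
    "ike_clear_text_drop": [
        "dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted",
    ],
    "dpd_no_phase1_sa": [
        "find_sa_by_ike_peer: Error fetching IKE SA from kbuf",
        "send_dpd_notification_IKEv1: no IKE phase1 SA",
    ],
}

def scan_debug(text: str) -> Dict[str, int]:
    """Count, per symptom family, how many debug lines carry one of its signatures."""
    hits = {name: 0 for name in SIGNATURES}
    for line in text.splitlines():
        for name, patterns in SIGNATURES.items():
            if any(p in line for p in patterns):
                hits[name] += 1
    return hits

def matches_sk165176(hits: Dict[str, int]) -> bool:
    """The SK pairs the implied-rule miss with the IKE clear-text drop; the DPD lines
    only appear when DPD is configured, so they corroborate but are not required."""
    return hits["implied_rules_no_match"] > 0 and hits["ike_clear_text_drop"] > 0

# Constructed sample: the lines the SK quotes, plus one unrelated line of noise.
SAMPLE = """\
fw_match_implied_rules: Match implied rules returned NO MATCH;
vpn_inbound_tagging_ex: fw_match_implied_rules returned 0;
dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
fw_kbuf_get_multik(instance: 0): ioctl(FWKBUF): Bad address
find_sa_by_ike_peer: Error fetching IKE SA from kbuf
[tunnel] send_dpd_notification_IKEv1: no IKE phase1 SA
some unrelated vpnd line
"""

if __name__ == "__main__":
    counts = scan_debug(SAMPLE)
    verdict = "consistent with sk165176" if matches_sk165176(counts) else "no match"
    print(counts, "->", verdict)
```

To use it on a real capture, read the debug file into a string and pass it to scan_debug; remember the SK notes the issue does not apply when the DAIP gateway is an SMB device.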