VPN traffic dropped with "dropped by vpn_ipsec_decrypt Reason: decryption failure: tunnel is accelerated but packet was not decrypted by SecureXL"
Solution ID: sk165998
Product: IPSec VPN
Version: R80.20, R80.30, R80.40
OS: Gaia
Platform / Model: All
Date Created: 03-Apr-2020
Last Modified: 12-Nov-2020
Symptoms
Tunnel is up, but site-to-site VPN traffic is dropped with "dropped by vpn_ipsec_decrypt Reason: decryption failure: tunnel is accelerated but packet was not decrypted by SecureXL;"
Turning off VPN acceleration with "vpn accel off" resolves the issue.
The output of "ip route get" for the destination address shows a link on which the VPN is not terminated.
reply_from_same_IP is set to "true".
SecureXL kernel debug for interesting VPN traffic shows a "localip error" message:
[cpu_0];[SIM-206960861];vpn_decrypt: connection localip error;
[cpu_0];[SIM-206960861];sim_db_get_any_conn: conn not found (vsid 0), ret -1;
The external interface has an alias IP, and the relevant external IP is defined as an alias IP.
Cause
The VPN traffic is processed on a different interface than the one on which the VPN is terminated.
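
One way to check the routing and debug symptoms above from a shell, as an added example that is not part of the original article. The function names and all addresses and interface names are constructed, and treating a differing source address as a mismatch is an assumption of this example.

```shell
#!/bin/sh
# Added example: compare the link the kernel routes a VPN peer over with the
# link the VPN is terminated on. Function names are hypothetical helpers.

# Print the token following keyword $1 ("dev" or "src") in `ip route get`
# output read from stdin.
route_field() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# check_vpn_route <route-output> <vpn-link-ip> [<vpn-interface>]
# Returns 0 on match, 1 on mismatch, 2 if the route output cannot be parsed.
check_vpn_route() {
    out=$1; want_ip=$2; want_dev=${3:-}
    dev=$(printf '%s\n' "$out" | route_field dev)
    src=$(printf '%s\n' "$out" | route_field src)
    if [ -z "$dev" ] || [ -z "$src" ]; then
        echo "UNKNOWN no dev/src in route output"
        return 2
    fi
    # Assumption: a different source IP (for example the primary address when
    # the VPN link IP is an alias) is reported as a mismatch as well.
    if [ "$src" != "$want_ip" ] || { [ -n "$want_dev" ] && [ "$dev" != "$want_dev" ]; }; then
        echo "MISMATCH route uses dev=$dev src=$src, VPN terminates on ${want_dev:-?} $want_ip"
        return 1
    fi
    echo "MATCH route uses dev=$dev src=$src"
}

# Count "localip error" lines in SecureXL debug output read from stdin.
count_localip_errors() {
    grep -c 'vpn_decrypt: connection localip error' || true
}

# Constructed sample, not captured from a real gateway. On a live system:
#   check_vpn_route "$(ip route get <peer-ip>)" <vpn-link-ip> <vpn-interface>
sample='203.0.113.5 via 192.0.2.1 dev eth2 src 192.0.2.10'
check_vpn_route "$sample" 198.51.100.10 eth1 || true
```
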