The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
|
Randomly, VPN traffic dropped on clean-up rule, when legacy groups are used in Unified Policy
|
Technical Level
|
| Solution ID |
sk167432 |
| Technical Level |
|
| Product |
IPSec VPN |
| Version |
R80.10, R80.20, R80.30, R80.40 |
| OS |
Gaia |
| Platform / Model |
All |
| Date Created |
15-Jun-2020
|
| Last Modified |
10-Nov-2020
|
Symptoms
- Randomly, VPN traffic is dropped on clean-up rule, when legacy groups are used in Unified Policy.
- The issue appears after an upgrade to R80.X, when more than 2000 legacy groups are used in Unified Policy.
LDAP group objects added to the rule base by right clicking the source column and clicking on "Add Legacy User Access"
- Debugging the VPND process *during policy installation* as instructed in sk89940 will show the following error:
[vpnd 19529 4101724048]@R8010_GW[8 Jun 8:08:42][ucache] create_interesting_groups: There are 2213 User@Location objects
...
[vpnd 19529 4101724048]@R8010_GW_[8 Jun 8:08:42][ucache] Add_to_relevant_UGVG: too many entries already (max is 2000)
[vpnd 19529 4101724048]@R8010_GW_[8 Jun 8:08:42][ucache] create_interesting_groups: ERROR: failed adding. Stopping the process
- Cloning the problematic rule and disabling the original rule may resolve the issue, but this may also break enforcement for other rules.
Cause
The system exceeded the limit of 2000 legacy groups that can be used in Unified Policy.
Solution
|
Note: To view this solution you need to
Sign In
.
|
