Traffic does not pass over VPN tunnel after upgrade of Security Gateway to R76 or R77
After upgrading a Security Gateway to R76 or R77, traffic does not pass over the VPN tunnel: the tunnel is established correctly, but traffic over it is dropped when the IPSec VPN 'Link Selection' on the Security Gateway, or on one of the VPN peers, is configured to 'Use probing. Link redundancy mode:' (either 'High Availability' or 'Load Sharing').
Changing the IPSec VPN 'Link Selection' on the Security Gateway from 'Use probing. Link redundancy mode:' to 'Always use this IP address:' and installing policy resolves the issue: traffic passes over the VPN tunnel.
Kernel debug on the Security Gateway ('fw ctl debug -m fw + drop') shows the following drops:
;fw_log_drop_ex: Packet proto= ... dropped by vpn_decrypt_verify Reason: request_link_resolving failed;
;fw_log_drop_ex: Packet proto= ... dropped by vpn_decrypt_verify Reason: Retransmission of a held connection, dropping the packet ...;
;fw_log_drop_ex: Packet proto=17 IP_address_of_Gateway:Port -> IP_address_of_VPN_peer:18234 dropped by fwhold_expires Reason: held chain expired;
;fw_log_drop_ex: Packet proto=50 ... dropped by vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet;
The issue is more likely to occur with traffic originating from behind DAIP (Dynamically Assigned IP address) devices.
VPN links are not added properly to the kernel table 'resolved_link' (table id 404) because of changes in the infrastructure code that introduced IPv6 support in R76 and above.
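To confirm the symptom from a kernel debug capture rather than by eye, the script below (an added example, not part of this article or of any Check Point tool) parses 'fw ctl debug -m fw + drop' output and counts only the drops whose dropping function and reason match the four signatures quoted above. The sample debug lines and their addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of 'fw ctl debug -m fw + drop' output, modelled on the
# lines quoted in this article (addresses and ports are placeholders).
SAMPLE_DEBUG = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51234 -> 10.2.2.9:443 dropped by vpn_decrypt_verify Reason: request_link_resolving failed;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51234 -> 10.2.2.9:443 dropped by vpn_decrypt_verify Reason: Retransmission of a held connection, dropping the packet;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.0.2.1:18234 -> 198.51.100.7:18234 dropped by fwhold_expires Reason: held chain expired;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=50 198.51.100.7 -> 192.0.2.1 dropped by vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.5:51235 -> 10.2.2.9:80 dropped by fw_conn_inspect Reason: Rulebase drop;
"""
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]*)"
)
# (dropping function, reason prefix) pairs this article associates with the
# mis-populated 'resolved_link' kernel table.
LINK_RESOLVING_SIGNATURES = (
    ("vpn_decrypt_verify", "request_link_resolving failed"),
    ("vpn_decrypt_verify", "Retransmission of a held connection"),
    ("fwhold_expires", "held chain expired"),
    ("vpn_ipsec_decrypt", "decryption failure: Could not get SAs"),
)

def parse_drops(text):
    """Return one dict per fw_log_drop_ex line: proto, src, dst, func, reason."""
    records = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = int(rec["proto"])
            records.append(rec)
    return records

def link_resolving_drops(records):
    """Keep only drops whose (function, reason) matches a known signature."""
    return [r for r in records
            if any(r["func"] == f and r["reason"].startswith(p)
                   for f, p in LINK_RESOLVING_SIGNATURES)]

def summarize(text):
    """Count matching drops per dropping function; a non-empty result means the symptom is present."""
    return Counter(r["func"] for r in link_resolving_drops(parse_drops(text)))

if __name__ == "__main__":
    for func, n in summarize(SAMPLE_DEBUG).items():
        print(f"{func}: {n}")
```

Unrelated drops (the rulebase drop in the sample) are parsed but not counted, so the summary isolates the Link Selection symptom from ordinary policy drops in the same capture.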