Traffic does not pass over VPN tunnel after upgrade of Security Gateway to R76 or R77
- After upgrade of Security Gateway to R76 or R77, traffic does not pass over the VPN tunnel: the tunnel is established correctly, but traffic over it is dropped when the IPSec VPN 'Link Selection' is configured on the Security Gateway, or on one of the VPN peers, to 'Use probing. Link redundancy mode:' (either 'High Availability' or 'Load Sharing').
- Setting the IPSec VPN 'Link Selection' on the Security Gateway from 'Use probing. Link redundancy mode:' to 'Always use this IP address:' and installing policy resolves the issue - traffic passes over the VPN tunnel.
- Kernel debug on Security Gateway ('fw ctl debug -m fw + drop') shows the following drops:
- ;fw_log_drop_ex: Packet proto= ... dropped by vpn_decrypt_verify Reason: request_link_resolving failed;
- ;fw_log_drop_ex: Packet proto= ... dropped by vpn_decrypt_verify Reason: Retransmission of a held connection, dropping the packet ...;
- ;fw_log_drop_ex: Packet proto=17 IP_address_of_Gateway:Port -> IP_address_of_VPN_peer:18234 dropped by fwhold_expires Reason: held chain expired;
- ;fw_log_drop_ex: Packet proto=50 ... dropped by vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet;
- Issue is more likely to occur with traffic originating from behind DAIP devices.
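The drop lines above are the quickest way to confirm this issue from a kernel debug capture. The following is an added example, not part of this article or any Check Point tool: it parses `fw_log_drop_ex` lines and counts the four signatures quoted above over a constructed sample; the "two or more distinct signatures" threshold is an assumed heuristic, not a Check Point rule.

```python
import re
from collections import Counter

# Drop signatures quoted in this article's 'fw ctl debug -m fw + drop' output.
KNOWN_DROP_SIGNATURES = {
    "request_link_resolving failed":
        re.compile(r"vpn_decrypt_verify Reason: request_link_resolving failed"),
    "retransmission of held connection":
        re.compile(r"vpn_decrypt_verify Reason: Retransmission of a held connection"),
    "held chain expired":
        re.compile(r"fwhold_expires Reason: held chain expired"),
    "could not get SAs from packet":
        re.compile(r"vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet"),
}

# One fw_log_drop_ex line; the leading and trailing ';' are the kernel debug delimiters.
DROP_LINE = re.compile(
    r"^;?fw_log_drop_ex: Packet proto=(\d+) (\S+) -> (\S+) dropped by (\w+) Reason: (.*?);?$"
)

def parse_drop_line(line):
    """Return (proto, src, dst, module, reason) for a drop line, or None if it is not one."""
    m = DROP_LINE.match(line.strip())
    if not m:
        return None
    proto, src, dst, module, reason = m.groups()
    return int(proto), src, dst, module, reason

def count_known_drops(lines):
    """Count how often each signature from the article occurs in the debug output."""
    return Counter(name for line in lines
                   for name, pat in KNOWN_DROP_SIGNATURES.items() if pat.search(line))

def matches_link_selection_issue(lines, min_distinct=2):
    """Assumed heuristic: two or more distinct signatures together point at this issue."""
    return len(count_known_drops(lines)) >= min_distinct

# Constructed sample (not a real capture); documentation IP ranges, last line is an unrelated drop.
SAMPLE_DEBUG = """\
;fw_log_drop_ex: Packet proto=50 198.51.100.20:0 -> 203.0.113.10:0 dropped by vpn_decrypt_verify Reason: request_link_resolving failed;
;fw_log_drop_ex: Packet proto=6 10.1.1.5:51000 -> 10.2.2.7:443 dropped by vpn_decrypt_verify Reason: Retransmission of a held connection, dropping the packet;
;fw_log_drop_ex: Packet proto=17 203.0.113.10:18234 -> 198.51.100.20:18234 dropped by fwhold_expires Reason: held chain expired;
;fw_log_drop_ex: Packet proto=50 198.51.100.20:0 -> 203.0.113.10:0 dropped by vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet;
;fw_log_drop_ex: Packet proto=6 10.1.1.9:40000 -> 10.2.2.7:22 dropped by other_module Reason: unrelated constructed drop;
"""

if __name__ == "__main__":
    lines = SAMPLE_DEBUG.splitlines()
    for name, n in sorted(count_known_drops(lines).items()):
        print(f"{n:3d}  {name}")
```

On a real gateway, feed the script the debug buffer saved with 'fw ctl kdebug' instead of SAMPLE_DEBUG.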
VPN Links are not added properly to kernel table 'resolved_link' (table id 404) due to changes in the infrastructure code introducing IPv6 in R76 and above.