Dear all,

We have a site-to-site VPN community. The central device is a Resilience NE20; the satellite devices are Nokia IP30/IP40. The central VPN gateway runs Check Point NGX R60 with HFA05; the SmartCenter version is NGX R65.

Since last week, one remote site using an IP40 has got into trouble: the VPN connection goes up and down several times a day. Here is what I have done for troubleshooting:

1. The internet connection of the remote site is PPPoE over a fiber line; the ISP has confirmed that the line is OK.
2. When the VPN connection is down, I can still see packets arriving at the central gateway in SmartView Tracker.
3. I have compared the configuration of the problem device with the others; the configuration seems OK.
4. I have detached the problem Edge object from the community in SmartDashboard and deleted the Edge object, then recreated it and added it back to the community. After several hours, the VPN connection continued to go up and down.
5. I have checked the VPN tunnels via the Check Point CLI on the central VPN gateway. I found that there are many more entries under IKE SA and IPsec SA for the problem site than for the other, normal sites.

I have attached 3 text files: one is the VPN tunnel information of the problem site, the other two are the information of normal sites. The problem has lasted over 1 week; I really need your help to identify the cause and resolve it.
best regards
yabin yang

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++ information of problem site
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

************************* on remote VPN device IP40 *************************

NokiaIP40:39> show vpn tunnels
site        src            dst            encryption    duration    username  status
Enterprise  59.61.107.181  218.78.209.65  AES-256/SHA1  0:00:56:48  N/A       ok

src start      src end         dst start      dst end          encryption   duration
59.61.107.181  59.61.107.181   134.127.0.0    134.127.255.255  AES-128/MD5  0:00:35:38
59.61.107.181  59.61.107.181   134.132.0.0    134.132.255.255  AES-128/MD5  0:00:46:14
134.153.19.0   134.153.19.255  218.78.209.65  218.78.209.65    AES-128/MD5  0:00:56:47
59.61.107.181  59.61.107.181   218.78.209.65  218.78.209.65    AES-128/MD5  0:00:56:42
134.153.19.0   134.153.19.255  134.132.0.0    134.132.255.255  AES-128/MD5  0:00:56:47
134.153.19.0   134.153.19.255  134.127.0.0    134.127.255.255  AES-128/MD5  0:00:56:48
134.153.19.0   134.153.19.255  134.124.0.0    134.125.255.255  AES-128/MD5  0:00:55:54
134.153.19.0   134.153.19.255  134.122.0.0    134.123.255.255  AES-128/MD5  0:00:56:41
NokiaIP40:40>

************************* on central VPN device NE20 *************************

VPN shell:[/] > /tunnels/show/IKE/peer 0.0.0.38
Peer 0.0.0.38:
 1. IKE SA <501dfd4d35d59b54,4a9aad61b9a4d690>:
 2. IKE SA <a2f6c84aebaeef41,b5e019cca89336c9>:
 3. IKE SA <2ebf19f6015512dc,2bfe2e050c95fba5>:
 4. IKE SA <a9d2ea3044de9d55,63a7acfdc926c766>:
 5. IKE SA <433bfe1aacb6cc75,7416c886824c9ca3>:
 6. IKE SA <7685ea7fc59b27bf,508bbea8b5c47cef>:
 7. IKE SA <7955a2c1b607a37f,100aad3968a266e7>:
 8. IKE SA <1db629336b386bfc,7636b8b257357f43>:
 9. IKE SA <8ade721199dfdd50,32b3c250e480aa2b>:
 10. IKE SA <80803df76204ee1c,01ef1647e5934372>:
 11. IKE SA <af2adde3001ebac1,792fccbafcc8f40b>:
 12. IKE SA <c10d544a8f70cdce,ba6ed5451fce4ecd>:
 13. IKE SA <c318192dc1bfc125,835007f010d7f80a>:
 14. IKE SA <59f353383c30584c,1f176834a8285294>:
 15. IKE SA <3a0dacf667332bb5,19befd44c1e0af5d>:
 16. IKE SA <137d31e9dcb41f84,6a450b4984bf2138>:
 17. IKE SA <aaac65b9abfa73bb,7956e27ec54b32d9>:

VPN shell:[/] > /tunnels/show/IPSEC/peer 0.0.0.38
Peer 0.0.0.38:
 INBOUND:
  1. 0xa74a7de9
  2. 0x5fe28dc2
  3. 0xb5ebbc52
  4. 0x941113a8
  5. 0xfa8b153d
  6. 0x9327a72
  7. 0xe6da70d6
 INBOUND:
  1. 0xeca8ec2a
  2. 0xc3883555
  3. 0xac06a3d0
  4. 0x5ebf4a2e
  5. 0x68e59041
  6. 0xc75bd4e2
  7. 0xd79df5de
  8. 0xe2d271fb
 INBOUND:
  1. 0x3cdc9541
  2. 0xf82230fc
  3. 0x263df9d7
  4. 0x8bf825d9
  5. 0xc55c185d
  6. 0xe6bbefef
  7. 0xe4e080ff
 OUTBOUND:
  1. 0x2c6ec23a
  2. 0x2c6ec23c
  3. 0x2c6ec23e
  4. 0x2c6ec240
  5. 0x2c6ec242
  6. 0x2c6ec244
  7. 0x2c6ec246
VPN shell:[/] >

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++ information of working site
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

************************* on remote VPN device IP40 *************************

NokiaIP40:4> show vpn tunnels
site        src             dst            encryption    duration    username  status
Enterprise  218.16.240.210  218.78.209.65  AES-256/SHA1  0:07:18:10  N/A       ok

src start       src end         dst start      dst end          encryption   duration
134.142.19.0    134.142.19.255  218.78.209.65  218.78.209.65    AES-128/MD5  0:00:27:42
218.16.240.210  218.16.240.210  134.132.0.0    134.132.255.255  AES-128/MD5  0:00:44:38
134.142.19.0    134.142.19.255  134.127.0.0    134.127.255.255  AES-128/MD5  0:00:31:44
134.142.19.0    134.142.19.255  134.132.0.0    134.132.255.255  AES-128/MD5  0:00:37:38
218.16.240.210  218.16.240.210  218.78.209.65  218.78.209.65    AES-128/MD5  0:00:42:43
134.142.19.0    134.142.19.255  134.122.0.0    134.123.255.255  AES-128/MD5  0:00:01:15
134.142.19.0    134.142.19.255  134.124.0.0    134.125.255.255  AES-128/MD5  0:00:09:37
NokiaIP40:5>

************************* on central VPN device NE20 *************************

VPN shell:[/] > /tunnels/show/IKE/peer 0.0.0.23
Peer 0.0.0.23:
 1. IKE SA <3ac677291d7e84ad,0149f16cd735e215>:

VPN shell:[/] > /tunnels/show/IPSEC/peer 0.0.0.23
Peer 0.0.0.23:
 INBOUND:
  1. 0xb59f12e0
  2. 0xbb77f7b0
  3. 0x177f9ede
  4. 0xf067e293
  5. 0xa939f955
  6. 0xf1d1235b
  7. 0xf790b8a8
 OUTBOUND:
  1. 0xc802a6ae
  2. 0xc802a6b0
  3. 0xc802a6b1
  4. 0xc802a6b2
  5. 0xc802a6b3
  6. 0xc802a6b4
  7. 0xc802a6b6
VPN shell:[/] >

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++ information of another working site
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

************************* on remote VPN device IP40 *************************

NokiaIP40:36> show vpn tunnels
site        src           dst            encryption    duration    username  status
Enterprise  121.34.57.71  218.78.209.65  AES-256/SHA1  0:06:15:32  N/A       ok

src start     src end         dst start      dst end          encryption   duration
121.34.57.71  121.34.57.71    134.127.0.0    134.127.255.255  AES-128/MD5  0:00:14:09
134.147.19.0  134.147.19.255  218.78.209.65  218.78.209.65    AES-128/MD5  0:00:27:28
121.34.57.71  121.34.57.71    134.132.0.0    134.132.255.255  AES-128/MD5  0:00:32:02
121.34.57.71  121.34.57.71    218.78.209.65  218.78.209.65    AES-128/MD5  0:00:18:28
134.147.19.0  134.147.19.255  134.132.0.0    134.132.255.255  AES-128/MD5  0:00:25:13
134.147.19.0  134.147.19.255  134.127.0.0    134.127.255.255  AES-128/MD5  0:00:27:01
134.147.19.0  134.147.19.255  134.128.0.0    134.128.255.255  AES-128/MD5  0:00:50:21
134.147.19.0  134.147.19.255  134.124.0.0    134.125.255.255  AES-128/MD5  0:00:26:34
134.147.19.0  134.147.19.255  134.122.0.0    134.123.255.255  AES-128/MD5  0:00:27:19
NokiaIP40:37>

************************* on central VPN device NE20 *************************

VPN shell:[/] > /tunnels/show/IKE/peer 0.0.0.25
Peer 0.0.0.25:
 1. IKE SA <3744df03d0218304,33266f199b42e50c>:

VPN shell:[/] > /tunnels/show/IPSEC/peer 0.0.0.25
Peer 0.0.0.25:
 INBOUND:
  1. 0x895bafe8
  2. 0xa786cba9
  3. 0x20ed8f5
  4. 0xe288b602
  5. 0xa81e6e00
  6. 0xcd95a38a
  7. 0x9422137d
  8. 0x865dc83b
  9. 0x24639564
 OUTBOUND:
  1. 0x18985372
  2. 0x18985373
  3. 0x18985374
  4. 0x18985375
  5. 0x18985376
  6. 0x18985377
  7. 0x18985378
  8. 0x1898537a
  9. 0x1898537b
VPN shell:[/] >

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
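As an added, runnable example (not part of the post above and not a Check Point tool): a small Python script that parses VPN shell peer listings of the form shown in the post and flags peers that hold several Phase 1 (IKE) SAs at once, or whose inbound IPsec SPIs are listed in more than one INBOUND bundle, which is exactly how the problem site differs from the two working sites above. The sample text embedded in it is a shortened transcription of the post's listings, constructed for this script; the threshold `max_ike_sas=1` and the bundle rule are the script's own assumptions. A single extra IKE SA is normal for a short window during rekeying, so treat a flag as worth acting on only if it persists across several runs.

```python
"""Parse Check Point VPN shell peer listings and flag peers with stacked SAs.

Added example. SAMPLE is a shortened, constructed transcription of the
listings in the post; the flagging thresholds are this script's assumptions.
"""
import re
from collections import defaultdict

# Shortened transcription of the post's output (constructed sample input).
SAMPLE = """\
VPN shell:[/] > /tunnels/show/IKE/peer 0.0.0.38
Peer 0.0.0.38:
 1. IKE SA <501dfd4d35d59b54,4a9aad61b9a4d690>:
 2. IKE SA <a2f6c84aebaeef41,b5e019cca89336c9>:
 3. IKE SA <2ebf19f6015512dc,2bfe2e050c95fba5>:
VPN shell:[/] > /tunnels/show/IPSEC/peer 0.0.0.38
Peer 0.0.0.38:
 INBOUND:
  1. 0xa74a7de9
  2. 0x5fe28dc2
 INBOUND:
  1. 0xeca8ec2a
  2. 0xc3883555
 OUTBOUND:
  1. 0x2c6ec23a
  2. 0x2c6ec23c
VPN shell:[/] > /tunnels/show/IKE/peer 0.0.0.23
Peer 0.0.0.23:
 1. IKE SA <3ac677291d7e84ad,0149f16cd735e215>:
VPN shell:[/] > /tunnels/show/IPSEC/peer 0.0.0.23
Peer 0.0.0.23:
 INBOUND:
  1. 0xb59f12e0
  2. 0xbb77f7b0
 OUTBOUND:
  1. 0xc802a6ae
  2. 0xc802a6b0
"""

CMD_RE = re.compile(r"^VPN shell:\[/\] > /tunnels/show/(IKE|IPSEC)/peer (\S+)")
IKE_SA_RE = re.compile(r"^\s*\d+\. IKE SA <([0-9a-f]+),([0-9a-f]+)>:")
DIRECTION_RE = re.compile(r"^\s*(INBOUND|OUTBOUND):")
SPI_RE = re.compile(r"^\s*\d+\. (0x[0-9a-f]+)")


def parse_vpn_shell(text):
    """Return {peer: {"ike": [(icookie, rcookie)], "inbound": [[spi, ...], ...],
    "outbound": [spi, ...]}}. Each INBOUND header starts a new inbound bundle."""
    peers = defaultdict(lambda: {"ike": [], "inbound": [], "outbound": []})
    section = peer = direction = None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:                       # a new command output starts here
            section, peer = m.group(1), m.group(2)
            direction = None
            continue
        if peer is None:
            continue
        if section == "IKE":
            m = IKE_SA_RE.match(line)
            if m:
                peers[peer]["ike"].append((m.group(1), m.group(2)))
        elif section == "IPSEC":
            m = DIRECTION_RE.match(line)
            if m:
                direction = m.group(1)
                if direction == "INBOUND":
                    peers[peer]["inbound"].append([])
                continue
            m = SPI_RE.match(line)
            if m and direction == "INBOUND":
                peers[peer]["inbound"][-1].append(m.group(1))
            elif m and direction == "OUTBOUND":
                peers[peer]["outbound"].append(m.group(1))
    return dict(peers)


def flag_peers(peers, max_ike_sas=1):
    """Return {peer: [reasons]} for peers whose SA state looks stacked.
    max_ike_sas=1 is an assumption: one live Phase 1 SA per peer in steady state."""
    findings = {}
    for peer, d in peers.items():
        reasons = []
        if len(d["ike"]) > max_ike_sas:
            reasons.append(f"{len(d['ike'])} IKE SAs (expected at most {max_ike_sas})")
        if len(d["inbound"]) > 1:
            reasons.append(f"inbound SPIs listed in {len(d['inbound'])} separate INBOUND bundles")
        if reasons:
            findings[peer] = reasons
    return findings


if __name__ == "__main__":
    report = flag_peers(parse_vpn_shell(SAMPLE))
    for peer, reasons in sorted(report.items()):
        print(peer, "->", "; ".join(reasons))
```

In practice you would feed the script the captured output of `/tunnels/show/IKE/peer` and `/tunnels/show/IPSEC/peer` for every Edge peer ID and rerun it a few times over the day the flapping occurs; a peer that is flagged on every run is the one to correlate with the SmartView Tracker IKE log entries for that site.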