CheckPoint VPN tunnel up and kernel debug shows ‘dropped by vpn_encrypt_chain Reason: no error’

The Check Point VPN tunnel was up but traffic was not passing. SmartView Tracker showed "no valid SA" and "encryption fail" logs, and a kernel debug of the traffic showed it being dropped by vpn_encrypt_chain with "Reason: No error". When I checked the tunnel status in vpn tu, both Phase 1 and Phase 2 were up.


Smartview tracker logs.

Drop:

encryption fail reason: Packet is dropped because there is no valid SA – please refer to solution sk19423 in SecureKnowledge Database for more information

Reject:

encryption failure: no response from peer

fw ctl zdebug:

[Expert@FW:0]# fw ctl zdebug drop | grep 192.168.3.3
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62415 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62414 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62413 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62412 dropped by vpn_encrypt_chain Reason: No error;
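On a busy gateway the raw zdebug stream is hard to read, so here is an added Python example (not from the post) that parses fw_log_drop_ex lines and summarises drops by chain, reason and destination, and pulls out the vpn_encrypt_chain / "No error" pattern seen above. The sample input is constructed: the four VPN lines are taken from the output above, the last line is a made-up non-VPN drop to show that the parser keeps the two apart.

```python
import re
from collections import Counter

# Constructed sample of `fw ctl zdebug drop` output: four lines from the post
# plus one invented rulebase drop on a different chain (not real gateway output).
SAMPLE_ZDEBUG = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62415 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62414 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62413 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.137:2048 -> 192.168.3.3:62412 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.0.0.5:51000 -> 192.168.3.3:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 5;
"""

# One fw_log_drop_ex record: proto, src:sport -> dst:dport, chain, reason.
# proto=1 is ICMP; there the "port" fields carry ICMP type/code, not TCP/UDP ports.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<chain>\S+) Reason: (?P<reason>[^;]*);"
)


def parse_drops(text):
    """Yield one dict per fw_log_drop_ex line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count drops by (chain, reason) and by destination host."""
    by_chain, by_dst = Counter(), Counter()
    for d in parse_drops(text):
        by_chain[(d["chain"], d["reason"])] += 1
        by_dst[d["dst"]] += 1
    return by_chain, by_dst


def vpn_encrypt_drops(text):
    """Destinations whose packets die in vpn_encrypt_chain with 'No error':
    the pattern the post pairs with 'no valid SA' on a tunnel that looks up."""
    return dict(Counter(d["dst"] for d in parse_drops(text)
                        if d["chain"] == "vpn_encrypt_chain" and d["reason"] == "No error"))


if __name__ == "__main__":
    chains, dsts = summarize(SAMPLE_ZDEBUG)
    for (chain, reason), n in chains.most_common():
        print(f"{n:4d}  {chain:28s} {reason}")
    print("VPN encrypt drops by destination:", vpn_encrypt_drops(SAMPLE_ZDEBUG))
```

Feed it `fw ctl zdebug drop` output captured to a file; any destination that shows up in the vpn_encrypt_drops result while vpn tu reports both phases up is a candidate for the SA reset described below.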

Resolution:

It was resolved by resetting the IPsec and IKE SAs for the peer with the vpn tu command.

FW-UTM-I> vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

7

Enter IP of peer (format: xxx.xxx.xxx.xxx): 1.2.3.4  <-- (type the peer gateway IP and hit Enter)

Repeat the same process on the peer gateway and wait for the tunnel to renegotiate; this usually takes some time.

A R Amoodi

I'm Abdul Rahman Amoodi, a Network and Security Administrator by profession, and an author and the founder of Blogsol.org by passion.
