[SRX] VPN connectivity between Juniper SRX and Checkpoint firewall is unstable

  [KB24037]

This article describes unstable VPN connectivity between an SRX device and a CheckPoint firewall. The symptoms are:
  • The site-to-site VPN tunnel experiences intermittent packet loss.

  • Traffic sent from a server behind the SRX over the tunnel towards the CheckPoint firewall succeeds; but, most of the time, traffic in the other direction does not work.

How to Troubleshoot:

  • Capture the packets on the tunnel interface at each end of the tunnel.

  • Identify the time span in which the traffic was sent. A window of 1 minute should be enough.

The following is an example of packet capture analysis on both the CheckPoint and SRX. The following time span was picked to match the capture on both ends:


From the perspective of SRX:

CheckPoint is sending ESP traffic to SRX. However, it is sending 6 different SPIs over a period of 2 minutes:

  1. 14:57:28.635970 > ESP(spi 0x1fd6e665,seq 0x9235)

  2. 14:58:01.561824 > ESP(spi 0x20b8ef23,seq 0x31e)

  3. 14:57:28.613804 > ESP(spi 0x33f711fc,seq 0x6b6c2)

  4. 14:57:28.605104 > ESP(spi 0x8aba6fc1,seq 0x1cbf2)

  5. 14:57:32.218588 > ESP(spi 0x9c236484,seq 0x77b)

  6. 14:59:08.435390 > ESP(spi 0xca544567,seq 0xd)

From the perspective of the CheckPoint firewall:

CheckPoint is receiving ESP traffic from SRX. However, SRX is sending only 1 SPI over the same time frame:
14:57:28.604671 > ESP(spi 0x0adbbe23,seq 0x23e0a)
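The comparison above can be done mechanically once the two captures have been trimmed to the same time window. The following Python script is an added example (not part of this article or of any Juniper or CheckPoint tool): it parses tcpdump-style ESP lines, counts the distinct SPIs seen from each side within the window and flags the mismatch that points at differing proxy-ID/ACL definitions. The sample lines are the ones quoted above plus one constructed non-ESP line to show that unrelated packets are ignored; the regular expression also accepts full tcpdump output where the "IP src > dst:" part precedes "ESP(".

```python
import re
from collections import OrderedDict
from datetime import datetime

# Matches the abbreviated lines quoted in the article as well as full
# tcpdump output such as "14:57:28.6 IP 1.1.1.1 > 2.2.2.2: ESP(spi 0x..,seq 0x..)".
ESP_LINE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+).*?ESP\(spi\s+(?P<spi>0x[0-9a-fA-F]+),"
    r"\s*seq\s+(?P<seq>0x[0-9a-fA-F]+)\)"
)

# Constructed sample input: the lines from the article, plus one ICMP line
# (constructed) that must be ignored by the parser.
SAMPLE_AT_SRX = [
    "14:57:28.635970 > ESP(spi 0x1fd6e665,seq 0x9235)",
    "14:58:01.561824 > ESP(spi 0x20b8ef23,seq 0x31e)",
    "14:57:28.613804 > ESP(spi 0x33f711fc,seq 0x6b6c2)",
    "14:57:28.605104 > ESP(spi 0x8aba6fc1,seq 0x1cbf2)",
    "14:57:29.000000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request",  # constructed noise
    "14:57:32.218588 > ESP(spi 0x9c236484,seq 0x77b)",
    "14:59:08.435390 > ESP(spi 0xca544567,seq 0xd)",
]
SAMPLE_AT_CHECKPOINT = [
    "14:57:28.604671 > ESP(spi 0x0adbbe23,seq 0x23e0a)",
]


def parse_esp_lines(lines):
    """Return (timestamp, spi, seq) tuples, chronologically sorted, for ESP lines only.

    Timestamps are parsed as time-of-day; a capture that crosses midnight
    should be split before calling this.
    """
    records = []
    for line in lines:
        m = ESP_LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        records.append((ts, int(m.group("spi"), 16), int(m.group("seq"), 16)))
    records.sort(key=lambda r: r[0])
    return records


def summarize(records):
    """Distinct SPIs in first-seen order, packets per SPI and the span of the capture."""
    per_spi = OrderedDict()
    for ts, spi, _seq in records:
        per_spi[spi] = per_spi.get(spi, 0) + 1
    span = 0.0
    if records:
        span = (records[-1][0] - records[0][0]).total_seconds()
    return {
        "spi_count": len(per_spi),
        "spis": [f"0x{spi:08x}" for spi in per_spi],
        "packets_per_spi": {f"0x{spi:08x}": n for spi, n in per_spi.items()},
        "span_seconds": span,
    }


def compare_sides(lines_seen_at_srx, lines_seen_at_checkpoint):
    """Compare the ESP SPIs each peer receives; a different count means the two
    peers negotiated a different number of SAs (typically differing proxy-IDs/ACLs)."""
    from_checkpoint = summarize(parse_esp_lines(lines_seen_at_srx))
    from_srx = summarize(parse_esp_lines(lines_seen_at_checkpoint))
    return {
        "from_checkpoint": from_checkpoint,
        "from_srx": from_srx,
        "spi_count_mismatch": from_checkpoint["spi_count"] != from_srx["spi_count"],
    }


if __name__ == "__main__":
    result = compare_sides(SAMPLE_AT_SRX, SAMPLE_AT_CHECKPOINT)
    print("SPIs sent by CheckPoint:", result["from_checkpoint"]["spis"])
    print("SPIs sent by SRX:", result["from_srx"]["spis"])
    print("SA count mismatch:", result["spi_count_mismatch"])
```

Run it against the two trimmed captures (one file per side, any extra tcpdump columns are tolerated); a mismatch in the SPI counts is the signal that the article goes on to address with Option A or Option B.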


You have to use one of the following options:

Option A:

  • Collect the ACL details from the CheckPoint firewall and adjust the ACL on the SRX device to match. When this is done, the SRX will create the same number of SPIs as the CheckPoint firewall; the traffic will then flow in the matching SPI over the VPN tunnel and will not get dropped.

Option B:

  • Change the CheckPoint setting to force it to send only one SPI for all the subnets; that is, one tunnel for 0/0. This way, all the traffic will be sent via that single SPI and the SRX will respond properly.

  • Make sure to select the Tunnel Only option in the CheckPoint firewall. Do not select the Routing option, as this could send unintended traffic over the tunnel and potentially cause unwanted results.