[SRX] VPN connectivity between Juniper SRX and Checkpoint firewall is unstable

  [KB24037]


Summary:
This article describes the issue of the VPN connectivity between the SRX device and Checkpoint firewall being unstable.
Symptoms:
  • VPN Site-to-site tunnel is experiencing intermittent packet loss.

  • If the traffic is sent from a server behind SRX over the tunnel towards the CheckPoint firewall, then it succeeds; but, most of the time, the other way round does not work.
Cause:

Solution:
How to Troubleshoot:

  • Capture the packets on each side of the tunnel interfaces.

  • Identify the time span in which traffic was being sent. A window of 1 minute should be enough.

The following is an example of packet capture analysis on both the CheckPoint and the SRX. This time span was picked so that the captures on both ends can be matched:

14:57:28

From the perspective of SRX:


CheckPoint is sending ESP traffic to SRX. However, it is sending 6 different SPIs over a period of 2 minutes:

  1. 14:57:28.635970 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x1fd6e665,seq 0x9235)

  2. 14:58:01.561824 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x20b8ef23,seq 0x31e)

  3. 14:57:28.613804 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x33f711fc,seq 0x6b6c2)

  4. 14:57:28.605104 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x8aba6fc1,seq 0x1cbf2)

  5. 14:57:32.218588 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x9c236484,seq 0x77b)

  6. 14:59:08.435390 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0xca544567,seq 0xd)

From the perspective of the CheckPoint firewall:


CheckPoint is receiving ESP traffic from the SRX. However, the SRX is sending only one SPI over the same time frame:
14:57:28.604671 mdnxafj02a-reth0.usi.net > 205.241.13.1: ESP(spi 0x0adbbe23,seq 0x23e0a)
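As an added example (not part of the Juniper article), the following Python script performs the comparison described above on tcpdump-style capture lines: it counts the distinct ESP SPIs seen in each direction inside the chosen time window and flags the asymmetry. The sample capture text is constructed from the lines quoted above, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in tcpdump's ESP summary format, built from the
# capture lines quoted in this article (same hosts, SPIs and timestamps).
SRX_SIDE_CAPTURE = """\
14:57:28.635970 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x1fd6e665,seq 0x9235)
14:58:01.561824 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x20b8ef23,seq 0x31e)
14:57:28.613804 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x33f711fc,seq 0x6b6c2)
14:57:28.605104 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x8aba6fc1,seq 0x1cbf2)
14:57:32.218588 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0x9c236484,seq 0x77b)
14:59:08.435390 205.241.13.1 > mdnxafj02a-reth0.usi.net: ESP(spi 0xca544567,seq 0xd)
"""
CHECKPOINT_SIDE_CAPTURE = """\
14:57:28.604671 mdnxafj02a-reth0.usi.net > 205.241.13.1: ESP(spi 0x0adbbe23,seq 0x23e0a)
"""

# One tcpdump summary line for an ESP packet: "<time> <src> > <dst>: ESP(spi 0x..,seq 0x..)"
ESP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"ESP\(spi (?P<spi>0x[0-9a-fA-F]+),seq (?P<seq>0x[0-9a-fA-F]+)\)"
)

def esp_spis_in_window(capture, start, minutes=2):
    """Map (src, dst) -> set of SPIs seen in [start, start + minutes).
    Non-ESP lines (IKE, ARP, ...) in the capture are ignored."""
    t0 = datetime.strptime(start, "%H:%M:%S")
    t1 = t0 + timedelta(minutes=minutes)
    spis = defaultdict(set)
    for line in capture.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue
        if t0 <= datetime.strptime(m["ts"], "%H:%M:%S.%f") < t1:
            spis[(m["src"], m["dst"])].add(int(m["spi"], 16))
    return dict(spis)

def compare_spi_counts(srx_side, checkpoint_side, start, minutes=2):
    """Count distinct SPIs in each direction over the same window; a mismatch
    (many from the CheckPoint, one from the SRX) is the signature in this KB."""
    to_srx = esp_spis_in_window(srx_side, start, minutes)
    to_checkpoint = esp_spis_in_window(checkpoint_side, start, minutes)
    n_to_srx = sum(len(s) for s in to_srx.values())
    n_to_cp = sum(len(s) for s in to_checkpoint.values())
    return {"checkpoint_to_srx": n_to_srx, "srx_to_checkpoint": n_to_cp,
            "mismatch": n_to_srx != n_to_cp}

if __name__ == "__main__":
    print(compare_spi_counts(SRX_SIDE_CAPTURE, CHECKPOINT_SIDE_CAPTURE, "14:57:28"))
```

Feed it the raw output of a capture on each side and narrow the window until the counts line up or the mismatch is confirmed.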


Workaround:


Use one of the following options:

Option A:

  • Collect the ACL details from the CheckPoint firewall and adjust the ACL on the SRX device. When this is done, the SRX will be able to create the same number of SPIs as the CheckPoint firewall, so traffic will flow in the matching SPI over the VPN tunnel and will not be dropped.

Option B:

  • Change the CheckPoint setting to force it to send only one SPI for all the subnets; that is, one tunnel for 0/0. This way, all the traffic will be sent via that single SPI and the SRX will respond properly.

  • Make sure to select the Tunnel Only option in the CheckPoint firewall. Do not select the Routing option, as this could send unintended traffic over the tunnel and potentially cause unwanted results.