Barracuda NextGen Firewall X

IPSEC problems with Checkpoint RG55 and higher

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005116 
Scope:
This solution replies to:
- NG Firewall firmware versions 4.2.x,5.0.x, 5.2.x
- netfence firmware versions 4.2.x

Symptoms:

The IPSEC tunnel goes down at phase 2 rekeying with Checkpoint. Messages like the following are generated in the ike log:

    message_parse_payloads: reserved field non-zero: 2
    dropped message from 1.2.3.4 port 500 due to notification type PAYLOAD_MALFORMED

Additionally, if multiple subnets are set up at a location, it is possible that data is not transferred through the tunnel for all of these subnets.

Solution:

The rekeying mechanism fails because the ISAKMP daemon (isakmpd) keeps using the old SA instead of the new one. The option KeepOneReplacedSA keeps multiple instances of the SAs.

This option is enabled by default with KeepOneReplacedSA=1 in the isakmpd.conf. It is possible to change this value via the tunnel configuration, so the option may have been manually disabled in the "RAW IPSec" settings.

If the option is really set to "0", delete the entry KeepOneReplacedSA=0 to restore the default setting.
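As an added example (not part of the Barracuda article), the following Python script checks an ike log excerpt for the two messages described above and audits a raw IPsec settings fragment for a KeepOneReplacedSA=0 override, producing the corrected fragment with that line removed. The "RAW IPSec" settings are assumed here to be plain key=value lines, as in isakmpd.conf; both inputs are constructed samples.

```python
import re

# Log lines quoted in the article's Symptoms section, used here as sample input.
IKE_LOG_SAMPLE = """\
message_parse_payloads: reserved field non-zero: 2
dropped message from 1.2.3.4 port 500 due to notification type PAYLOAD_MALFORMED
"""

# Constructed raw IPsec settings fragment; the key=value line format is an assumption.
RAW_IPSEC_SAMPLE = """\
# override left behind during earlier troubleshooting
KeepOneReplacedSA=0
"""

# Both messages must appear for the log to match the article's symptom.
SYMPTOM_PATTERNS = (
    re.compile(r"message_parse_payloads: reserved field non-zero"),
    re.compile(r"dropped message from \S+ port \d+ due to notification type PAYLOAD_MALFORMED"),
)

OVERRIDE_RE = re.compile(r"^\s*KeepOneReplacedSA\s*=\s*(\d+)\s*$")


def has_rekey_symptom(ike_log: str) -> bool:
    """True when every symptom pattern matches at least one line of the ike log."""
    lines = ike_log.splitlines()
    return all(any(p.search(line) for line in lines) for p in SYMPTOM_PATTERNS)


def find_override(raw_settings: str):
    """Return the value of a KeepOneReplacedSA entry in the raw settings, or None."""
    for line in raw_settings.splitlines():
        m = OVERRIDE_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def remove_disabling_override(raw_settings: str) -> str:
    """Drop a KeepOneReplacedSA=0 line so the isakmpd.conf default (=1) applies again."""
    kept = [line for line in raw_settings.splitlines()
            if not (OVERRIDE_RE.match(line) and int(OVERRIDE_RE.match(line).group(1)) == 0)]
    return "\n".join(kept) + ("\n" if raw_settings.endswith("\n") else "")


def diagnose(ike_log: str, raw_settings: str) -> str:
    """Summarise whether the symptom is present and whether the override explains it."""
    if not has_rekey_symptom(ike_log):
        return "no phase 2 rekeying symptom in ike log"
    if find_override(raw_settings) == 0:
        return "symptom present; KeepOneReplacedSA=0 override found, remove it"
    return "symptom present; KeepOneReplacedSA override not found, check other causes"
```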

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKYXAA4