Barracuda NextGen Firewall X

IPSEC problems with Checkpoint RG55 and higher

  • Type: Knowledgebase
  • Date changed: 5 months ago
Solution #00005116 
This solution replies to:
- NG Firewall firmware versions 4.2.x,5.0.x, 5.2.x
- netfence firmware versions 4.2.x


The IPSEC tunnel goes down at phase 2 rekeying with Checkpoint. Messages like the following are generated in the ike log:

message_parse_payloads: reserved field non-zero: 2
dropped message from port 500 due to notification type PAYLOAD_MALFORMED


Additionally, if multiple subnets are set up at a location, traffic might not be transferred through all of the tunnels.


The rekeying mechanism fails because isakmpd uses the old SA instead of the new one. The option KeepOneReplacedSA keeps multiple instances of the SAs.


This option is enabled by default with KeepOneReplacedSA=1 in isakmpd.conf. It is possible to change this value via the tunnel configuration, so the option may have been disabled manually in the "RAW IPSec" settings.


If the option is really set to "0", delete the entry KeepOneReplacedSA=0 to restore the default setting.
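The check and fix described above can be scripted. The following is an added example, not code from Barracuda or from isakmpd: it scans ike log lines for the two messages quoted in this article, reads the value of KeepOneReplacedSA in effect from a RAW IPSec settings text, and removes an explicit KeepOneReplacedSA=0 entry so that the default of 1 applies again. It assumes the RAW IPSec settings are plain key=value lines (ini-style section headers such as [General] and # comments are skipped); the sample settings and log lines are constructed for the example.

```python
import re

# The two ike log messages quoted in the article, matched as substrings.
SYMPTOMS = (
    "message_parse_payloads: reserved field non-zero",
    "due to notification type PAYLOAD_MALFORMED",
)

KEY = "KeepOneReplacedSA"
DEFAULT = 1  # isakmpd's default for KeepOneReplacedSA, as stated in the article

# key = value, optionally followed by a trailing comment (assumed line format)
_LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>\S*)\s*(#.*)?$")

# Constructed sample of RAW IPSec settings with the option explicitly disabled.
SAMPLE_RAW_IPSEC = """# constructed sample, not a real appliance export
[General]
Retransmits=3
KeepOneReplacedSA=0
"""

# Constructed ike log excerpt: two symptom lines and one unrelated line.
SAMPLE_IKE_LOG = [
    "Jan 01 00:00:01 fw isakmpd[123]: message_parse_payloads: reserved field non-zero: 2",
    "Jan 01 00:00:01 fw isakmpd[123]: dropped message from 203.0.113.10 port 500 "
    "due to notification type PAYLOAD_MALFORMED",
    "Jan 01 00:00:02 fw isakmpd[123]: isakmpd: phase 1 done",
]


def find_rekey_symptoms(log_lines):
    """Return the ike log lines showing the phase 2 rekeying failure from the article."""
    return [line for line in log_lines if any(s in line for s in SYMPTOMS)]


def parse_settings(conf_text):
    """Parse key=value lines into a dict; section headers and comments are ignored."""
    settings = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "[")):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def effective_keep_one_replaced_sa(conf_text):
    """Value in effect: the explicit entry if present, otherwise isakmpd's default of 1."""
    value = parse_settings(conf_text).get(KEY)
    return DEFAULT if value is None else int(value)


def restore_default(conf_text):
    """Drop any explicit KeepOneReplacedSA=0 entry so that the default (1) applies again."""
    kept = []
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("key") == KEY and m.group("value") == "0":
            continue  # remove the disabling entry, keep everything else untouched
        kept.append(line)
    return "\n".join(kept) + ("\n" if conf_text.endswith("\n") else "")


if __name__ == "__main__":
    hits = find_rekey_symptoms(SAMPLE_IKE_LOG)
    print(f"{len(hits)} symptom line(s) found in the ike log")
    print(f"{KEY} in effect: {effective_keep_one_replaced_sa(SAMPLE_RAW_IPSEC)}")
    fixed = restore_default(SAMPLE_RAW_IPSEC)
    print(f"{KEY} after restoring the default: {effective_keep_one_replaced_sa(fixed)}")
```

Only an entry with the value 0 is removed; an explicit KeepOneReplacedSA=1 is left in place, since it already matches the default.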