7.0.1-5111 - IKEv2 not working because of 169.254.0.0
BWC
Cybersecurity Overlord ✭✭✭
Hi,
did anyone experienced IKEv2 issues, especially in Double NAT situations? I saw this a couple of times, but today a customer migrated from a TZ 500 to a TZ 570 and a former working tunnel to a TZ 270 wasnt coming up anymore.
I did some investigation and the UDP 500 from the TZ 270 arrives at X3 (behind a AVM Fritzbox), but the TZ 570 answers with Source 169.254.0.0, instead of the X3 IP. A recipe for desaster.
The quick fix was to change from IKEv2 to IKEv1 and the tunnel came up properly.
I had similar cases on Gen6 in the past, but I can't recall seeing 169.254.0.0 as Source which is utterly wrong.
The network is back in production and because it's a remote location further debugging is nearly impossible.
@fmadia @MustafaA @MasterRoshi is this a known issue?
--Michael@BWC
Answers
@BWC , I don't think this is a known issue, based on my internal search.
@BWC , what firmware is used on the Gen7 firewall? It could be related to "IKEv2 Cookie Notify" settings. If you have a chance to disable this settings and perform a test, that would be great.
@MustafaA the title of this thread gives it away :) ...its 7.0.1-5111 ... but the Cookie is something I looked already into because Wireshark showed it's Cookie related.
Hopefully the custome is able to test shortly and I'll report back. I already informed another customer with the same exact problem to give it a try.
--Michael@BWC
@BWC , the big title fonts are not big enough to catch my eyes :)
Looking forward to the test result.