DROP PACKET IPSEC
Datatica
Over several months we have collected several dropped IPsec packets; the maximum number collected has been 43 million. The logs do not give any information; they simply mention that the packet has been dropped.
All we have is the following image:
A message saying that the port has changed from 500 to 4500, and since then no more messages have been dropped.
Is it possible that it is because of an old version of the devices?
Category: Entry Level Firewalls
Answers
UDP port 500 is for Internet Key Exchange (IKE).
UDP port 4500 is for IPsec NAT-Traversal (NAT-T), i.e. the endpoint is behind a device performing NAT on the source address.
But then why does the SonicWall drop the packets?
Do you think the traffic should be allowed, or not?
Yes, in fact all connections are allowed from that IP address, but for some reason, for a while, the connections start dropping for no apparent reason.
That's the strange thing.
There are rules for each VPN set up and all ports are allowed.
IKE on UDP 500 is used to start a connection; if during P1 negotiation the remote endpoint is found to be behind a NAT device, this will move to UDP 4500.
Is the remote endpoint behind a NAT device?
Also your logs are from an external syslog collector and may not contain all the information.
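As an added illustration of the move from port 500 to 4500 that this answer describes (example code written for this page, not from the thread or from SonicWall): the IKEv2 NAT detection check from RFC 7296 section 2.23, which is what decides that move. It assumes IKEv2 (IKEv1 NAT-D in RFC 3947 hashes the ISAKMP cookies with the negotiated hash algorithm instead of SHA-1); the SPIs, ports and addresses are constructed.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE/ISAKMP
NAT_T_PORT = 4500   # IPsec NAT-Traversal (UDP-encapsulated IKE and ESP)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notification data (RFC 7296 section 2.23):
    SHA-1 over the IKE SPIs in header order, the IP address and the UDP port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_detection(spi_i, spi_r, local_ip, local_port, remote_ip, remote_port):
    """Sender side: hash the addresses as the sender itself sees them."""
    source = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    destination = nat_detection_hash(spi_i, spi_r, remote_ip, remote_port)
    return source, destination


def check_nat_detection(spi_i, spi_r, source, destination,
                        observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: compare the peer's hashes with what actually arrived on
    the wire. A mismatch means a NAT rewrote that address, so the exchange
    must move from UDP 500 to UDP 4500 (NAT-T) for the rest of the tunnel."""
    peer_behind_nat = source != nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    local_behind_nat = destination != nat_detection_hash(spi_i, spi_r, my_ip, my_port)
    port = NAT_T_PORT if (peer_behind_nat or local_behind_nat) else IKE_PORT
    return {"peer_behind_nat": peer_behind_nat, "local_behind_nat": local_behind_nat, "port": port}


def demo_initiator_behind_nat():
    """Constructed scenario: initiator on private 192.168.10.5 behind a NAT whose
    public address is 203.0.113.7; responder on public 198.51.100.1 (RFC 5737 addresses)."""
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), bytes(8)  # SPIr is zero in the IKE_SA_INIT request
    src, dst = build_nat_detection(spi_i, spi_r, "192.168.10.5", IKE_PORT, "198.51.100.1", IKE_PORT)
    # The responder sees the NAT's public address and a translated source port.
    return check_nat_detection(spi_i, spi_r, src, dst, "203.0.113.7", 41000, "198.51.100.1", IKE_PORT)


if __name__ == "__main__":
    print(demo_initiator_behind_nat())  # {'peer_behind_nat': True, 'local_behind_nat': False, 'port': 4500}
```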
Yes, both devices are behind a router with NAT configured. What would be the correct procedure to prevent those messages from being dropped?
If the event is benign you can disable sending this event to the syslog.
Device > Log > Settings: expand VPN / VPN IPSEC / ESP Drop, where event ID 533 is populated; turn off SYSLOG. It will still be logged in the GUI.
I would like to solve the reason why they are being dropped; disabling the logs does not solve it, since so many dropped packets could affect the SonicWall's performance.
I assume the firewall is expecting them on 500 and dropping them on 4500, or vice-versa.
Are the payload packets inside the tunnel actually being dropped?
No, apparently they are not having communication problems. It is suspected that this occurs while the tunnel is being established, and once it is established no more dropping occurs.