Netgate Discussion Forum

    ERROR: failed to pre-process packet.

    IPsec
    8 Posts 2 Posters 8.9k Views
    • j.jptechworks

      Hi,

      I am having a problem with IPsec between pfSense 1.2.3 and Check Point Firewall.

      I get the following every couple of minutes in the IPsec log:

      Jul 29 14:54:59 racoon: [xxxxx]: INFO: respond new phase 2 negotiation: xx.xx.xxx.xxx[0]<=>xx.xxx.xxx.xxx[0]
      Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.
      Jul 29 14:54:59 racoon: [xxxxx]: INFO: respond new phase 2 negotiation: xx.xx.xxx.xx[0]<=>xx.xxx.xxx.xxx[0]
      Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.

      I sshed in and ran racoon in debug/verbose mode. I found the following with the above error:
      "invalid length of payload"

      This error coincides with their telnet connections over this VPN becoming unstable which must be corrected.

      Another IPsec VPN with pfSense on both ends does not have this problem.

      Thanks!

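      The log pattern in the post above lends itself to a simple detector. As an added example (not code from the thread, from pfSense or from racoon), this Python script pairs each "respond new phase 2 negotiation" line with the "failed to pre-process packet" error that follows it and flags peers whose failed negotiations recur far inside the configured phase 2 lifetime; the sample log lines, the addresses and the 0.1 gap ratio are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the format the post shows (documentation-range addresses, not real peers).
SAMPLE_LOG = """\
Jul 29 14:54:59 racoon: [203.0.113.10]: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>203.0.113.10[0]
Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.
Jul 29 14:57:12 racoon: [203.0.113.10]: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>203.0.113.10[0]
Jul 29 14:57:12 racoon: ERROR: failed to pre-process packet.
Jul 29 15:10:01 racoon: [198.51.100.7]: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.7[0]
"""

NEG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: \[[^\]]*\]: INFO: "
                 r"respond new phase 2 negotiation: \S+<=>(\S+?)\[\d+\]$")
ERR = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: ERROR: failed to pre-process packet\.$")

def parse_ts(text):
    # Syslog timestamps carry no year; any fixed year is fine for computing gaps.
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2000)

def failed_phase2_by_peer(log_text):
    """Map remote peer -> timestamps of phase 2 negotiations immediately followed by the error."""
    failures, pending = {}, None
    for line in log_text.splitlines():
        m = NEG.match(line)
        if m:
            pending = (parse_ts(m.group(1)), m.group(2))  # remember the negotiation, await its outcome
            continue
        if ERR.match(line) and pending is not None:
            ts, peer = pending
            failures.setdefault(peer, []).append(ts)
        pending = None  # any other line closes the pairing window
    return failures

def suspicious_peers(failures, phase2_lifetime=3600, max_gap_ratio=0.1, min_failures=2):
    """Flag peers whose failed phase 2 negotiations recur far inside the phase 2 lifetime.
    A healthy tunnel rekeys about once per lifetime; the 0.1 ratio is an assumed threshold."""
    flagged = {}
    for peer, times in failures.items():
        if len(times) < min_failures:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) < phase2_lifetime * max_gap_ratio:
            flagged[peer] = {"failures": len(times), "shortest_gap_s": min(gaps)}
    return flagged
```

      Run it against the pfSense IPsec log export with the phase 2 lifetime you actually configured (3600 in this thread) to see which peer is retrying and how quickly.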
      • jimp Rebel Alliance Developer Netgate

        How are your lifetime/timeout values on both ends of the tunnel set?

        Have you tried setting System > Advanced, Prefer old IPsec SAs?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • j.jptechworks

          Phase 1: 28800 seconds
          Phase 2: 3600 seconds

          I did try the prefer old IPsec SAs option but I was unable to ping the other side with it on.

          BTW, great job on the pfSense book. I've found it very helpful.

          • jimp Rebel Alliance Developer Netgate

            Are those the timeouts from the Checkpoint side, pfSense, or both?

            Also, does the Checkpoint side have a "data" lifetime setting? You might try increasing that quite a bit.

            • j.jptechworks

              Those lifetimes should be on both ends. I do not have access to the checkpoint firewall. I submitted a ticket to have them confirm the lifetimes on Friday and am still waiting for a response.

              Edit: I have received confirmation that the phase 1/phase 2 lifetimes are the same on both ends as I listed above.

              I will ask them about the "data" lifetime setting. Google searches were inconclusive for me. It may take some time for them to respond so I will post back when they do.

              • j.jptechworks

                The data lifetime is not set on their end. Time only.

                • j.jptechworks

                  I feel I should respond to your question more clearly. To directly answer:

                  The lifetimes are 28800/3600 seconds on both sides. The checkpoint firewall does not have a data lifetime.

                  • jimp Rebel Alliance Developer Netgate

                    Not sure what else you might want to try in that case.

                    Some people have had luck switching hashes or encryption algos with certain devices (e.g. if you're using SHA1 in either phase, use MD5 instead, or vice versa).

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.