topic Re: SD WAN and Domain based VPN in SD-WAN

SD WAN and Domain based VPN

cjames88 — Thu, 18 Dec 2025 15:29:28 GMT

I'm looking for people that are successfully using SDWAN and domain based VPN on both GAIA and GAIA embedded devices. We are currently waiting on our vendor to get a time scheduled with a checkpoint engineer to figure out why SD WAN won't allow traffic to pass thru the tunnel in our environment. Our vendor has confirmed we did everything correct per checkpoint documentation, which is why it's been escalated to checkpoint. At this point I'm just looking for anyone that has this successfully working and can tell me some things they ran into not in the documentation I should take a look at.

Re: SD WAN and Domain based VPN

AmirArama — Thu, 18 Dec 2025 17:27:12 GMT

Hi,

please send me in private the SR number and I will try to assist,

Re: SD WAN and Domain based VPN

the_rock — Thu, 18 Dec 2025 17:59:05 GMT

I have access from Perimeter 81 (sase) to CP onprem and Azure cluster, mind you, it is route based.

Re: SD WAN and Domain based VPN

cjames88 — Thu, 18 Dec 2025 18:32:34 GMT

I don't actually have the SR, my vendor has it. At this point I'm just grasping at straws trying to figure out what I missed.

Re: SD WAN and Domain based VPN

cjames88 — Thu, 18 Dec 2025 18:33:26 GMT

This is a pretty different scenario. This is checkpoint to checkpoint VPN with SD WAN running on the appliance. From best we can tell SD WAN isn't letting traffic be sent across the tunnels.

Re: SD WAN and Domain based VPN

the_rock — Thu, 18 Dec 2025 18:34:57 GMT

Some questions

1) Is tunnel up?

2) If yes to 1, is it ONLY failing one way?

3) If no to 1, which phase does ot fail on, phase 1 or 2?

4) Did you run fw monitor/tcpdump/zdebug to see why it fails?

Re: SD WAN and Domain based VPN

cjames88 — Thu, 18 Dec 2025 18:37:53 GMT

Mostly yes to all of the above. SD WAN sees the tunnel as up. At times during testing we've been able to get traffic one way and not the other. At other times no traffic period. The monitor commands do not show why it's not being encrypted. As best we can tell SD WAN is simply not sending the traffic across the tunnel. We can see the SD WAN dashboard that traffic isn't even hitting the steering object despite having the rules from the guide in place.

Re: SD WAN and Domain based VPN

the_rock — Thu, 18 Dec 2025 18:40:38 GMT

Fair enough, thats good info to go on. Follow up question...how is tunnel management tab set in VPN community in smart console? I ask this, because it is 100% relevant...reason I say that is because say if you have mix of hosts/subnets in enc.domain, then it would change what option to select.

Re: SD WAN and Domain based VPN

the_rock — Thu, 18 Dec 2025 18:41:51 GMT

@cjames88

And also, how is link selection set?

Re: SD WAN and Domain based VPN

AmirArama — Thu, 18 Dec 2025 19:02:42 GMT

in general, overlay traffic must match SD-WAN overlay rule.

you can attach the following outputs from both peers here if you prefer

fw monitor -F "<src>,0,<dst>,0,0" -F "<dst>,0,<src>,0,0"
example:
fw monitor -F "192.168.1.1,0,192.168.10.1,0,0" -F "192.168.10.1,0,192.168.1.1,0,0"

fw ctl zdebug + drop while greping client or server IP
for example:
fw ctl zdebug + drop | grep 192.168.10.1

#initiate the connection

check which tunnel chosen to carry the conn:
vpn tu conn <src> - <dst> - - (run that while the conn already opened)

copy the outputs.

you can also check on which SD-WAN rule the traffic matches if you don't see it in logs by:
fw ctl zdebug -m SDWANRB + all | grep PROB
#initiate the connection