topic Re: S2S VPN issue with R80.40 JHFA Take 126 in Firewall and Security Management

S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Tue, 23 Nov 2021 15:18:02 GMT

Hi everyone,

I have VPN star community with Check Point R80.40 clustered gateway as center gateway, with 21 Check Point 1430s (locally managed) as satellite gateways. Since applying JHFA Take 126 to the center gateways, one of the VPN tunnels fails to establish from the center gateway to the satellite. The only unique aspect of this satellite gateway is that its "outside" address is NAT'd. In every other way it is configured the same as the 20 other satellite gateways, which still have VPN tunnels successfully established. The satellite gateways are running Gaia R77.20.87 (990173083).

I see JHFA take 126 has a few fixes for NAT-T issues, so I am thinking this is the cause. I do have a support case open, but TAC has been...busy? While I am waiting for them to respond, I thought I'd check in with the community to see if anyone else has a similar scenario.

-Dave

Re: S2S VPN issue with R80.40 JHFA Take 126

PhoneBoy — Mon, 29 Nov 2021 20:31:11 GMT

What JHF were you running previously?

Re: S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Mon, 29 Nov 2021 20:50:28 GMT

I was previously running on Take 102

Re: S2S VPN issue with R80.40 JHFA Take 126

Ilya_Yusupov — Tue, 30 Nov 2021 07:37:07 GMT

Hi @David_C1,

Can you please a bit share more info about the topology? is the Cluster with JHF 126 is behind NAT and doing VPN against SMB device?

Re: S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Tue, 30 Nov 2021 13:45:50 GMT

The cluster with JHF 126 is NOT behind a NAT. The SMB device is behind a NAT. The cluster with JHF 126 is 20 or so other S2S VPNs with other SMB devices that are not behind NATs, it is only this one device that is behind a NAT and which the tunnel is failing to establish.

Re: S2S VPN issue with R80.40 JHFA Take 126

Ilya_Yusupov — Tue, 30 Nov 2021 14:01:25 GMT

@David_C1 ,

Do you see any outputs in dmesg? Any drops under fw ctl zdebug + drop?

i guess the NAT device that doing NAT for the SMB is not CP device, correct?

Re: S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Tue, 30 Nov 2021 14:05:44 GMT

The device doing NAT for the SMB is a Check Point device, but not managed by me. I've uploaded VPN debugs to my case, but support has yet to respond...

Re: S2S VPN issue with R80.40 JHFA Take 126

Ilya_Yusupov — Tue, 30 Nov 2021 14:17:49 GMT

can you share the case number?

Do you know if the NAT device was also upgrade to this JHF?

Re: S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Tue, 30 Nov 2021 15:34:32 GMT

Case number is 6-0003061866.

The NAT device is on R80.20 with JHFA Take 141. It has not been updated recently.

Re: S2S VPN issue with R80.40 JHFA Take 126

Ilya_Yusupov — Tue, 30 Nov 2021 16:30:10 GMT

@David_C1 - Thank You, i will review it and do my best to push it so you can get answers from support.

Re: S2S VPN issue with R80.40 JHFA Take 126

David_C1 — Mon, 06 Dec 2021 18:55:27 GMT

After working a bit with support, I reverted one gateway in the central cluster to JHFA Take 102. When I made that gateway the active, the tunnel came up. Switching the active back to gateway with Take 126, the tunnel failed to come up. I will be sending support more logs soon.