https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59423#M12002 <P>Hi,</P><P>guys i need a help from you. one of our cutomer has AD servers between a IPSec vpn tunnel. from ADserver 49152-65535 dynamics ports are not open, .both tunnel source and destination all ports are allowed.but there's no logs that prevent those ports Is there any specific configuration should do to allow those traffic?</P> Thu, 01 Aug 2019 08:29:26 GMT samtech4u 2019-08-01T08:29:26Z https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59423#M12002 <P>Hi,</P><P>guys i need a help from you. one of our cutomer has AD servers between a IPSec vpn tunnel. from ADserver 49152-65535 dynamics ports are not open, .both tunnel source and destination all ports are allowed.but there's no logs that prevent those ports Is there any specific configuration should do to allow those traffic?</P> Thu, 01 Aug 2019 08:29:26 GMT https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59423#M12002 samtech4u 2019-08-01T08:29:26Z https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59480#M12021 <P>It should work out of the box with ANY-ANY-Accept on the VPN rule. Do you see any suspicious drops?</P> Fri, 02 Aug 2019 10:43:47 GMT https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59480#M12021 _Val_ 2019-08-02T10:43:47Z https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59482#M12023 <P>For the dynamic communication via Microsoft protocols you can use the "ALL_DCE_RPC" service. With these service you allow the dynamicly used high ports, without defined them explicitly.</P><P>Follow&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65676" target="_self">configuration of rules with service all_dce_rpc</A></P><P>regards</P><P>Wolfgang</P> Fri, 02 Aug 2019 11:42:41 GMT https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59482#M12023 Wolfgang 2019-08-02T11:42:41Z https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59483#M12024 <P>Right,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>, that would be my second question. Without that, however, one should see some "telling" drops.</P> Fri, 02 Aug 2019 11:54:19 GMT https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59483#M12024 _Val_ 2019-08-02T11:54:19Z https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59514#M12027 <P>What connection do you have between the two VPN peers? It might be a MTU related issue.</P><P>Lowering ext. IF MTU or enabling MSS clamping for VPN might help in such cases.</P><P>You may test by using ping with bigger packet sizes and setting DF bit.</P> Fri, 02 Aug 2019 18:30:19 GMT https://community.checkpoint.com/t5/General-Topics/Dynamic-ports-block-for-AD-Server/m-p/59514#M12027 Norbert_Bohusch 2019-08-02T18:30:19Z