https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98565#M19252 <P>I have a case open with TAC, but wanted to see if anyone had seen anything similar.</P><P>I just find it strange that only the VTIs using BGP required acceleration to be disabled, but the ones without didn't.</P> Thu, 08 Oct 2020 15:18:35 GMT MattElkington 2020-10-08T15:18:35Z https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98457#M19242 <P>Has anyone run into issues using dynamic routing and VTIs post R80.10?</P><P>&nbsp;</P><P>Last weekend I upgraded a customer firewall which was specifically used to terminate route based VPNs on.</P><P>&nbsp;</P><P>6 VTIs configured, 4 numbered (2 for AWS, 2 for Azure), 2 unnumbered (other stuff).</P><P>Post R80.40 upgrade the unnumbered tuinnels came up fine, but both the AWS and Azure ones did not.&nbsp; I could see outbound tunnels established, but nothing inbound, all of these tunnels are additionally using BGP.</P><P>Disabled SecureXL acceleration with "fwaccel off" and they leapt into life, again, enabling SecureXL and then disabling vpn acceleration with "vpn accel off" also allowed traffic to flow.</P><P>Now there may be some other issues going on, in that further examination showed that some of the BGP config was mismatched on the cluster, but I don't think it was this, as when I rolled the R80.40 member back to R80.10 it all worked again.</P><P>I have arranged a new window next weekend to re-attempt, but has anyone else run across anything like this?&nbsp; It feels a weird coincidence that the VTI tunnels using dynamic routing don't work with acceleration, but the others do.</P><P>&nbsp;</P><P>I'm also getting the feeling that ISP redundancy may be a bit iffy under R80.40 as well, as again I have another customer where it doesn't work correctly with acceleration turned on.</P> Wed, 07 Oct 2020 17:32:21 GMT https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98457#M19242 MattElkington 2020-10-07T17:32:21Z https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98488#M19247 <P>If disabling SecureXL solves a problem, the TAC should be involved.<BR /><BR /></P> Thu, 08 Oct 2020 03:07:11 GMT https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98488#M19247 PhoneBoy 2020-10-08T03:07:11Z https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98565#M19252 <P>I have a case open with TAC, but wanted to see if anyone had seen anything similar.</P><P>I just find it strange that only the VTIs using BGP required acceleration to be disabled, but the ones without didn't.</P> Thu, 08 Oct 2020 15:18:35 GMT https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/98565#M19252 MattElkington 2020-10-08T15:18:35Z https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/111660#M21015 <P>Hi Matt,</P><P>I don't know if this is still relevant for you but we are experiencing similar problems:<BR />1 Numbered VTI with Policy-based-routing:</P><P>With secureXL disabled everything works fine. With SecureXL enabled no traffic goes via the tunnel.<BR />Our workaround right now is to disable SecureXL as it's only a very small office and the firewall can handle it easily without SecureXL, but as SecureXL can no longer be disabled persistently it's a problem after reboots (Power outages are common there)</P><P>Where you able to fix your problem?</P><P>Best regards,<BR />Tobias</P> Tue, 23 Feb 2021 21:45:41 GMT https://community.checkpoint.com/t5/General-Topics/R80-40-SecureXL-VTI-and-Dynamic-Routing/m-p/111660#M21015 Tobias_Absmann 2021-02-23T21:45:41Z