topic Re: Traffic initiated from Lan to VPN Endpoint Client Blocked in General Topics

Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Thu, 21 Aug 2025 14:49:04 GMT

Recently migrated from a Cisco ASA to a CP3800 R82. With the Cisco we were able to reach the VPN clients with traffic initiated from the Lan. This isn't happening with the CP. Logs show Lan initiated traffic being encrypted on the gateway, but that is where it ends. I don't have a NAT setup at this time between the VPN subnet and Lan. Not sure if that is the missing piece or it's something else.

Policy rules:

1. source: vpn@any, dest: intLan, VPN: RemoteAccess, Serv&app: Any, Action: Accept
2. source: intLan, dest: Any, VPN: Any, Serv&app: Any, Action: Accept
3. source: VPNsubnet, dest: intLan, VPN: Any, Serv&app: Any, Action: Accept
4. Cleanup rule

Added Rule #3 but didn't make a difference.

If the Endpoint Client only applies policy assigned to the VPN community (RemoteAccess), then that would explain what is happening.

Thanks for any help.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

PhoneBoy — Thu, 21 Aug 2025 16:58:06 GMT

By default, this is blocked in Global Properties.
Enable Back Connections and push policy.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Thu, 21 Aug 2025 17:27:47 GMT

That is currently enabled.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Thu, 21 Aug 2025 18:12:10 GMT

Just to make sure Im not missing anything...are you saying when people connect with VPN client, they cant access anything behind the fw?

Andy

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Thu, 21 Aug 2025 18:17:19 GMT

Now that I re-read your post, I believe NAT could be the issue. Make sure vpnsubnet object is natted in smart console, just do behind gateway.

Andy

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Thu, 21 Aug 2025 18:23:31 GMT

VPN clients when connected, can access anything just fine on the network, without a NAT. It's when for example my PC on the Lan tries to connect to a VPN client, that it does not work. Ping, remote desktop, anything....does not work.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Thu, 21 Aug 2025 18:41:23 GMT

Ah, got it now...so can you do this when trying on the fw (or if its cluster, whichever is active atm)

fw ctl zdebug + drop | grep x.x.x.x

Just replace x.x.x.x with IP you are trying to connect to

ctrl+c to stop

Andy

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Thu, 21 Aug 2025 19:28:40 GMT

Nothing showed up in dubug on the cluster. Attached log showing traffic being encrypted to the vpn client.

Checked trac logs on the client, nothing with my source IP in it.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Thu, 21 Aug 2025 19:31:15 GMT

Client is E88.30

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Thu, 21 Aug 2025 19:36:28 GMT

Can you attach full log please? Also, maybe worth trying E89 client version as a test.

Andy

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Thu, 21 Aug 2025 19:46:18 GMT

Now that I think about it, lets start with basics, as they say.

1) what subnet is assigned for vpn clients?

2) when connection fails to connect back from lan, what do you see when running route print from your machine?

3) If you run ip r g and then IP of the vpn client, does it show correct info? ie : ip r g 10.10.10.50

4) if no drops are observed, then we can say with high confidence that rules are fine, but to be 100% sure, you can run example 1 from below link on the fw itself, just add dst IP as well, ipp can be 0

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm

Andy

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

jb8578 — Fri, 22 Aug 2025 12:50:51 GMT

Logs attached.

Tried E89 and no change.

Re: Traffic initiated from Lan to VPN Endpoint Client Blocked

the_rock — Fri, 22 Aug 2025 13:39:34 GMT

I meant smart console log.