topic Re: Route Based VPN Network SA no route in General Topics

Route Based VPN Network SA no route

Henrik_J — Mon, 01 Sep 2025 12:11:51 GMT

Hello!

We are having performance issues with a VPN tunnel solution up to Azure.

So we thought about setting another tunnel up so we can lab / troubleshoot on a designated test network.

Weirdly enough, when the new tunnel was set up (route based), we saw an SA negotiated between one random on prem network and one random Azure network.

This affected production traffic.

What's even weirder, is that when I issued netstat -arn as well as show route in gaia, there were no routes pointing ot the new VPNT-interface, nor had BGP gone up.

BGP is strictly configured with export and import route maps as well, but the neighborship was never formed, nor any routes installed.

I will look into this more tomorrow, but from my understanding, the same VNG was used on the Azure end.

So my question being .... if the Azure VNG initiated an SA between on prem-network A and Azure Network B.

Would Check Point accept that?

In the VPN Community, we have set up One VPN Tunnel per GW, it's also a seperate VPN Community than the other tunnel.
The VPN Domains on both ends have been set to empty groups.

Anyone seen anything similar ?
Anyone can explain how these SAs even formed even without routes being in place?

Re: Route Based VPN Network SA no route

emmap — Tue, 02 Sep 2025 01:08:41 GMT

If you have empty encryption domains on the gateways in the community and this is happening then I would suggest that this would need some VPN debugging etc to get to the bottom of it. TAC can assist with that.

Re: Route Based VPN Network SA no route

the_rock — Tue, 02 Sep 2025 01:11:33 GMT

See if the link I made about this last year helps. Im fairly familiar with aws and azure vpn tunnels, since I must have done close to 50 of them : - )

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: Route Based VPN Network SA no route

the_rock — Tue, 02 Sep 2025 13:30:55 GMT

Also, forgot to mention, for what is worth, I would always use numbered VTIs, as I found with unnumbered ones, it usually works way better if BGP is involved through the tunnel.

Andy

Re: Route Based VPN Network SA no route

Henrik_J — Tue, 02 Sep 2025 13:38:56 GMT

Thank you!

I had time today with the customer to investigate further.

From what I saw from the logs, it looks like Azure was (is) trying to establish the tunnel constantly.
It seems that there was a misconfiguration on the Azure end stating that there some "remote networks" (on prem) behind this new VPN tunnel.

We are setting up a maintenance window to investigate this further, but what I think is happening, is that Azure is actively trying to form SAs towards these on-prem networks as they are defined as remote networks.

While Check Point seems to gladly agree, even if there are no routes in place.

So seemingly peers can affect the SA negotiation like this.

I'll get back once we've tested this more thoroughly.

Re: Route Based VPN Network SA no route

the_rock — Tue, 02 Sep 2025 13:38:24 GMT

Ok, got it! Well, its worth trying on CP end, something like below:

say Azure end is, as an example 10.10.10.0, you can add route in web UI to 10.10.10.0/24 using VTI as DG, just select the right interface.

Andy