topic Azure Site to Site VPN issue. Connection seems to be ok but ping/telnet is not working in General Topics

Azure Site to Site VPN issue. Connection seems to be ok but ping/telnet is not working

Andres_Romero — Tue, 12 Jun 2018 14:51:16 GMT

Hi experts,

We have set up a S2S VPN between azure and a Checkpoint cluster 5400 R77.30 and it seems to be working, since on the azure side as well on the checkpoint side it appears connected.

As you can see in the image, even that it is connected, Azure only show Data out, which is weird since it seems that Checkpoint is not routing the traffic property.

This is confirmed when we try to ping on both sides (ping and telnet are enabled). On the customer side, a traceroute shows that the traffic is not routing properly.

The checkpoint cluster is conformed by the 200.75.50.131 (which is the ip that is routing the traffic) and the 200.75.50.132 (which is the IP that we match on the local network gateway to peer with azure).

The weirdest thing is that on the checkpoint side, traffic seems to be passing.

Is there anything that we are missing on the set up?

Thanks in advance,

Re: Azure Site to Site VPN issue. Connection seems to be ok but ping/telnet is not working

Houssameddine_1 — Tue, 12 Jun 2018 15:18:18 GMT

Checkpoint side seems to be ok to me. you need to do traffic captures to makes sure ESP traffic leaving the checkpoint on the correct interface and capture on azure and logs on azure to see if it is receiving traffic or not or the traffic is being dropped by policy on azure side.

Re: Azure Site to Site VPN issue. Connection seems to be ok but ping/telnet is not working

Andres_Romero — Tue, 12 Jun 2018 19:41:17 GMT

Thanks for your reply. I'm afraid that the customer is not an expert on Checkpoint, so I wonder if you can guide us in how they can do that traffic captures on the checkpoint side.

I'm also wonder if you know if maybe they need to set up some routing information on checkpoint, for me the traffic is stuck on the 200.75.50.131 device and it is not routing it to the gateway (200.75.50.132).

Thanks in advance,

Re: Azure Site to Site VPN issue. Connection seems to be ok but ping/telnet is not working

Houssameddine_1 — Tue, 12 Jun 2018 20:28:46 GMT

For traffic capture you can use tcpdumps and fw monitor please check the following links and you can find great examples on youtube

What is FW Monitor?

A tcpdump Tutorial and Primer with Examples - Daniel Miessler

How to use TCPDUMP Command while troubleshooting CheckPoint Gateways? - YouTube

for the routing we need to understand the topology first.

Thanks