https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/109732#M413 <P>Hi,</P><P>&nbsp;</P><P>We are hitting this limitations in Maestro architecture :</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk148074" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk148074</A></P><P>&nbsp;</P><P>-------</P><UL><LI>It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.</LI><LI>It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a a Scalable Platform 40000 / 60000 or a Maestro Security Group.</LI></UL><P>&nbsp;</P><P>-------</P><P>We are redirecting the remote access traffic to a site to site VPN.</P><P>&nbsp;</P><P><SPAN class="uiOutputText">Client VPN &lt;====Remoteaccess===&gt; 80.30SP&lt; ====SITE 2 SITE VPN======&gt; Azure GW &lt;--VNET--&gt; Server</SPAN></P><P>SG don't like and break TCP session. It's not supported&nbsp; yet, there is an RFE coming.</P><P>&nbsp;</P><P>However do you have an idea as a workaroud?</P><P>We were thinking NATting the remote access traffic behind a pool before sending it to the VPN ...</P><P>Thanks for your help</P><P>&nbsp;</P><P>JB</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Feb 2021 20:57:18 GMT jeanbruno 2021-02-03T20:57:18Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/109732#M413 <P>Hi,</P><P>&nbsp;</P><P>We are hitting this limitations in Maestro architecture :</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk148074" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk148074</A></P><P>&nbsp;</P><P>-------</P><UL><LI>It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.</LI><LI>It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a a Scalable Platform 40000 / 60000 or a Maestro Security Group.</LI></UL><P>&nbsp;</P><P>-------</P><P>We are redirecting the remote access traffic to a site to site VPN.</P><P>&nbsp;</P><P><SPAN class="uiOutputText">Client VPN &lt;====Remoteaccess===&gt; 80.30SP&lt; ====SITE 2 SITE VPN======&gt; Azure GW &lt;--VNET--&gt; Server</SPAN></P><P>SG don't like and break TCP session. It's not supported&nbsp; yet, there is an RFE coming.</P><P>&nbsp;</P><P>However do you have an idea as a workaroud?</P><P>We were thinking NATting the remote access traffic behind a pool before sending it to the VPN ...</P><P>Thanks for your help</P><P>&nbsp;</P><P>JB</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Feb 2021 20:57:18 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/109732#M413 jeanbruno 2021-02-03T20:57:18Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110454#M415 <P>i got the answer from Check Point, it's not supported on 80.30SP . A hotfix is needed with RFE...</P><P>sk147033</P><P>Thanks</P><P>&nbsp;</P> Wed, 10 Feb 2021 14:39:43 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110454#M415 jeanbruno 2021-02-10T14:39:43Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110456#M416 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/51665">@jeanbruno</a>&nbsp;<BR />Very interesting. We also have a customer with a migrated Maestro installation with a setup similar to this you described.<BR />We see packet drops after 50s (TCP End Timer value) on the packets coming from the server back to the client.<BR />You can see it with "g_fw ctl zdebug drop | grep &lt;hidenat-ip-fw&gt;"<BR />Strange is that the drops are intermittent.</P><P>Workaround for now is a incoming fw rule which allows any traffic from server to vpn-client.</P><P>Do you have the same behavior at your installation?</P><P>Thanks,<BR />Peter</P> Wed, 10 Feb 2021 14:43:21 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110456#M416 Peter_Baumann 2021-02-10T14:43:21Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110457#M417 <P>Hi Peter,</P><P>What version are you running?</P><P>I got bad TCP séquences,first SYN not seen. UDP seemed ok. i didnt do zdebug drop cause TAC confirmed the not supported topology.</P><P>Client to Site Traffic over Site to Site VPN Tunnel is supported only in 81.10 according to CP.</P> Wed, 10 Feb 2021 14:52:30 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110457#M417 jeanbruno 2021-02-10T14:52:30Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110466#M418 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/51665">@jeanbruno</a>&nbsp;<BR />Customer is using R80.30SP with JHF which exactly I cannot see since I have no access to the fw right now.</P> Wed, 10 Feb 2021 15:49:17 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110466#M418 Peter_Baumann 2021-02-10T15:49:17Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110467#M419 <P>Ok maybe same troubles than us. If you want full VPN support on 80.30SP you need to contact your sales CP and ask for the hotfix though RFE</P><P>And it can be installed only on top of Jumbo take 47.</P> Wed, 10 Feb 2021 15:57:57 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/80-30SP-and-VPN-routing/m-p/110467#M419 jeanbruno 2021-02-10T15:57:57Z