topic Re: I cannot connect to the internal network after disconnecting from the VPN endpoint in SASE and Remote Access

I cannot connect to the internal network after disconnecting from the VPN endpoint

DiegoFretes — Thu, 10 Jul 2025 14:29:45 GMT

I cannot connect to the internal network after disconnecting from the VPN endpoint. I have the compliance and policy server blades active.

Apparently disconnecting from the vpn does not remove the vpn gw from your routing table, only by uninstalling the endpoint and rebooting the computer can you reconnect to the internal resources.

Anyone had a similar case or could guide me to the resolution of this case?

route print connected to the vpn:

Route print disconected to the vpn:

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

Chris_Atkinson — Thu, 10 Jul 2025 14:52:24 GMT

This would not be considered normal, have you engaged with TAC on this issue?

Please confirm OS and Endpoint client version?

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

DiegoFretes — Thu, 10 Jul 2025 18:56:38 GMT

I wanted to try to solve it before communicating with the tac.

This happens on any version of endpoint on any OS (it has happened to me on windows as well as on MAC).

In the specific case of the shared images, it is windows10 and E88.70.

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

the_rock — Thu, 10 Jul 2025 19:20:20 GMT

One sec, just to make sure I get this right. Its totally normal if you are remote once you disconnect that access breaks. Now, if you are at the office, it would make no sense to connect to VPN to begin with...am I missing something?

Andy

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

DiegoFretes — Thu, 10 Jul 2025 19:24:17 GMT

Here's what happens:
In the evening, I log on from home for work, connect to the VPN, finish my tasks and log off.
The next day, I go back to the office, but I can no longer access any office resources without having to uninstall the vpn agent.

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

the_rock — Thu, 10 Jul 2025 19:27:17 GMT

Ah, got it, makes sense now. I would try E89 client, if no luck, would 100% open TAC case. Just to be positive its not PC issue, maybe try same client on another machine, see if issue is there.

Andy

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

PhoneBoy — Thu, 10 Jul 2025 19:35:45 GMT

This is a function of the site you are connecting to, which can do things like restrict your ability to use the Internet when not connected to the VPN.
The administrator can allow access to the local network with something like: https://support.checkpoint.com/results/sk/sk130832

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

the_rock — Thu, 10 Jul 2025 19:49:21 GMT

Hey @PhoneBoy

I always wondered about that and forgive me if this may sound like a dumb question, but I always thought if hub mode is off (split tunnel), that option would be always greyed out and when connected to VPN, ONLY local access would work. By local, I meant whatever is allowed behind the CP gateway/cluster.

No?

Andy

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

PhoneBoy — Thu, 10 Jul 2025 20:13:05 GMT

Hub Mode means Route All Traffic when enabled.
That setting can be left settable by the end user (so-called Client Decide) or it can be forced.
Once you connect to a site that requires/forces the Route All Traffic setting, you cannot disable it.

The ability for the remote access client to connect to their local network is only permitted in Hub Mode if the relevant option is set as described.

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

the_rock — Thu, 10 Jul 2025 20:25:18 GMT

Right right, thats true, but I think you confirmed what I suspected...if hub mode is off, then there does not seem to be the need to modify anything with the file.

Andy

Re: I cannot connect to the internal network after disconnecting from the VPN endpoint

DiegoFretes — Mon, 21 Jul 2025 17:24:01 GMT

I found in the cpinfo that the endpoint has in the desktop policy a rule called rule 3 that denies the traffic. But I don't see this rule in the desktop policy in the smartdashboard. Is there any way to remove it by console?

)

:rule-3 (

:src ()

:dst (

:compound (

: ("All Users"

:type (usrgroup)

:at (Any

:type ()

:ipaddr ()

)

:svc ()

:act (Block)

:trk (None)