topic Re: Stuck at 47% when RA VPN from internal network in SASE and Remote Access

Stuck at 47% when RA VPN from internal network

Mk_83 — Fri, 27 Sep 2024 05:50:24 GMT

Hello everyone,

Thanks for your attention to this matter.

Currently I'm unable connect Remote Access VPN from my internal network, although when I'm tried to connect from external, at home still successfully.

Product: 6600 appliance
Version: R81.20 take 84
Endpoint Security version E86.50, 88.40,...

Connect RA VPN using NATed IP (Statically NATed by ISP-Peplink)

When connecting to RA VPN from a device in the internal network, it gets stuck at 47% "User *** authenticated by FireWall-1 authentication".

Then failed:

Log showing no error:

Already tried:

- In Global properties > RA > Enable Back Connections (from gateway to client).

- Set "No" at Network location awareness.

https://support.checkpoint.com/results/sk/sk129492
https://support.checkpoint.com/results/sk/sk156172
https://support.checkpoint.com/results/sk/sk92716
https://support.checkpoint.com/results/sk/sk160672

- Open with TAC still no luck

When I tried to use internal interface IP for create a site to connect, it success one time only: success => disconnect => connected again -> stuck at 47% -> failed => delete site => create new again => connect success => ... loop

Note: Problem happen only connect from internal network and our policy needed to RA VPN from internal to access some server.

Does anyone facing this problem before, please help me.

Thank you so much and have a great day!

Best regards,

Kha

Re: Stuck at 47% when RA VPN from internal network

AkosBakos — Fri, 27 Sep 2024 15:59:39 GMT

Hi @Mk_83

Did you dump the connection process on the RA gateway?

What is under IPsec VPN ->Link Selection?

I suppose that, when you create a VPNsite with internal address ->the connection succeded for the first time -> at this time the client downloads the topology -> because of the newly downloaded topology setting, the second try will be fail.

This is my first first guess 🙂

Akos

Re: Stuck at 47% when RA VPN from internal network

the_rock — Fri, 27 Sep 2024 13:05:25 GMT

Does it make any difference if you try delete/recreate the site?

Andy

Re: Stuck at 47% when RA VPN from internal network

Mk_83 — Mon, 30 Sep 2024 13:18:46 GMT

Hello Akos,

I really appreciate your help.

Can you guide me how to dump the connection process on the RA gateway?

Under IPsec VPN ->Link Selection -> Always use this IP Address -> Statically NATed IP: IP NATed by ISP-Peplink (x.x.x.x).

I saw in the first time connect the log showing source from exactly IP of my device, but the second time the source is IP that connect with Checkpoint interface of Peplink (exam: checkpoint 172.16.9.8 ; peplink: 172.16.9.9). The second time try connect using internal IP, and connect using NAT IP always showing the source is 172.16.9.9. I still don't know why it redirect to that.

Do you have any ideals for this?

Thanks & Best Regard,

Kha

Re: Stuck at 47% when RA VPN from internal network

Mk_83 — Mon, 30 Sep 2024 13:26:15 GMT

Hello the_rock,

I check and see it's not have any difference when I'm tried delete/recreate the site, the difference here when I try to connect the second time.

But that delete/recreate only happen when we using internal IP, if using NAT IP its couldn't connect even from the first time. And it also doesn't make sense for us to force users to manually change their connection IP (or delete/recreate) when they work from home and at office.

We still want to use NAT IP to connect successfully from outside and inside the internal network.

Have you ever tried this problem before? Or if you have any ideals, please help us.

Thanks & Best Regards,

Kha

Re: Stuck at 47% when RA VPN from internal network

the_rock — Mon, 30 Sep 2024 13:31:36 GMT

Wait a second...why do you have a need to do this INTERNALLY??

Andy

Re: Stuck at 47% when RA VPN from internal network

Mk_83 — Mon, 30 Sep 2024 13:41:09 GMT

Hello the_rock,

I know this is quite strange.
But because my company's policy has been like that since before, our environment is a school, each wifi zone will only be able to connect to its own partition, so when teachers or staff go to another wifi zone to teach/work, they sometimes need remote access from the inside because some places do not allow direct access to their resources.

It can be said that our network system planning is not good, but I remember that in my previous workplaces using Checkpoint, I could still VPN from the inside, so I am thinking that this is not a limitation of Checkpoint but this is a error somewhere.

Thanks & Best regards,

Kha

Re: Stuck at 47% when RA VPN from internal network

the_rock — Mon, 30 Sep 2024 13:50:08 GMT

Hey Kha,

No, thats totally FAIR, I understand now. Sorry, was not trying to be "intrusive" about it, just wanted to make sure logic is there.

Anyway, may have to do with below setting in global properties...can you see how its configured? I know clients I helped with this in the past would have their INTERNAL network listed in the group I pointed out to.

Andy

Re: Stuck at 47% when RA VPN from internal network

PhoneBoy — Mon, 30 Sep 2024 14:47:55 GMT

This might be what you need to here: https://support.checkpoint.com/results/sk/sk103440

You would need a single FDQN in your DNS that:

Resolves externally to the NAT IP
Resolves internally to the real IP