https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214897#M10672 <P>First, uncheck "Show inactive routes" so we can see only the active routes. &nbsp;If you have inactive routes, then you have a routing protocol administrative-distance (metric) problem. &nbsp;Connected routes override static routes, which override all other routes (unless you have changed the protocol ranking manually).</P> <P>&nbsp;</P> Tue, 21 May 2024 14:14:30 GMT Duane_Toler 2024-05-21T14:14:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214893#M10671 <P><SPAN>I have the topology in the picture, and the L2TP 192.168.18.100 route is not working, and I can't open the web page. Additionally, the route to IP 10.0.219.246 is not working. I have the PCs in my office that go through the firewall via a Mikrotik port. Strangely, the SAS page on VLAN 249 with IP 10.0.200.249 opens. The other page on VLAN 219, 10.0.219.246:9082, does not open. Both are on the same logic and pass through the same router; only the VLAN changes. Could it be blocked at the port? Is an allow policy needed? The general firewall policy is to allow communication between internal interfaces. I haven't made it strict because I know it blocks everything. The 192.168.18.100:8080 that is blocked seems like the same problem. Maybe the ports need to be allowed? My PC, which goes through the Mikrotik, opens the web page with VPN. However, the PC that goes through the firewall doesn't open it. I suspect the ports are being blocked.</SPAN></P> Tue, 21 May 2024 13:34:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214893#M10671 lcako 2024-05-21T13:34:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214897#M10672 <P>First, uncheck "Show inactive routes" so we can see only the active routes. &nbsp;If you have inactive routes, then you have a routing protocol administrative-distance (metric) problem. &nbsp;Connected routes override static routes, which override all other routes (unless you have changed the protocol ranking manually).</P> <P>&nbsp;</P> Tue, 21 May 2024 14:14:30 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214897#M10672 Duane_Toler 2024-05-21T14:14:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214898#M10673 <P>i put microtik instead of firewall, and it worked with the same routing method. when i put sg1575 firewall it doesnt work. I did your solution and i dont have inactive routes and the problem is still the same</P> Tue, 21 May 2024 14:22:04 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214898#M10673 lcako 2024-05-21T14:22:04Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214899#M10674 <P>Have you checked the gateway firewall logs? &nbsp;You may have an anti-spoofing problem on some interface. &nbsp; I also see your default route is via a DMZ VLAN interface; this is unusual. &nbsp;This interface would need to be an External (Internet) topology for anti-spoofing.</P> <P>&nbsp;</P> Tue, 21 May 2024 14:32:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214899#M10674 Duane_Toler 2024-05-21T14:32:46Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214901#M10675 <P>what is strange too is that ip from route in line 9 cam be pinged. also line 8 can be pinged. line 10 , 7 and 6 cannot be pinged.&nbsp;</P> Tue, 21 May 2024 14:38:26 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214901#M10675 lcako 2024-05-21T14:38:26Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214902#M10676 <P>Which version/build firmware is this Spark device installed with?</P> Tue, 21 May 2024 15:17:32 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214902#M10676 Chris_Atkinson 2024-05-21T15:17:32Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214904#M10681 <P>After you check the logs and anti-spoofing, check the interior router and make sure it has valid return routes via the SMB 1575 gateway. &nbsp;How is your L2TP client connecting to the network; is it connecting via the SG1575 external interface, or something else? &nbsp;Check the active routes on the L2TP client to see if the routes are being installed correctly. &nbsp;You can try traceroute, but this may be ambiguous for an L2TP client, so don't fall into a trap of troubleshooting the wrong problem if traceroute fails. &nbsp;However, if it works, then that is excellent.</P> <P>&nbsp;</P> <P>If line 9 can be pinged, but others cannot, check the internal router to make sure it has interfaces in "Up" state for those VLANs. &nbsp;Check the hosts on those VLANs to make sure they can send return traffic via the internal router for your L2TP client (either default route, or something else).</P> <P>&nbsp;</P> Tue, 21 May 2024 14:42:05 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214904#M10681 Duane_Toler 2024-05-21T14:42:05Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214960#M10684 <P>i reconfigured them again and i tried to&nbsp;removed static routes , config OSPF&nbsp;from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them.</P><P> </P> Wed, 22 May 2024 07:00:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214960#M10684 lcako 2024-05-22T07:00:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214961#M10685 <P>i reconfigured them again and i tried to&nbsp;removed static routes , config OSPF&nbsp;from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them</P> Wed, 22 May 2024 07:00:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214961#M10685 lcako 2024-05-22T07:00:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214972#M10686 <P>If a path using L2TP is in the mix have you configured MSS clamping (<SPAN><A href="https://support.checkpoint.com/results/sk/sk121114" target="_self">sk121114</A>) at all</SPAN>?</P> <P>Again, are you running <A href="https://support.checkpoint.com/results/sk/sk181080" target="_self">R81.10.10</A> firmware (build <SPAN>996002906</SPAN>) or something else?</P> <P><A href="https://community.checkpoint.com/t5/SMB-Gateways-Spark/Anti-Spoofing-detection/m-p/207137#M10380" target="_blank" rel="noopener">Solved: Anti-Spoofing detection - Check Point CheckMates</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 May 2024 09:57:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214972#M10686 Chris_Atkinson 2024-05-22T09:57:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214976#M10687 <P>i did ospf routing and i found the solution&nbsp;</P> Wed, 22 May 2024 10:10:43 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214976#M10687 lcako 2024-05-22T10:10:43Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214987#M10688 <P>Ok great - what was the solution so others can understand the problem/cause better?</P> Wed, 22 May 2024 12:04:33 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/214987#M10688 Chris_Atkinson 2024-05-22T12:04:33Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/225794#M11361 <P>hello&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/101665">@lcako</a>, could you please share the solution, it will help us.</P> Thu, 05 Sep 2024 15:04:26 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Routing-Problem/m-p/225794#M11361 kristait 2024-09-05T15:04:26Z