topic Re: SMB and Reboot in Spark Firewall (SMB)

SMB and Reboot

Moudar — Thu, 27 Jun 2024 13:21:58 GMT

Hi there,

I'm experiencing an issue with my SMB device. After a reboot, it takes approximately 30 minutes for the VPN tunnel to become operational again.

Is there a specific setting or timer that could be adjusted to expedite the VPN tunnel re-establishment process? Or, is this a known limitation ?

Re: SMB and Reboot

Chris_Atkinson — Thu, 27 Jun 2024 13:35:35 GMT

Specific settings mismatches as side a DAIP gateway VPN scenario will often be slower but 30-minutes seems excessive.

sk167473 explains the reasons in part, only one side can initiate the VPN and there is a need for DPD.

What version/build is the gateway appliance?

Re: SMB and Reboot

Moudar — Thu, 27 Jun 2024 13:59:22 GMT

show software-version
This is Check Point's 1590 Appliance R81.10.07 - Build 397

Re: SMB and Reboot

Chris_Atkinson — Thu, 27 Jun 2024 15:36:52 GMT

For awareness per sk179615...

R81.10.08 is the current recommended release and R81.10.10 is the latest.

Something else to consider if the issue persists after investigating the DAIP / DPD elements perhaps.

Re: SMB and Reboot

Moudar — Thu, 27 Jun 2024 14:32:56 GMT

this how my routing table looks like, when everything is ok.

netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default ua-113-113-192- 0.0.0.0 UG 0 0 0 WAN 10.0.0.0 192.168.4.10 255.0.0.0 UG 0 0 0 vpnt10 192.168.3.0 * 255.255.255.0 U 0 0 0 LAN1 192.168.4.10 * 255.255.255.255 UH 0 0 0 vpnt10 113.113.192.0 * 255.255.224.0 U 0 0 0 WAN

When the gateway reboots the routing table looks like this for about 30 min:

netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default 113.113.192.1 0.0.0.0 UG 0 0 0 WAN 10.0.0.0 192.168.4.10 255.0.0.0 UG 0 0 0 vpnt10 192.168.3.0 * 255.255.255.0 U 0 0 0 LAN1 192.168.4.10 * 255.255.255.255 UH 0 0 0 vpnt10 113.113.192.0 * 255.255.224.0 U 0 0 0 WAN

after about 30 mins it changes and works again

any ideas?

what is the difference between 113.113.192.1 and ua-113-113-192- ?

Re: SMB and Reboot

PhoneBoy — Thu, 27 Jun 2024 16:59:08 GMT

Try netstat -rn when everything's ok.
I'm guessing it'll be the same in both cases.

That suggests DNS is related to this issue.
You should check if DNS is working when the issue is occurring.

Re: SMB and Reboot

Moudar — Thu, 27 Jun 2024 18:30:22 GMT

So, when using netstat -rn the result is the same as netstat -r when things are not working:

What DNS talking we about here? Is it my ISP DNS?

I could not resolve "ua-113-113-192-":

nslookup ua-113-113-192- 8.8.8.8 Server: dns.google Address: 8.8.8.8 *** dns.google can't find ua-113-113-192-: Non-existent domain

on SMB, DNS is configured like this:

show dns mode: global proxy: on resolving: on primary ipv4-address: 10.8.0.12 secondary ipv4-address: 8.8.8.8 tertiary ipv4-address:

Where 10.8.0.12 is the our internal DNS server behind the central gateway

So,When the issue occurs, no pings can reach any destination:

ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes ^C --- 8.8.8.8 ping statistics --- 6 packets transmitted, 0 packets received, 100% packet loss Gateway-ID-7FB7C2DC> ping google.com ping: bad address 'google.com'

Re: SMB and Reboot

Lesley — Thu, 27 Jun 2024 20:20:34 GMT

Looks like after reboot internet is not working. Is this correct understanding?

Then we do not need to troubleshoot VPN issues but ISP issues maybe?

DNS is internal IP i see so that would go via tunnel that is down? That leaves you with 8.8.8.8 that also is not working.

Can you confirm if internet is working after reboot?

Re: SMB and Reboot

Moudar — Thu, 27 Jun 2024 21:29:47 GMT

After reboot nothing works!

ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes ^C --- 8.8.8.8 ping statistics --- 10 packets transmitted, 0 packets received, 100% packet loss

Internet is not working directly after reboot, but it works after about 25-30 minutes when everything else start to work

so netstat -r looks like this directly after reboot:

netstat -r looks like this after 25-30 minutes when everything start to work:

Re: SMB and Reboot

JP_Rex — Fri, 28 Jun 2024 07:38:36 GMT

Hello,

I have seen this behavior before.

Do not use a DNS behind a VPN you have to create yourself. It does not work (chicken / egg) consistently. and especially if you need DNS to create the Tunnel it gets weird.

On the GW just use internet DNS servers (from your ISP, Google,...) behind the GW you can publish the internal DNS via DHCP.

Best Regards
Peter

Re: SMB and Reboot

Chris_Atkinson — Fri, 28 Jun 2024 14:29:12 GMT

Good tip, indeed these DNS servers should have specific routes for them outside the VPN.

Re: SMB and Reboot

Moudar — Sun, 30 Jun 2024 17:01:34 GMT

I did as you said, the time it takes to move from 113.113.192.1 to ua-113-113-192- is now about 20 minutes!

Is that normal? Or should I do something more?

show dns mode: global proxy: on resolving: on primary ipv4-address: 8.8.8.8 secondary ipv4-address: 8.8.8.8 tertiary ipv4-address:

What about (mode) global or internet, does that have any thing to do with this problem?

Re: SMB and Reboot

Lesley — Mon, 01 Jul 2024 21:35:32 GMT

The fact you cannot ping 8.8.8.8 or any other IP's after reboot tells me there is an internet access issue. The DNS and VPN not working is just an outcome of not working internet.

You should focus on this to be honest. Is it cluster? Maybe make packet capture on WAN interface to see what is going on.

If internet not working try to atleast ping DG to see if that is working:

113.113.192.1