https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175242#M8517 <P>Run command -&gt; ip r g 20.20.20.100 and see path its taking. Confirm first it is correct and if so, we can run fw monitor to verify.</P> Fri, 17 Mar 2023 18:32:24 GMT the_rock 2023-03-17T18:32:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175241#M8516 <P>Hi there,</P><P>I'm trying in my LAB to create a VPN from a CheckPoint Gateway and several 1570R managed by SmartProvisiong.</P><P>Every SMB is connected to a SmartProvisiong of a CMA in my MDS and use a cellular interface to reach my network.</P><P>The CheckPoint Gateway is managed by the same CMA.</P><P>&nbsp;</P><P>I followed SmartProvisioning Adming Guide, but I see only some tunnel_test packet and no other traffic.</P><P>I don't have any route to EncryptionDomain in CheckPoint Gateway even if I try to use permanent tunnel.</P><P>&nbsp;</P><P>The EncryptionDomain of the Gateway is configured with a group containing a subnet.</P><P>The EncryptionDomain on SmartLSM Gateway is configured Manual (on Topology page) witha range of IP that are used as NAT.</P><P>&nbsp;</P><P>Traffic coming to Gateway from it's EncryptionDomain is dropped as:</P><P># fw ctl zdebug + drop | grep 20.20.20.100<BR />@;389050;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 20.20.20.100:1 -&gt; 10.10.10.9:0 dropped by fw_log_ip_routing_failure Reason: IP routing failed (ipout routing failure);</P><P>Can some one help me?</P><P><BR />Regards</P><P>M</P> Fri, 17 Mar 2023 18:13:36 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175241#M8516 Marco32 2023-03-17T18:13:36Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175242#M8517 <P>Run command -&gt; ip r g 20.20.20.100 and see path its taking. Confirm first it is correct and if so, we can run fw monitor to verify.</P> Fri, 17 Mar 2023 18:32:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175242#M8517 the_rock 2023-03-17T18:32:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175243#M8518 <P>#ip r g 20.20.20.10<BR />20.20.20.100 via 10.176.2.200 dev eth1 src 10.176.2.90cache</P><P>&nbsp;</P><P>#ip r g 10.10.10.9</P><P>RTNETLINK answers: Network is unreachable</P><P>&nbsp;</P><P>20.20.20.100 is on Gateway side , 10.10.10.9 is on SMB</P><P>Traffic need to start from 20.20.20.100 to 10.10.10.9</P> Fri, 17 Mar 2023 18:35:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175243#M8518 Marco32 2023-03-17T18:35:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175245#M8519 <P>Can you draw simple diagram showing how this is configured and whats supposed to access what on the other side? Even basic paint diagram would help : - )</P> <P>Cheers.</P> <P>Andy</P> Fri, 17 Mar 2023 18:41:13 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175245#M8519 the_rock 2023-03-17T18:41:13Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175247#M8520 <P>We need to find out WHY that IP shows unreachable, thats the key here.</P> Fri, 17 Mar 2023 18:50:10 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175247#M8520 the_rock 2023-03-17T18:50:10Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175375#M8537 <P>Hi the_rock,</P><P>main issue seems that no route are present on Gateway and on SMB. I see tunnel_test from SMB to Gateway but VPN is marked as down.</P> Mon, 20 Mar 2023 10:18:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-and-SmartLSM-doesn-t-works/m-p/175375#M8537 Marco32 2023-03-20T10:18:59Z