topic Ping Request time out under vpn to azure issue in Spark Firewall (SMB) https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-Request-time-out-under-vpn-to-azure-issue/m-p/189853#M9360 <P>Dear Team,</P><P>I am facing intermittent 'Ping Request Timeout' issues within an IPsec VPN connection with Azure. The tunnel is connected. Currently, we are monitoring the VPN tunnel using ICMP ping from our on-premise Zabbix server to Azure VMs.</P><P>Initially, I attempted the following method: I set the Encryption setting to 'Default Encryption (Most Compatible)' on the Checkpoint Appliance 1880 SMB (on-premise), and on the Azure side, I also used the 'Default (IPsec/IKE) policy'. This resulted in a successful 'Tunnel is connected' status.</P><P>The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.</P><P>Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.</P><P>Initially, I observed that I could access Azure resources using ping, RDP, and SSH from the on-premise network. However, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.</P><P>As a next step, I decided to change the Default Encryption setting to a custom encryption value for both Phase 1 and Phase 2. I configured Phase 1 with AES-256, SHA-256, and DH2, and Phase 2 with AES-256, SHA-256, and PFS2 on both the Checkpoint appliance and the Azure side. This resulted in a successful 'Tunnel is connected' status.</P><P>The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.</P><P>Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.</P><P>However, the problem persisted. Initially, I could access Azure resources using ping, RDP, and SSH from the on-premise network. Nevertheless, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.</P><P>Please kindly see the attached information</P><P>Thanks to all.</P> Fri, 18 Aug 2023 06:52:35 GMT pyiephyohtay 2023-08-18T06:52:35Z Ping Request time out under vpn to azure issue https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-Request-time-out-under-vpn-to-azure-issue/m-p/189853#M9360 <P>Dear Team,</P><P>I am facing intermittent 'Ping Request Timeout' issues within an IPsec VPN connection with Azure. The tunnel is connected. Currently, we are monitoring the VPN tunnel using ICMP ping from our on-premise Zabbix server to Azure VMs.</P><P>Initially, I attempted the following method: I set the Encryption setting to 'Default Encryption (Most Compatible)' on the Checkpoint Appliance 1880 SMB (on-premise), and on the Azure side, I also used the 'Default (IPsec/IKE) policy'. This resulted in a successful 'Tunnel is connected' status.</P><P>The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.</P><P>Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.</P><P>Initially, I observed that I could access Azure resources using ping, RDP, and SSH from the on-premise network. However, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.</P><P>As a next step, I decided to change the Default Encryption setting to a custom encryption value for both Phase 1 and Phase 2. I configured Phase 1 with AES-256, SHA-256, and DH2, and Phase 2 with AES-256, SHA-256, and PFS2 on both the Checkpoint appliance and the Azure side. This resulted in a successful 'Tunnel is connected' status.</P><P>The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.</P><P>Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.</P><P>However, the problem persisted. Initially, I could access Azure resources using ping, RDP, and SSH from the on-premise network. Nevertheless, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.</P><P>Please kindly see the attached information</P><P>Thanks to all.</P> Fri, 18 Aug 2023 06:52:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-Request-time-out-under-vpn-to-azure-issue/m-p/189853#M9360 pyiephyohtay 2023-08-18T06:52:35Z Re: Ping Request time out under vpn to azure issue https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-Request-time-out-under-vpn-to-azure-issue/m-p/189855#M9361 <P>Does taking tunnel down and up again resolve it for a while? Where on the way do the ICMP packets get dropped ? Consult logs and sniffer.</P> Fri, 18 Aug 2023 08:17:15 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Ping-Request-time-out-under-vpn-to-azure-issue/m-p/189855#M9361 G_W_Albrecht 2023-08-18T08:17:15Z