This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerry
Mentor
Mentor
‎2018-07-19 05:18 AM

MSS/MTU over IPSec - issues with Office365 (on-premise)

hi chaps

got quite interesting topic and just so you know I couldn't find much of the relevance by folloing sk: sk98074

my customer has Office365 (office.us) on premise infrastructure in US which can be easily accessed via MPLS and directly connected hub-and-spoke networks - but this is it. Clients (PC/Laptops) which are connected via IPSec Tunnels behind little 3200 devices, terminated on A/S Cluster of 56xx (no LSM!) located where all Satelites Remote GWs forms Star Topology are UNABLE to connect to Office365 faclity (not Azure!).

I'm in a position to say that intermittent circumstances where some of the "wired" clients are unable to use Office365 happens only on those computers which are behind VPN Star topology networks so literally behind 3200 R80.10 gateways (Centrally managed by MDS Management HA).

any ideas how to troubleshoot and resolve such inconvinience would be highly appreciated.

I solely believe I'm not the only one having such issues with Office365 and MSS/MTU issues (1500 vs 14xx values).

Bear in mind that I do know very well that this was already addressed when designing R80.10 and it affected mainly those behind R77.30 platforms.

Thanks in advance

Jerry

ps. YES, I'm very much aware of this post as well:

https://community.checkpoint.com/message/10659-r8010-gateway-cant-set-simclampvpnmss

Jerry
Labels
0 Kudos
3 Replies
Marco_Valenti
Advisor
‎2018-07-19 07:22 AM

we had same issue , and the only workaround that we were able to implement is to lower mtu on some client at the moment.

Since the satellite reach internet through the central gateway at the moment seems the only available workaround.

0 Kudos
Jerry
Mentor
Mentor
‎2018-07-19 07:31 AM
In response to Marco_Valenti

excellent - yes and no Smiley Happy

1st of all - lowering MTU on 3000 PCs seems not only unreasonable but mainly against my Customer's desire

2nd - making the workaround seem to have massive impact on Customer perception of Check Point products in general Smiley Happy 

3rd - I do not believe this is the only option to be frank therefore I wish you've experienced that scenario yourself and didn't look up over the net for solutions?

Please don't get me wrong but I do not believe that the ONLY solution is to lower MTU values on 3000 PCs NICs (especially in corporate environment) - I do understand that this can be done even by GPO but I don't think Customer will be happy with that approach).

Do you guys thing that the main reason of such problems aligns with so called "WebWashers" equals "proxies" ?

I'm nearly confident that the component on my Customer's network responsible for such "poor" handling of Office365 is more or less McAfee product  

Neverthanless thanks Marco, I do appreciate your response and effort but I will be looking for multitude of options in order to present some alternative ways to my Customer giving them a time to swallow its consequences for the business and impact on productivity.

Cheers

Jerry
0 Kudos
Marco_Valenti
Advisor
‎2018-07-19 08:15 AM
In response to Jerry

As I said is a work around and not a solution to that issue that is still under investigation for us.

I understand that every environment is different so what is working for me is unacceptable for other don't get me wrong but that was just an hint for participating into the  discussion for that problem.

Regards

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events