Explorer

CheckPoint Cluster - VPN starts working after 1 hour

Hey guys! I have the following issue.

Remote Access VPN with Check Point Mobile connects just fine, and even pings to the internal network are successful, but nothing else works. SSH is not working to any internal network device, nor is HTTP/HTTPS or any other protocol.

It started to happen after I had configured a new subinterface with a public IP (we changed one of our ISPs). Initially I noticed "TCP out of state" messages in the logs when traffic went from the internal network --> VPN client. I disabled the option to drop TCP out-of-state packets, and now the logs show that everything is OK (only that address spoofing is detected, but it is configured not to drop that kind of traffic). But the situation stays the same. Firewall rules are OK and no other change was made.

Now the interesting thing: if I install a policy, even when no change has been made, it starts working. It also starts working exactly 1 hour after the VPN client connected, without any additional move.

I assume there might be an issue with the TCP connections table, and maybe the TCP session timeout (set to 3600 sec) is somehow involved, but I have no idea how to solve that.

Summary:

Pings are working through the VPN but nothing else. Everything starts working after an empty policy installation or 1 hour after the VPN client connected.

We run 4400s in a cluster (Active/Standby) and the software is R77.30. I appreciate any advice!
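The connections-table and 3600-second-timeout hypothesis in this post, worked through as an added example (this is not code from the thread and not Check Point's implementation): a toy stateful-inspection connection table in Python. Everything about its behaviour is an assumption made for the illustration: one entry per connection serving both directions, the egress interface per direction cached when the SYN is seen, a non-SYN segment with no matching entry counted as "TCP out of state", a policy install that flushes the table, and idle entries expiring after TCP_TIMEOUT seconds. The addresses, ports and interface names (LAN, sub_old, sub_new) are constructed sample data.

```python
"""Toy stateful-inspection connection table (added example, not Check Point code).
Assumed behaviour, chosen to illustrate the post's hypothesis: one entry per
connection serving both directions, egress per direction cached at the SYN,
a non-SYN segment with no entry counted as "TCP out of state", a policy
install that flushes the table, idle entries expiring after TCP_TIMEOUT."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

TCP_TIMEOUT = 3600  # seconds; the TCP session timeout quoted in the post
Verdict = Tuple[str, Optional[str]]  # ("accept" | "drop", egress interface or None)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)

    def key(self) -> FrozenSet["Flow"]:
        return frozenset((self, self.reverse()))  # one entry serves both directions


@dataclass
class Entry:
    egress: Dict[Flow, str]  # per-direction egress chosen at setup (assumption)
    last_seen: float


class ConnTable:
    def __init__(self, route: Callable[[str], str], drop_out_of_state: bool = True) -> None:
        self.route = route                 # destination address -> egress interface
        self.drop_oos = drop_out_of_state  # the global property the poster switched off
        self.entries: Dict[FrozenSet[Flow], Entry] = {}
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.entries.items() if now - e.last_seen >= TCP_TIMEOUT]:
            self.log.append(f"t={now}: entry idle for {TCP_TIMEOUT}s removed")
            del self.entries[key]

    def policy_install(self, now: float) -> None:
        self.log.append(f"t={now}: policy install flushed {len(self.entries)} entries")
        self.entries.clear()  # assumption: install discards existing connection state

    def packet(self, flow: Flow, now: float, syn: bool = False) -> Verdict:
        """Return (verdict, egress) for one TCP segment arriving at time `now`."""
        self._expire(now)
        entry = self.entries.get(flow.key())
        if entry is not None:
            entry.last_seen = now
            return "accept", entry.egress[flow]  # cached decision, even if stale
        if syn:
            egress = {flow: self.route(flow.dst), flow.reverse(): self.route(flow.src)}
            self.entries[flow.key()] = Entry(egress, now)
            return "accept", egress[flow]
        verdict = "drop" if self.drop_oos else "accept"
        self.log.append(f"t={now}: TCP out of state {flow.src}:{flow.sport}->"
                        f"{flow.dst}:{flow.dport} {verdict}")
        # no entry is created either way, so the flow still has no state
        return verdict, (self.route(flow.dst) if verdict == "accept" else None)


# Constructed sample addresses: internal SSH server, VPN client whose return
# path moved from the old public subinterface to the new one.
SERVER, CLIENT = "10.1.1.10", "192.0.2.25"
CLIENT_TO_SERVER = Flow(CLIENT, 40000, SERVER, 22)
SERVER_TO_CLIENT = CLIENT_TO_SERVER.reverse()


def stale_table(drop_out_of_state: bool = True) -> ConnTable:
    """A table holding one SSH connection that was set up before the ISP change."""
    routes = {SERVER: "LAN", CLIENT: "sub_old"}
    table = ConnTable(lambda dst: routes[dst], drop_out_of_state)
    table.packet(CLIENT_TO_SERVER, now=0, syn=True)
    routes[CLIENT] = "sub_new"  # ISP changed: the route now points at the new subinterface
    return table


def scenario() -> Dict[str, Verdict]:
    out: Dict[str, Verdict] = {}
    table = stale_table()
    out["reply_after_change"] = table.packet(SERVER_TO_CLIENT, now=60)     # stale sub_old
    orphan = Flow(CLIENT, 40001, SERVER, 443)                               # SYN never seen
    out["orphan_ack"] = table.packet(orphan, now=120)                        # TCP out of state
    table.policy_install(now=300)
    table.packet(CLIENT_TO_SERVER, now=301, syn=True)
    out["reply_after_install"] = table.packet(SERVER_TO_CLIENT, now=302)    # fresh: sub_new

    table = stale_table()
    table.packet(CLIENT_TO_SERVER, now=3599, syn=True)    # retry keeps the stale entry alive
    out["reply_before_timeout"] = table.packet(SERVER_TO_CLIENT, now=3600)  # still sub_old
    out["reply_after_timeout"] = table.packet(SERVER_TO_CLIENT, now=7200)   # entry expired
    table.packet(CLIENT_TO_SERVER, now=7201, syn=True)
    out["reply_after_new_syn"] = table.packet(SERVER_TO_CLIENT, now=7202)   # sub_new

    lenient = stale_table(drop_out_of_state=False)
    out["orphan_ack_drop_disabled"] = lenient.packet(orphan, now=120)        # accepted, no state
    return out
```

Running `scenario()` shows the three behaviours the post describes under these assumptions: a reply on the pre-change connection keeps leaving via sub_old until the entry is flushed by `policy_install` or idles out after TCP_TIMEOUT, a retry that reuses the same 5-tuple only refreshes the stale entry, and switching off the out-of-state drop turns the log line from drop to accept without giving the flow any state.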

4 Replies
Contributor

Hello.

Firstly, make sure you start looking at upgrading from R77.30. You are starting to fall behind, with R81 due to be released soon.

When you added the subinterface, did you do a 'get topology' within the cluster object settings? This will make sure the cluster and the policy are aware of the subinterface and its routes.

Are you seeing any drop logs for the SSH traffic, for example? If so, can you share them?

You shouldn't generally be turning off TCP out of state; turning it off is very much a workaround for a problem that needs fixing.

TCP OoS can have a few reasons, but most typically asymmetrical routing, which could be related to topology settings not being pulled down after adding the subinterface.

Explorer

Yes, I did "get topology". I have even deleted the old subinterface and done "get topology" again, just in case. No drop logs at all for SSH or HTTPS. I'm just wondering how it was working before and why it is broken now. The only thing that has changed is that the new subinterface was added, and that's it. And despite the fact that asymmetrical routing might be in place, it starts working as expected after 1 hour or after a click on "policy install" in SmartDashboard. How and why?

Contributor

I would strongly look at your options and upgrade to a supported version, i.e. R80.10.

Is your encryption domain set correctly?

Do you have any NAT going on? Do you have a no-NAT rule in place for your remote access subnet?

Little things like this remind me of issues in R77.30, and as you will know, TAC will not support you as you are out of support.

Admin

There is zero reason to upgrade to R80.10 at this point, as it will be End of Support in mid-2021.
You should definitely be off R77.30 at this point as it has been End of Support for over a year now.