
VPN client of a service provider is blocked by the IPS Blade

Hello everybody,

We implemented a VPN client for a VPN connection to a service provider on a client in our network. It is the SonicWall VPN Client. The client establishes an IPSec connection to the service provider.

Now the following problem: if you want to establish a connection, the request is rejected by the IPS Blade of our Checkpoint with the notice "IP Fragments". If you want to add an exception for this case, this will be rejected by the Checkpoint. No exception is possible for this protection.

Does anyone have any idea why this might be?

Thanks, Alex

Accepted Solutions
Admin

Re: VPN client of a service provider is blocked by the IPS Blade


IP Fragments is not really an IPS protection, it's a basic protocol validation that we've had well before we had IPS (including SmartDefense).

It does not support exceptions as a result. 

In R80.x management, it is listed under Inspection Settings.

You can tune the handling of fragments, however:

Your best bet is to somehow disable fragmentation on the SonicWall client.

Not sure if they provide a way to do that.

5 Replies
Re: VPN client of a service provider is blocked by the IPS Blade


The whole issue with VPN clients is that they create overhead, so any valid maximum-sized packet needs to be fragmented to fit inside the VPN encapsulation.

So this is a tricky thing.

0 Kudos
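
The overhead described in the reply above, worked through as an added example (not part of the thread and not Check Point or SonicWall code). It assumes ESP tunnel mode over IPv4 with the RFC 4303 packet layout; the transform table and the 1500-byte path MTU are assumptions, since the thread does not say what the client negotiates.

```python
# Added example: size of an ESP tunnel-mode packet and the largest inner
# packet that avoids fragmentation of the outer packet.
# Assumption: the transforms below are common IPsec choices, not values
# taken from the thread.

OUTER_IPV4 = 20   # outer IPv4 header without options
NATT_UDP = 8      # UDP header added when NAT traversal (UDP/4500) is used
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte

# transform name: (IV bytes, padding alignment in bytes, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}


def esp_packet_size(inner_len, transform, nat_t=True):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    # Inner packet plus trailer is padded up to the alignment boundary.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    size = OUTER_IPV4 + ESP_HEADER + iv + padded + icv
    return size + (NATT_UDP if nat_t else 0)


def max_inner_without_fragmentation(path_mtu, transform, nat_t=True):
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    iv, align, icv = TRANSFORMS[transform]
    fixed = OUTER_IPV4 + ESP_HEADER + iv + icv + (NATT_UDP if nat_t else 0)
    room = (path_mtu - fixed) // align * align  # space for padded payload
    return room - ESP_TRAILER


def needs_fragmentation(inner_len, path_mtu, transform, nat_t=True):
    """True if the encapsulated packet exceeds the path MTU."""
    return esp_packet_size(inner_len, transform, nat_t) > path_mtu


if __name__ == "__main__":
    mtu = 1500  # assumed Ethernet path MTU
    for name in TRANSFORMS:
        print(f"{name}: full-size inner packet -> "
              f"{esp_packet_size(mtu, name)} bytes on the wire, "
              f"largest unfragmented inner packet = "
              f"{max_inner_without_fragmentation(mtu, name)} bytes")
```

Under these assumptions a full 1500-byte inner packet always exceeds a 1500-byte path MTU once encapsulated, which is why the gateway sees IP fragments unless the client lowers its tunnel MTU or otherwise avoids fragmenting.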

Re: VPN client of a service provider is blocked by the IPS Blade


Thank you for the answer.

You can disable fragmentation in the VPN client. After that, IPS did not block traffic anymore.

Best Regards

Alex

Re: VPN client of a service provider is blocked by the IPS Blade


I have an SMB box whose model number is L-50WD.

When I turn it on, it does not show anything. Through the console it shows some encrypted codes and I can't do anything.

Please suggest what I should do.

0 Kudos
Admin

Re: VPN client of a service provider is blocked by the IPS Blade


This is completely unrelated to the original question.

Please post what you're seeing on the console in the SMB and SMP space in a new thread.

0 Kudos