This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tran_Van_Thang
Explorer
‎2019-05-28 10:58 AM

Can't ping to a host behind center gateway of VPN Site to Site from satellite gateway

Hi all,

I have a problem when setup VPN site to site.

Site A (HQ) connects to other branches (I name them site B from here) via WAN link. 

Normally, internet traffic will go out on each gateway at each site and intranet traffic will route through WAN. 

Then I setup a star VPN site-to-site with site A (center gateway) and other sites  B (satellite) and this is a backup link when WAN link is down.

I have made all test connection between hosts behind these gateways when WAN down, and all passed.

But then I found that, all satellite gateway B can't ping to any hosts behind the center gateway

When I traceroute, the traffic flows through VPN link not WAN link as before setup VPN site-to-site.I think this is  because the VPN domain has higher priority.

Now all satellite gateway B can't access to AD so that Identity Awareness set up before have failed. 

I have tried removing the AD subnet from VPN domain in center gateway but no hope, and the traffic also flows through the VPN site to site link, not back to WAN link (the internal interface of center gateway is on the same subnet of AD).

 

Please advise me on this issue.

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-06-03 10:10 AM

Is this a domain-based VPN or a route-based VPN?
In general, domain VPN routes have higher priority.
Possible you may need to use a route-based VPN configuration for this.
0 Kudos
Vladimir
Champion
Champion
‎2019-06-03 10:29 AM

Please provide the actual topology diagram.

Depending on how the WAN is configured, what the default gateways of the hosts at each site are and if you are using dynamic routing, the behavior may differ significantly.

 

I am particularly interested in seeing any and all routing devices that may be traversed by the local and WAN traffic.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-03 11:16 AM
In response to Vladimir

There are 2 options to make this work properly:
Setup route based VPN's with dynamic routing and use proper priorities for the different links
Have the MPLS provider setup VPN's through your FW's to the other sites using DM-VPN (Cisco's mesh topology) if they are willing.

The latter does require a free IP to be able to be used for NAT to/from those routers.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events