HI Vladimir ,

please find the topology..

The Arrows segregating both network (2 different networks) .There is no internet connection,2 separate lease lines With Different brand FW VPN client able to connect , same implementation done with Checkpoint firewall instead of WAN int in fig 1 ,using LAN 5 as show in fig 5.

All required rules allowed(selected strict option) ,able to ping until ISP interfaces  ,icmp not allowed dst ip ,while try to establish VPN connection can see out going traffic for ex: PC A to dst ip 172.20.106.234 as per logs which in shared to before .

same issue for both networks

Not able to find where the incoming traffic dropping ...SSL VPN client not connecting  its showing not responded .

Firewall is Checkpoint 750 small business firewall ,R77.20.

kindly share if got any idea ....

"Strict" policy explicitly prohibits all internal networks from talking to each other, so we'll have to dig a bit to figure out what is going on.

the IP you are showing is the RFC1918 address, so you are not going over connections to ISPs, but private lines that should be connected to other internal interfaces.

To verify, please include screenshots of:

Your routing settings:

Your configuration for ISP redundancy and NAT for the gateway, i.e.:

SSL Inspection Policy and Inspections:

And Firewall NAT policy settings (same screenshot as depicted here) and NAT Rules (3):

If the settings in the above section (2) are set to "On", turn it off, apply settings and try again.

Change Access Control Policy from "Strict" to "Standard" and attempt to establish SSL VPN.

For troubleshooting, use "fw monitor" command (please lookup sk describing its usage). The iIoO depicting traversal of the firewall's interfaces.

[Expert@drawbridge]# fw monitor -e "src=172.20.106.234 or dst=72.30.35.10 ,accept;"
fw: getting filter (from command line)
fw: compiling
monitorfilter:
Compiled OK.
fw: loading
fw: monitoring (control-C to stop)
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=1 seq=3195
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13357
ICMP: type=8 code=0 echo request id=12540 seq=3195
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=1 seq=3196
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13358
ICMP: type=8 code=0 echo request id=12540 seq=3196
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=1 seq=3197
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13359
ICMP: type=8 code=0 echo request id=12540 seq=3197
[vs_0][fw_0] LAN1:i[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] LAN1:I[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:o[60]: 192.168.7.148 -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=1 seq=3198
[vs_0][fw_0] WAN:O[60]: aaa.aaa.aaa.aaa -> 72.30.35.10 (ICMP) len=60 id=13360
ICMP: type=8 code=0 echo request id=12540 seq=3198

If changing the policy from "Strict" to "Standard" worked, look closer at the rules you've created while using "Strict" policy.

• In this scenario there is no ISP redundancy , here PC A,PC B should communicate respective dst as show in figure with arrows. ( as mention 1 and 2 in fig),here 1 and 2 are separated  network .
• that's why implemented with LAN 5 ( separated from LAN Switch ),DMZ instead using WAN int ( for example 1 as shown fig ) .
• also tried with standard policy and with INT WAN (instead of LAN 5 ) for Network 1 able to ping to ISP 1 interface directly connected INTERFACE.Can not initiate VPN .
• Until Firewall interface only under my control from LAN PC's .
• Routing are directly connected ,
• NAT is turned off as you mentioned .
• The option which you mentioned SSL VPN inspection need to check with HTTPS categorization mode on my side weather how its working
• With same setup will check with Standard Policy .

Thanks for your valuable replies ..

I do not think 750 appliance are capable of running R80.10.

My money is on simple configuration error.

Nah, those 700 SMB GW’a are running on Gaia embedded R77.20.x and not (yet) on R80.

I just saw you were using tcpdump with parametre -Penni and it also generated an error. This Tim Hall found as a bug. I dont know if this could be the issue. 

I would have removed the parametre to first see if traffic flows as expected.

I think Vladimir Yakovlev got a point about a misconfiguration.

Thanks

Kim