This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MattElkington
Contributor
‎2020-10-07 10:32 AM

R80.40, SecureXL, VTI and Dynamic Routing

Has anyone run into issues using dynamic routing and VTIs post R80.10?

 

Last weekend I upgraded a customer firewall which was specifically used to terminate route based VPNs on.

 

6 VTIs configured, 4 numbered (2 for AWS, 2 for Azure), 2 unnumbered (other stuff).

Post R80.40 upgrade the unnumbered tuinnels came up fine, but both the AWS and Azure ones did not.  I could see outbound tunnels established, but nothing inbound, all of these tunnels are additionally using BGP.

Disabled SecureXL acceleration with "fwaccel off" and they leapt into life, again, enabling SecureXL and then disabling vpn acceleration with "vpn accel off" also allowed traffic to flow.

Now there may be some other issues going on, in that further examination showed that some of the BGP config was mismatched on the cluster, but I don't think it was this, as when I rolled the R80.40 member back to R80.10 it all worked again.

I have arranged a new window next weekend to re-attempt, but has anyone else run across anything like this?  It feels a weird coincidence that the VTI tunnels using dynamic routing don't work with acceleration, but the others do.

 

I'm also getting the feeling that ISP redundancy may be a bit iffy under R80.40 as well, as again I have another customer where it doesn't work correctly with acceleration turned on.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-10-07 08:07 PM

If disabling SecureXL solves a problem, the TAC should be involved.

0 Kudos
MattElkington
Contributor
‎2020-10-08 08:18 AM
In response to PhoneBoy

I have a case open with TAC, but wanted to see if anyone had seen anything similar.

I just find it strange that only the VTIs using BGP required acceleration to be disabled, but the ones without didn't.

0 Kudos
Tobias_Absmann
Explorer
‎2021-02-23 01:45 PM

Hi Matt,

I don't know if this is still relevant for you but we are experiencing similar problems:
1 Numbered VTI with Policy-based-routing:

With secureXL disabled everything works fine. With SecureXL enabled no traffic goes via the tunnel.
Our workaround right now is to disable SecureXL as it's only a very small office and the firewall can handle it easily without SecureXL, but as SecureXL can no longer be disabled persistently it's a problem after reboots (Power outages are common there)

Where you able to fix your problem?

Best regards,
Tobias

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events