Good Day All,
We have a challenge whereby re-authentication fails for our RA VPN clients.
Background:
Our VPN gateways (R81.20 T99 / SMS T105) are NAT'd behind perimeter gateways, so the VPN gateway "public" IPs are actually RFC1918 IPs (10.x.x.x). Furthermore, when connecting to the "internal" LAN you'll need to connect via VPN to access any resources, so external clients resolve vpn.domain.com to a public IP, and internal clients will resolve vpn.domain.com to an internal IP (external cluster interface on VPN gateways).
Both internal and external clients can log into the VPN just fine - as per the SAML login process clients get redirected to https://vpn.domain.com/saml-vpn on either the NAT'd public IP of the perimeter gateways or the internal IP of the VPN gateway, depending on whether the RA client is inside or out.
Clients complete authentication and life is good.
The problem:
The problem comes when their authentication expires (ours is set to 8h). The VPN client will attempt to re-auth by hitting https://vpn.domain.com/saml-vpn which now resolves to the internal (10.x.x.x) cluster IP. This is where we run into issues.
Even though our encryption domain includes the entire subnet in which the VPN cluster's physical and cluster interface sit, clients only get offered the physical interfaces via the encryption domain (confirmed via RA client routing table). For example, I can traceroute to the VPN gateway's physical interfaces fine, but the cluster interface breaks out via the client's local gateway.
The checkbox to "Exclude gateway's external IP address from VPN domain" is NOT selected. The VPN domain is User defined, but as mentioned includes the entire subnet on which the VPN gateways external interfaces sit.
Would appreciate any and all ideas on how we can get our RA clients to hit the external IP / SAML portal WHILST connected via VPN.
Thanks,
Ruan
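As an added example (not part of Ruan's post, and not Check Point code), here is a small Python model of the client-side check described above: longest-prefix matching over a constructed Remote Access client routing table, applied to the split-horizon answers for the portal name. All addresses, interface names and the route tables are placeholders. The first table reproduces the reported condition (only the members' physical /32s arrive as tunnel routes, so the cluster VIP falls to the default route); the second table assumes the client also received the whole subnet and shows the finding clearing.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data (placeholder addresses, not from the post).
# Client routing table after the tunnel is up: "tun0" is the VPN adapter,
# "eth0" the physical adapter. Only the cluster members' physical
# interfaces were pushed as tunnel routes, as the post describes.
CLIENT_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0",      "eth0"),  # default route via the client's local gateway
    ("192.168.1.0/24", "eth0"),  # client's own LAN
    ("10.20.0.11/32",  "tun0"),  # VPN cluster member A, physical interface
    ("10.20.0.12/32",  "tun0"),  # VPN cluster member B, physical interface
]

# Hypothetical "after" table: client also received the full subnet route.
FIXED_ROUTES: List[Tuple[str, str]] = CLIENT_ROUTES + [("10.20.0.0/24", "tun0")]

# Split-horizon DNS answers for the SAML portal name (placeholders).
DNS_VIEWS: Dict[str, str] = {
    "external": "203.0.113.10",  # NAT'd public address on the perimeter
    "internal": "10.20.0.10",    # cluster VIP on the gateways' external interfaces
}

TUNNEL_IFACE = "tun0"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for addresses that only make sense inside the corporate network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def lookup_route(ip: str, routes: List[Tuple[str, str]] = CLIENT_ROUTES) -> Tuple[str, str]:
    """Longest-prefix match, as the client OS does for a packet to ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {ip}")
    return (str(best[0]), best[1])


def exit_interface(ip: str, routes: List[Tuple[str, str]] = CLIENT_ROUTES) -> str:
    return lookup_route(ip, routes)[1]


def diagnose(dns_views: Dict[str, str] = DNS_VIEWS,
             routes: List[Tuple[str, str]] = CLIENT_ROUTES,
             tunnel: str = TUNNEL_IFACE) -> Dict[str, dict]:
    """For each DNS view, report which route the portal address would take."""
    report = {}
    for view, ip in dns_views.items():
        prefix, iface = lookup_route(ip, routes)
        report[view] = {
            "ip": ip,
            "matched_route": prefix,
            "interface": iface,
            # An RFC1918 answer that leaves via the physical adapter never
            # reaches the portal, so the re-authentication request is lost.
            "reachable": iface == tunnel or not is_rfc1918(ip),
        }
    return report


def unreachable_answers(dns_views: Dict[str, str] = DNS_VIEWS,
                        routes: List[Tuple[str, str]] = CLIENT_ROUTES,
                        tunnel: str = TUNNEL_IFACE) -> List[str]:
    """Resolver answers that are internal addresses but not covered by a tunnel route."""
    return [r["ip"] for r in diagnose(dns_views, routes, tunnel).values() if not r["reachable"]]


if __name__ == "__main__":
    for label, table in (("as reported", CLIENT_ROUTES), ("with subnet route", FIXED_ROUTES)):
        print(f"--- {label} ---")
        for view, r in diagnose(DNS_VIEWS, table).items():
            print(f"{view:9s} {r['ip']:15s} via {r['matched_route']:16s} {r['interface']}  reachable={r['reachable']}")
```

Run against a real client, the inputs would be the output of `route print` / `ip route` and the addresses the resolver returns while connected; the point of the model is that the "internal" answer must land on a tunnel route, otherwise the re-auth HTTPS request leaves through the local gateway exactly as the traceroute showed.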