madu1
Contributor

Remote Access VPN Issue on /31 ISP

I've got an R81.20 gateway where everything works fine, including Remote Access VPN.

Today I've tried to switch to a new ISP circuit.  The new circuit is a /31 subnet, so just the firewall and the ISP router.  Interface IP, default gateway, Topology etc. all updated.  Everything else works fine - Internet access, NAT (in and out), email in and out.  But Check Point Mobile clients will no longer connect.

In tcpdump I see the client sending traffic hitting the firewall and it's accepted in the logs on the correct rule, but the gateway never answers.  It's like the traffic just falls into a black hole.  Turning on remote access Control Connections in Global Properties makes no difference either.

I switched back to the old ISP line (on a /29 subnet) and VPN clients work perfectly again.

The only difference is the new ISP circuit being a /31 subnet.  Could this alone really be the reason why VPN clients won't connect?  Or more specifically why the gateway receives the connecting traffic but fails to reply with a single packet back?

I know /31 subnets have been a problem in the past on SMB appliances, but is this also the case on non-SMB gateways?

3 Replies
the_rock
Legend

According to below, it is supported.

Andy

https://support.checkpoint.com/results/sk/sk91020

Now, just to confirm, is it the case where you create a site, but the user can't connect?


madu1
Contributor

Thanks for finding that SK.

I did some more testing before I left site.  I was testing with a new laptop so in fact the problem is that I cannot even create the site via the new line.  Traffic gets to the gateway, the gateway never replies, and the client times out with a "gateway not responding" message.

I then put the laptop onto the LAN and was able to create the site with no problem.

After that I went back onto the Internet and tried to connect.  This time it DID connect.  At least as far as the SAML login pop-up.  I didn't bother changing all the SAML stuff with the new URL/IP as I knew I'd need to roll back anyway, but at least it then connected.  So it's just initially creating the site that doesn't work.

As soon as I went back to the old /29 ISP line I could once again create a new VPN site with no problem.

So with the old ISP and the LAN both allowing me to create a new site, I'm thinking it can only be due to the fact that the new ISP is a /31 and it won't work.  I've raised a case with TAC.

the_rock
Legend

That all makes sense to me! Let us know how it goes.

Andy
