This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
paki
Participant
‎2026-04-09 05:08 AM

Remote Access VPN not working from public network

Hello everyone,

I am reaching out regarding an issue with Remote Access VPN connectivity and I would appreciate any insights.

When I try to create a new site connection using the Endpoint Security VPN client from a public network (such as home WiFi or mobile internet), the connection fails with the error: “Site creation failed. Failed to create the new site. Site is not responding.”

However, when I perform the same test from a DMZ network, the VPN connection works without any issues. I am able to connect successfully using the VIP IP address and everything functions as expected. Additionally, the Site-to-Site VPN tunnel is up and running correctly on the same interface (that is VIP IP).

In terms of configuration, I have two gateways configured in a ClusterXL setup and the VIP address is used for VPN communication (Remote access for clients and Site2Site VPN). Now, I am on product version Check Point Gaia R81.20.

My questions are the following:
what could be the reasons why Remote Access VPN does not work from a public network, while it works from internal or DMZ networks?

Also, is it possible to assign a separate IP address for the Site-to-Site IPsec tunnel instead of using the VIP address, in order to separate it from other VPN services?

Thank you in advance!

0 Kudos
7 Replies
simonemantovani
MVP Silver
MVP Silver
‎2026-04-09 07:56 AM

Hello

could you try to share any screenshot you can about the VPN configuration?

Did you try to catpure traffic on external interface of the firewall, to see if your traffic for site creation is arriving?

Thanks.

0 Kudos
paki
Participant
a month ago
In response to simonemantovani

I solved this problem but I posted this question that I don't get any response.
Could you please give me more information about this: is it possible to assign a separate IP address for the Site-to-Site IPsec tunnel instead of using the VIP address, in order to separate it from other VPN services? This address must be subject of device failover, not only physical interface address.

Thank you in advance!

0 Kudos
simonemantovani
MVP Silver
MVP Silver
a month ago
In response to paki

For what I know, you can only use IP addresses (VIP) configured on the firewall ... so the right answer is no you can't, unless you have two differente Internet connections .. and in any case it add complexity in my opinion; if you have only one internet connection there is no real reason and advantage to separate vpn service (and as I told you, is not possible).

(1)
paki
Participant
a month ago
In response to simonemantovani

Thank you for your quick response.

Everything is working fine now. I just wanted to ask for clarification for future reference in case I need to introduce additional services or make changes to the setup later.

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2026-04-09 11:50 AM

Check out these settings. Second screenshot have impact also for normal site to site tunnels!

Second check traffic logs if https port is allowed. This is needed to setup the client VPN. 

image.pngimage.png

-------
Please press "Accept as Solution" if my post solved it 🙂
(1)
paki
Participant
a month ago
In response to Lesley

Thank you for your suggestion.

I have already reviewed and applied these settings and the current setup matches what you described. I also checked the traffic logs and verified that ports (UDP 500, UDP 4500, HTTPS 443) are allowed.

If possible could you please share a screenshot from the Network Management / Topology section (interfaces view)?
I would like to compare the interface configuration and topology settings to see if there are any differences that might explain the issue.

I have also created a simple diagram to illustrate my setup:
My side is a Check Point ClusterXL using a VIP address for VPN communication
Remote Access clients connect through the same VIP
There is also a Site-to-Site VPN tunnel to a 3rd-party (non-Check Point) device
Both Remote Access and Site-to-Site are working internally, but Remote Access fails from public networks.

Do you think this setup looks correct or is there something obvious I might be missing?

Thank you in advance.

Preview file
73 KB
0 Kudos
paki
Participant
a month ago
In response to paki

I would like to inform you that the issue has been resolved.

The problem was related to the Link Selection configuration. In IPsec VPN > Link Selection, I changed the setting from “Selected address from topology table” to “Statically NATed IP” and specified peer address.

After this change, Remote Access VPN works from public networks and the Site-to-Site VPN is also functioning correctly.

Thank you all for your help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events