jeanbruno
Participant

80.30SP and VPN routing

Hi,

We are hitting these limitations in the Maestro architecture:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

-------

  • It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.
  • It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a Scalable Platform 40000 / 60000 or a Maestro Security Group.

-------

We are redirecting the remote access traffic into a site-to-site VPN.

Client VPN <====Remote access====> 80.30SP <====SITE 2 SITE VPN====> Azure GW <--VNET--> Server

The SG doesn't like it and breaks the TCP session. It's not supported yet; there is an RFE coming.

However, do you have an idea for a workaround?

We were thinking of NATting the remote access traffic behind a pool before sending it into the VPN ...

Thanks for your help

JB

5 Replies
jeanbruno
Participant

I got the answer from Check Point: it's not supported on 80.30SP. A hotfix is needed via RFE...

sk147033

Thanks

Peter_Baumann
Contributor

Hi @jeanbruno 
Very interesting. We also have a customer with a migrated Maestro installation with a setup similar to this you described.
We see packet drops after 50s (TCP End Timer value) on the packets coming from the server back to the client.
You can see it with "g_fw ctl zdebug drop | grep <hidenat-ip-fw>"
Strangely, the drops are intermittent.

The workaround for now is an incoming fw rule which allows any traffic from the server to the VPN client.

Do you have the same behavior at your installation?

Thanks,
Peter

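The grep Peter describes above shows the drops one line at a time. As an added example (not Peter's or Check Point's code), the small Python script below reads `fw ctl zdebug drop` style lines captured to a file, keeps only those involving the hide-NAT IP, and aggregates them per peer, protocol and drop reason, so out-of-state TCP drops on the server-to-client direction (the "First packet isn't SYN" symptom that matches the TCP End Timer behaviour discussed in the thread) stand out from ordinary rulebase drops. The sample lines are constructed for the example and only mimic the general shape of the kernel debug output; the exact wording of drop reasons varies by version and JHF, so adjust `DROP_RE` to your own capture.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of `fw ctl zdebug drop` output
# (assumption: the real format depends on version; only the "proto=N SRC:PORT -> DST:PORT"
# part and the text after "Reason:" are used by the parser).
SAMPLE_OUTPUT = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.20.30.7:443 -> 172.16.50.21:51522 dropped by fw_handle_first_packet Reason: First packet isn't SYN;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.20.30.7:443 -> 172.16.50.21:51522 dropped by fw_handle_first_packet Reason: First packet isn't SYN;
;[cpu_3];[fw4_2];fw_log_drop_ex: Packet proto=17 10.20.30.7:53 -> 172.16.50.21:40001 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.9.9:22 -> 192.168.9.10:53000 dropped by fw_handle_first_packet Reason: First packet isn't SYN;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.20.30.7:443 -> 172.16.50.22:51600 dropped by fw_handle_first_packet Reason: First packet isn't SYN;
"""

# Pull out the 5-tuple and the drop reason; the reason runs up to the trailing ';'.
DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+).*?Reason:\s*(?P<reason>[^;]+)"
)

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_drops(text):
    """Return one dict per recognised drop line; unrelated debug lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["proto"] = PROTO_NAMES.get(d["proto"], d["proto"])
        d["reason"] = d["reason"].strip()
        drops.append(d)
    return drops


def summarize(drops, hide_nat_ip):
    """Keep drops that involve hide_nat_ip (what the grep does), then count them
    per (peer, proto, reason) so intermittent drops become visible as totals."""
    summary = Counter()
    for d in drops:
        if hide_nat_ip not in (d["src"], d["dst"]):
            continue
        peer = d["src"] if d["dst"] == hide_nat_ip else d["dst"]
        summary[(peer, d["proto"], d["reason"])] += 1
    return summary


def state_loss_suspects(summary):
    """Peers whose TCP packets are dropped as out-of-state (no SYN seen for the flow),
    i.e. the server-side replies arriving after the connection entry has aged out."""
    return sorted({peer for (peer, proto, reason) in summary
                   if proto == "tcp" and "SYN" in reason})


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_OUTPUT)
    summary = summarize(drops, "172.16.50.21")  # constructed hide-NAT IP of the VPN client
    for (peer, proto, reason), n in summary.most_common():
        print(f"{n:4d}  {peer:15s} {proto:4s} {reason}")
    print("out-of-state TCP peers:", state_loss_suspects(summary))
```

To use it on a real box, capture the debug to a file (for example `fw ctl zdebug + drop > /var/log/drops.txt` for a short, bounded interval) and pass the file contents to `parse_drops` instead of `SAMPLE_OUTPUT`; the per-reason totals tell you whether the misses are policy drops, which a rule fixes, or state-table drops, which a rule only papers over.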
jeanbruno
Participant

Hi Peter,

What version are you running?

I got bad TCP sequences, first SYN not seen. UDP seemed OK. I didn't do zdebug drop because TAC confirmed the topology is not supported.

Client to Site Traffic over Site to Site VPN Tunnel is supported only in 81.10 according to CP.

Peter_Baumann
Contributor

Hi @jeanbruno 
The customer is using R80.30SP with a JHF; which one exactly I cannot see, since I have no access to the fw right now.

jeanbruno
Participant

OK, maybe the same troubles as us. If you want full VPN support on 80.30SP you need to contact your CP sales and ask for the hotfix through an RFE.

And it can be installed only on top of Jumbo take 47.
