This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Satto
Participant
‎2025-07-24 06:36 AM
Jump to solution

Can't access Mgn though VPN

Hi,

 

I have many site behind a private ISP (Have no control here), all site is cluster, all running R81.20.

All site communicat to the Management server directly on the private ISP network, and all GW is member of a meshed VPN.

All the FW have no problem communicat to the Mgn, all cert and keys are update, so no problem here.

The VPN tunnel has no issue between the 192.168.x.x network, the problem starts when we need to communicate to the 10.161.100.x network, that is behind the FW1.
No problem with access from Com1 to Mgn, but Com2 or 3 can't talk with Mgn.

Mgn can't use the smtp mail server that is locate behind FW3, or ping any other network that belongs to the VPN network.

 

What I can see in the log, is that all Mgn request is route directly out on the external Interface on FW1.

Same happen to Com2 and 3, the request is going out on the local FW external interface.

All site proberly know that the 10.161.x.x is on the external network, so it just send it there.

I don't want any Mgn traffic with other Gateways stop working, but how can I trik the system to send local request to the Mgn server on the VPN network?

Hope you have the info you need... (Network pic is include)
/Steen

 

 

Preview file
43 KB
0 Kudos
3 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-07-24 12:23 PM
Jump to solution

So this is traffic from the management server itself, correct?
By design, management traffic is NOT routed through VPN.
To fix this would involve hacking implied rules and such, which will make management traffic dependent on the VPN being active.
This is not recommended.
Read the following two (similar) threads on this topic:

View solution in original post

the_rock
MVP Platinum
MVP Platinum
‎2025-07-24 12:27 PM
In response to PhoneBoy
Jump to solution

Right, always forget about that. @Satto , below sk should help too.

Andy

https://support.checkpoint.com/results/sk/sk105719

Best,
Andy

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-28 05:05 AM
In response to Satto
Jump to solution

Something outside of the encryption domain, yes.

View solution in original post

0 Kudos
10 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-07-24 09:42 AM
Jump to solution

What does zdebug show?

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-24 12:23 PM
Jump to solution

So this is traffic from the management server itself, correct?
By design, management traffic is NOT routed through VPN.
To fix this would involve hacking implied rules and such, which will make management traffic dependent on the VPN being active.
This is not recommended.
Read the following two (similar) threads on this topic:

the_rock
MVP Platinum
MVP Platinum
‎2025-07-24 12:27 PM
In response to PhoneBoy
Jump to solution

Right, always forget about that. @Satto , below sk should help too.

Andy

https://support.checkpoint.com/results/sk/sk105719

Best,
Andy
0 Kudos
Satto
Participant
‎2025-07-24 11:09 PM
In response to the_rock
Jump to solution

Hi,

 

Thanks for all your answer, but Im not sure that we are on the right track.

I have 2 problems, if we look att the mail problem first, maybe i'll better understand the smartconsol/cli problem later.

So why does the FW1 send the mail trafic from the Mgn server out on the Internet interface, when it knows that the 192.168.4.0/24 network is behind the FW3 using VPN.

The network 10.161.100.0/24 is published by our Privat ISP and route to 10.161.1.11, it is used as a type DMZ.

 

@;15761032.89339;[vs_0];[tid_1];[fw4_1];fwuser_process_packet: Got packet dir 1, 10.161.100.100:31306 -> 192.168.4.200:0 IPP 1, with dir 0 ;
@;15761032.89348;[vs_0];[tid_1];[fw4_1];cpxl_chain_handler: <dir 0, 10.161.100.100:31306 -> 192.168.4.200:0 IPP 1> is not accelerated (EXFLAG set), returning;
10.161.100.100 -> 192.168.4.200 ICMP type 8, code 0 ;
10.161.100.100 -> 192.168.4.200 ICMP type 8, code 0 ;

/Steen

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-25 03:40 AM
In response to Satto
Jump to solution

For that, did you try turn off sxl as a test?

Andy

Best,
Andy
0 Kudos
Satto
Participant
‎2025-07-25 04:57 AM
In response to the_rock
Jump to solution

Hi,

 

No difference in behavior when off.

 

/Steen

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-25 05:37 AM
In response to Satto
Jump to solution

K, fair enough. I would double check with TAC via remote session, just to make sure possibly something simple is not missing here.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-25 06:40 AM
In response to Satto
Jump to solution

It's exactly what I said above: traffic from the management (ALL TRAFFIC not just that for managing gateways) is NOT sent over VPN.
This is by design.

0 Kudos
Satto
Participant
‎2025-07-27 11:12 PM
In response to PhoneBoy
Jump to solution

Hi,

 

Okay, so if I want to send email using a server on another site, It need to connect on the outside of the GW on that site?

Thanks, is nice to understand why, so i don't need to trace the error anymore.

/Steen

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-28 05:05 AM
In response to Satto
Jump to solution

Something outside of the encryption domain, yes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events