Exonix
Advisor

Appliance 1900 doesn't recognise local encryption domain

Hello,

we have a centrally managed Appliance 1900 with RAS VPN configured. The SMB has been added to a cluster consisting of a single node.

I can connect, but in the routing table I see all my networks and interfaces instead of the manually specified encryption domain. Why doesn't the security gateway see the local domain?

[image: remote_access1.png]

Thank you!

50 Replies
the_rock
Legend

I'm gonna be 100% honest with you...none of this makes much logical sense to me. I don't personally see how this can even happen, especially considering that the VPN domain stays the SAME, so it really begs the question, what else changes?

Those SKs you listed would appear to be relevant to this, at least in my opinion.

On another note, is this split or full tunnel?

Andy

the_rock
Legend

I know what I will say now is probably a "shot in the dark", as the saying goes, but I recall one time, a while back, I was having a similar issue with a customer and we discovered that when failover was initiated, all worked fine...how, I have no clue, but when we failed back, all was okay again.

Maybe something to try...

Andy

Exonix
Advisor

let me show you something that can cause my problem:

[image: ras_encr_dom_issue6.png]

the_rock
Legend

That tells me it's an issue with the clustering config. Run the below on both members to compare.

Andy

cphaprob roles

cphaprob state

cphaprob -l list

cphaprob -i list

cphaprob syncstat

Exonix
Advisor

I've opened a new topic for the cluster issue, could you please check it?

the_rock
Legend

Just responded there with the same, lol

Andy

the_rock
Legend

Hey mate, did you manage to get this fixed with the cluster setup?

Andy

Exonix
Advisor

Hi Andy, no, I didn't. I just moved everything to the standalone node that is centrally managed now (so we moved one little step forward). Now I will work with Support, but from Monday. Today I got another issue with another cluster that was working until today...

the_rock
Legend

K, just responded there.

Andy

the_rock
Legend

Hey mate, any luck with this?

Andy

Exonix
Advisor

Hello Andy,

unfortunately, I didn't get any further, but I had the opportunity to test the RAS VPN on another single-node cluster, the Appliance 9000 on R81.20 - it works...

the_rock
Legend

Okay, no problem...so is clustering functional at this point, at least?

Andy

PhoneBoy
Admin

Clustering on SMB is a little different than non-SMB.
While a single-node cluster may be OK temporarily (e.g. in a failure situation), you'd still have two cluster nodes configured until you repair/replace the other.
This is not like the situation where a second cluster node has never been configured (your case).
In theory it should work, but it seems like you're running into some sort of bug.
If you haven't already, I suggest engaging TAC.

Exonix
Advisor

A few days ago, we also tested a cluster with two nodes - the same behavior: my laptop didn't get any routes from the VPN domain, but only local routers on the gateway.

Exonix
Advisor

Just to update this case - Check Point Support is still working on it...

G_W_Albrecht
Legend

This is a known shortcoming:

https://support.checkpoint.com/results/sk/sk141335

Set the topology to "Manually defined on the Security Management server, based on the below Topology Table"
and make sure all interfaces are defined correctly:


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Exonix
Advisor

Thank you very much! Now I see the required networks, but the routing table is strange: in the encryption domain I have the network 192.168.0.0/22, but why was it split multiple times?

        192.168.0.0    255.255.255.0     172.16.100.2     172.16.100.3      1
        192.168.0.0  255.255.255.255     172.16.100.2     172.16.100.3      1
        192.168.0.2  255.255.255.254     172.16.100.2     172.16.100.3      1
        192.168.0.4  255.255.255.252     172.16.100.2     172.16.100.3      1
        192.168.0.8  255.255.255.248     172.16.100.2     172.16.100.3      1
       192.168.0.16  255.255.255.240     172.16.100.2     172.16.100.3      1
       192.168.0.32  255.255.255.224     172.16.100.2     172.16.100.3      1
       192.168.0.64  255.255.255.192     172.16.100.2     172.16.100.3      1
      192.168.0.128  255.255.255.128     172.16.100.2     172.16.100.3      1
        192.168.1.0    255.255.255.0     172.16.100.2     172.16.100.3      1
        192.168.2.0    255.255.254.0     172.16.100.2     172.16.100.3      1

G_W_Albrecht
Legend

How are the interfaces configured? And what is 192.168.0.1, which is missing here?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Exonix
Advisor

The interfaces are configured in the simple way, as on a non-clustered node.
192.168.0.1 is the Gateway IP.

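The eleven route entries quoted above follow a simple pattern. Ten of them (192.168.0.0/32, 192.168.0.2/31, 192.168.0.4/30 ... 192.168.2.0/23) are exactly the minimal set of prefixes you get by taking the encryption domain 192.168.0.0/22 and carving out the single address 192.168.0.1/32, which the poster identifies as the gateway IP. The remaining entry, 192.168.0.0/24, is not produced by that split. The Python below is an added illustration written for this thread, not code from the thread or from Check Point: it reproduces the split with the standard library's ipaddress module and checks the quoted table against it. It assumes the quoted lines are in destination / netmask / gateway / interface / metric order (the post shows no header), and it only reports the arithmetic; why the gateway address is carved out is not established on this page.

```python
"""Reproduce the prefix split seen in the quoted client routing table.

Added example for this thread; not Check Point code and not the poster's.
It takes the encryption domain 192.168.0.0/22 and the gateway address
192.168.0.1 from the thread and shows that the ten more-specific routes
are exactly "the /22 minus the gateway's /32".
"""
import ipaddress
from typing import Dict, List

ENCRYPTION_DOMAIN = "192.168.0.0/22"   # from the thread
GATEWAY_IP = "192.168.0.1"             # from the thread ("the Gateway IP")

# Route lines copied from the post. Assumed column order (no header was
# shown): destination, netmask, gateway, interface, metric.
ROUTE_TABLE = """
        192.168.0.0    255.255.255.0     172.16.100.2     172.16.100.3      1
        192.168.0.0  255.255.255.255     172.16.100.2     172.16.100.3      1
        192.168.0.2  255.255.255.254     172.16.100.2     172.16.100.3      1
        192.168.0.4  255.255.255.252     172.16.100.2     172.16.100.3      1
        192.168.0.8  255.255.255.248     172.16.100.2     172.16.100.3      1
       192.168.0.16  255.255.255.240     172.16.100.2     172.16.100.3      1
       192.168.0.32  255.255.255.224     172.16.100.2     172.16.100.3      1
       192.168.0.64  255.255.255.192     172.16.100.2     172.16.100.3      1
      192.168.0.128  255.255.255.128     172.16.100.2     172.16.100.3      1
        192.168.1.0    255.255.255.0     172.16.100.2     172.16.100.3      1
        192.168.2.0    255.255.254.0     172.16.100.2     172.16.100.3      1
"""


def split_domain(domain: str, excluded_host: str) -> List[str]:
    """Minimal CIDR set covering `domain` with `excluded_host`/32 carved out."""
    net = ipaddress.ip_network(domain)
    hole = ipaddress.ip_network(f"{excluded_host}/32")
    pieces = net.address_exclude(hole)   # stdlib does the binary split
    ordered = sorted(pieces, key=lambda n: (n.network_address, n.prefixlen))
    return [str(n) for n in ordered]


def parse_route_table(text: str) -> List[str]:
    """Turn 'dest netmask gw iface metric' lines into CIDR strings."""
    prefixes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip blank / malformed lines
        dest, mask = fields[0], fields[1]
        prefixes.append(str(ipaddress.ip_network(f"{dest}/{mask}")))
    return prefixes


def uncovered_hosts(prefixes: List[str], domain: str) -> List[str]:
    """Addresses of `domain` that none of `prefixes` would route."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(a) for a in ipaddress.ip_network(domain)
            if not any(a in n for n in nets)]


def compare(route_text: str, domain: str, gateway: str) -> Dict[str, List[str]]:
    """Report how the observed routes differ from the expected split."""
    expected = set(split_domain(domain, gateway))
    observed = set(parse_route_table(route_text))
    return {
        "missing": sorted(expected - observed),  # expected pieces not pushed
        "extra": sorted(observed - expected),    # routes not produced by the split
    }


if __name__ == "__main__":
    for prefix in split_domain(ENCRYPTION_DOMAIN, GATEWAY_IP):
        print(prefix)
    print(compare(ROUTE_TABLE, ENCRYPTION_DOMAIN, GATEWAY_IP))
    print("not routed by the split alone:",
          uncovered_hosts(split_domain(ENCRYPTION_DOMAIN, GATEWAY_IP),
                          ENCRYPTION_DOMAIN))
```

Running it lists the ten prefixes of the split, reports `192.168.0.0/24` as the only route not produced by it and nothing missing, and shows that the split on its own leaves exactly 192.168.0.1 unrouted. The same `compare` function can be pointed at any client's route dump to check whether a pushed encryption domain arrived whole or with a hole in it.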
Exonix
Advisor

A short update: the firmware update to R81.10.17 (996004620) didn't help; in a week we have a remote session with Support to check the router again and to collect new debug logs.

Exonix
Advisor

Hello All!

Finally we found the solution with Check Point Support - we were really close: sk141335 and sk92676 must be implemented simultaneously!

Thank you very much to all of you!
