Hello,
we have a centrally managed Appliance 1900 with RAS VPN configured. The SMB has been added to a cluster consisting of a single node.
I can connect, but in the routing table I see all my networks and interfaces instead of the manually specified encryption domain. Why doesn't the security gateway see the local domain?
Thank you!
This is a known shortcoming:
https://support.checkpoint.com/results/sk/sk141335
Set the topology to "Manually defined on the Security Management server, based on the below Topology Table"
and make sure all interfaces are defined correctly:
Hello All!
Finally we found the solution with Check Point Support - we were really close: sk141335 and sk92676 must be implemented simultaneously!
Thank you very much to all of you!
Did this ever work? Does deleting/re-creating the site do anything?
Andy
This is a new setup, but we have another Appliance that is not a member of the cluster and not centrally managed - it works there.
Recreating the site didn't help. The strange thing is that the CLI shows "enc-dom auto" 🤷🏼
I don't really work much with SMB appliances, but see in SmartConsole, when you edit the object, is there anything like on regular Gaia appliances under Network -> VPN Domain? If so, you can check to make sure the same group is configured for the remote access VPN domain.
Andy
VPN Domain is for SiteToSite VPN. This works. I will open a ticket...
I was given this article, but it didn't help and I'm not sure this is my case at all: what is the difference between "all the gateways" and "connected gateway"?
Endpoint client downloads the encryption domain of all the gateways in the Remote Access community including the gateway's topology.
Currently there is no option to configure the client to download the topology of the connected gateway only.
Does not sound to me like your case either.
Andy
I found this in the logs on my PC:
[ 3880 4280][9 Apr 11:25:31][CONFIG_MANAGER] ConfigurationManager::addIPRange(): attribute name IP_RANGE, attribute value - list of wrong addresses
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] is_secondary_connect_enabled_and_supported_on_gw: enter...
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw return value false, because it is Gateway config variable. Scope: site XXX.XXX.XXX.XXX ,gw NULL ,user USER
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] is_secondary_connect_enabled_and_supported_on_gw: site XXX.XXX.XXX.XXX support 'secondary connect': 0
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: IP_RANGE
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: EXCLUSION_RANGE
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: INCLUSION_RANGE
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip0 / yyy.yyy.yyy.0 - ip-range-last-ip0 / yyy.yyy.yyy.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip1 / www.www.www.0 - ip-range-last-ip1 / www.www.www.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip2 / fff.fff.fff.0 - ip-range-last-ip2 / fff.fff.fff.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip3 / ccc.ccc.ccc.0 - ip-range-last-ip3 / ccc.ccc.ccc.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip4 / nnn.nnn.nnn.nnn - ip-range-last-ip4 / nnn.nnn.nnn.nnn
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip5 / 192.168.2.0 - ip-range-last-ip5 / 192.168.2.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip6 / XXX.XXX.XXX.XXX - ip-range-last-ip6 / XXX.XXX.XXX.XXX
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip7 / ttt.ttt.ttt.ttt - ip-range-last-ip7 / ttt.ttt.ttt.ttt
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: about to set 'allowed-ip-ranges-num' to 8
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: about to set 'exclusion-ranges-num' to 0
Any idea where to configure this?
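The log excerpt above lists, one range per line, what the client actually received as its allowed IP ranges. The following script is an added example (not Check Point's code and not from the original post): it parses client log lines in the TR_CONN_MANAGER setIpRangesOnConnData format quoted in the thread, collapses the first/last pairs into CIDR prefixes, and diffs them against the encryption domain you intended, so "routes for every interface" versus "routes for the VPN domain" shows up as concrete missing and unexpected prefixes. The sample log lines and the expected networks are constructed for illustration; in a real run, restore any octets you masked before feeding the lines in, since the parser needs valid addresses.

```python
"""Audit the IP ranges an Endpoint VPN client reports receiving.

Added example, not Check Point's code. It parses client log lines in the
format quoted in the thread (TR_CONN_MANAGER setIpRangesOnConnData) and
diffs the pushed ranges against the encryption domain you expect.
The sample log lines and the expected networks below are constructed.
"""
import ipaddress
import re

# "... (debug added range) ip-range-first-ip3 / 10.0.0.0 - ip-range-last-ip3 / 10.0.0.255"
RANGE_RE = re.compile(
    r"\(debug added range\) ip-range-first-ip(\d+) / (\S+) - ip-range-last-ip\1 / (\S+)"
)
# "... about to set 'allowed-ip-ranges-num' to 8"
COUNT_RE = re.compile(r"about to set '(allowed-ip-ranges-num|exclusion-ranges-num)' to (\d+)")

# Constructed sample, same shape as the thread's log, using RFC 1918 and
# documentation addresses: two gateway interface networks, the Office Mode
# pool and the gateway's own external address.
SAMPLE_LOG = """\
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip0 / 10.10.0.0 - ip-range-last-ip0 / 10.10.0.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip1 / 10.20.0.0 - ip-range-last-ip1 / 10.20.0.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip2 / 192.168.2.0 - ip-range-last-ip2 / 192.168.2.255
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip3 / 203.0.113.10 - ip-range-last-ip3 / 203.0.113.10
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: about to set 'allowed-ip-ranges-num' to 4
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: about to set 'exclusion-ranges-num' to 0
"""

# Constructed "intended" Remote Access encryption domain: the LAN, the Office
# Mode pool, and a supplier network reached over a site-to-site tunnel.
EXPECTED_DOMAIN = ["10.10.0.0/24", "192.168.2.0/24", "172.16.50.0/24"]


def parse_ranges(lines):
    """Return ([(first_ip, last_ip), ...], {counter_name: value}) from log lines."""
    ranges, counts = [], {}
    for line in lines:
        m = RANGE_RE.search(line)
        if m:
            ranges.append((ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))))
            continue
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return ranges, counts


def ranges_to_networks(ranges):
    """Collapse first/last pairs into CIDR networks (a single host becomes /32)."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def audit_log(log_text, expected_cidrs=EXPECTED_DOMAIN):
    """Diff the ranges the client received against the expected encryption domain.

    All addresses are assumed to be IPv4 (subnet_of() refuses mixed versions).
    """
    ranges, counts = parse_ranges(log_text.splitlines())
    pushed = ranges_to_networks(ranges)
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    # An expected prefix is covered if some pushed prefix contains it entirely.
    missing = [e for e in expected if not any(e.subnet_of(p) for p in pushed)]
    # A pushed prefix is unexpected if it lies outside every expected prefix.
    unexpected = [p for p in pushed if not any(p.subnet_of(e) for e in expected)]
    return {
        "pushed": [str(n) for n in pushed],
        "missing": [str(n) for n in missing],
        "unexpected": [str(n) for n in unexpected],
        # The client's own counter should match the number of ranges it logged.
        "count_ok": counts.get("allowed-ip-ranges-num") == len(ranges),
        "exclusions": counts.get("exclusion-ranges-num", 0),
    }


if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports the supplier network as missing and the second interface network plus the gateway's external address as unexpected, which is exactly the symptom described in the thread: interface networks pushed, VPN domain members not. Run it against a real client log after replacing EXPECTED_DOMAIN with the group you configured as the Remote Access VPN domain.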
When you "add a site" you are not only adding the encryption domain of the gateway you are connecting to (i.e. to add the site), you are adding the Remote Access encryption domain of every other gateway that is under the same management domain.
Which means the routes that will be set on your Remote Access client will cover more than just the 1900.
As noted above, this is expected behavior.
But I don't have any other gateways under the same management domain. If I add a second node to the cluster - will it solve the problem?
I have exactly the opposite: the added routes are from the 1900 - they belong to all enabled interfaces on the 1900. How can I add more networks to the client?
For now, It looks like the clustered RAS doesn't work out of the box (
It is highly unusual to run a cluster with a single node.
However, I don't believe it will help to add the node to the cluster?
The version of firmware involved on the 1900 as well as the version/JHF on your management will be helpful for context.
For the "more networks" you want to add to the encryption domain, do you have routes for these networks configured on the 1900 already?
"More networks" - they belong to encryption domains of some S2S VPN. So, our users connect to our office and then go to resources located on a supplier site. Typical configuration.
You say it is unusual. OK, imagine we have a classic two-node cluster. Then one node crashes - is it still a two-node cluster? Right now I can't add the second node, because it serves as the main router. But tomorrow evening I will try it.
The version will come a bit later, but it is the latest one.
Not sure how adding the cluster member will make this work.
Are those S2S VPNs already set up and working correctly on the device?
Yes, the S2S work correctly
I'm with Phoneboy on this one... the VPN domain would not have anything to do with whether something is a cluster, single device or standalone.
Andy
The fact is that RAS works on a standalone FW - a client gets all routes from the encryption domain.
Once the FW is added into the cluster, it stops working: no routes from the VPN domain are added.
Anyway, I need to make this work...
Ok, let's take a step back here. So just for context, can you please make sure that the VPN domain used for the single FW is exactly the SAME as when it's a cluster? Also, if it is the same, can you have someone delete/re-create the site and test?
Andy
Yes, the VPN domain for RAS is the same. I didn't change it, but just added the fw to the cluster.
Yes, I have already recreated the connection (this is the site, right?) on the VPN client - didn't help.
I don't see any screenshots in your response, so I can't tell exactly what you meant for the site. If you are allowed to do remote, happy to check it with you. I'm good till 9 am EST (GMT-5).
Let me know.
Andy
Thank you Andy, unfortunately, remote assistance is not allowed...
This is VPN Domain for the RAS 👇
And this is the Site/Connection 👇
That's totally fair, my intention is always to try my best to help, but of course everyone has to follow their company's rules, that's 100% expected.
Anywho, that looks right to me, but another question... what does the rule look like to access these resources in the policy, can you show that?
Also, from my experience, when this happens, it's usually because the VPN domain is wrong or something in the needed rule is "missing".
Andy
The rules are quite simple (we have many clients who have such a configuration)
- the "office mode Network" is a member of "local_networks"
Let me try to install the policy explicitly for the cluster instead of "Policy Targets"
That looks right... ok, just to clarify, you say this ONLY happens in a cluster environment, NOT otherwise?
Andy
Yes, for some reason it doesn't work when we use a cluster environment. When we use a standalone FW - everything works 👍 I hope this is related to the number of nodes in the cluster and adding a second node tonight will solve the problem 🙏 I have no other ideas...
I'm with you there, I've got nothing else either, sorry 😞
Did you end up opening TAC case for this?
Andy
Yes, TAC is also doing their best
Just for the context, can you please list everything tried so far?
Andy
I've checked all settings - everything looks good. Also I did this:
sk78180 - Disabling MEP for Endpoint VPN Client
sk92676 - Remote Access client download routes from all gateways in the Remote Access Community