Endpoint Security VPN

dkzndkqh · ‎2025-03-17

My client currently has Firewall A and Firewall B, which are connected via an IPsec VPN. However, when using Capsule VPN (Windows), whether the gateway is set to Firewall A or Firewall B, access to the internal network works. But with Endpoint Security VPN, unlike with Capsule VPN, access to the internal network of each firewall is not possible. Has anyone experienced a similar situation? When pinging, the packets don't even reach the firewall. It's not a policy issue.

Chris_Atkinson · ‎2025-03-17

Gateway & client version, is MEP configured?

Does this effect all users/clients or just your specific location and what type of ISP link is used e.g. IPV6 or CGNAT etc

CCSM R77/R80/ELITE

dkzndkqh · ‎2025-03-17

No, current vpn community is mesh type , so it is not an MEP configuration , and it applies to all users connecting via Endpoint Security VPN regardless of location. The ISP is using CGNAT."

the_rock · ‎2025-03-17

Just curious, does deleting and re-creating tyhe site works? If not, then we would need to do captures to see if you even see any traffic on tunnel test port 18234?

Andy

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2025-03-17

@dkzndkqh

See my lab example...IMPORTANT to point out, see how last flag shows Oe, meaning outbound and encrypted.

Andy

[Expert@R82:0]# fw monitor -e "accept port(18234);"
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
************************************************************** NOTE **************************************************************
*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***
************************************************************************************************************************************
FW monitor will record only ip & transport layers in a packet
For capturing the whole packet please do -w
PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
PPAK 0: Get before set operation succeeded of fwmonitormaxpacket
PPAK 0: Get before set operation succeeded of fwmonitormask
PPAK 0: Get before set operation succeeded of fwmonitorallocbufs
PPAK 0: Get before set operation succeeded of printuuid
[vs_0][fw_1] eth0:i[40]: 172.17.10.1 -> 172.16.10.253 (UDP) len=40 id=1
UDP: 18534 -> 18234
[vs_0][fw_1] eth0:I[40]: 172.17.10.1 -> 172.16.10.253 (UDP) len=40 id=1
UDP: 18534 -> 18234
[vs_0][fw_1] eth0:o[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18534
[vs_0][fw_1] eth0:O[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18534
[vs_0][fw_1] eth0:Oe[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18534
[vs_0][fw_1] eth0:i[40]: 172.17.10.1 -> 172.16.10.253 (UDP) len=40 id=1
UDP: 18535 -> 18234
[vs_0][fw_1] eth0:I[40]: 172.17.10.1 -> 172.16.10.253 (UDP) len=40 id=1
UDP: 18535 -> 18234
[vs_0][fw_1] eth0:o[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18535
[vs_0][fw_1] eth0:O[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18535
[vs_0][fw_1] eth0:Oe[40]: 172.16.10.253 -> 172.17.10.1 (UDP) len=40 id=1
UDP: 18234 -> 18535
^C monitor: caught sig 2
monitor: unloading
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
[Expert@R82:0]#

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

Endpoint Security VPN