This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NhatKha
Contributor
‎2024-09-26 10:50 PM

Stuck at 47% when RA VPN from internal network

Hello everyone,

 

Thanks for your attention to this matter.

Currently I'm unable connect Remote Access VPN from my internal network, although when I'm tried to connect from external, at home still successfully.

Product: 6600 appliance
Version: R81.20 take 84
Endpoint Security version E86.50, 88.40,...

Connect RA VPN using NATed IP (Statically NATed by ISP-Peplink)

When connecting to RA VPN from a device in the internal network, it gets stuck at 47% "User *** authenticated by FireWall-1 authentication".

image (2).png

Then failed:

image (3).png

Log showing no error:

image (4).png

Already tried:

 - In Global properties > RA > Enable Back Connections (from gateway to client).

 - Set "No" at Network location awareness.

https://support.checkpoint.com/results/sk/sk129492
https://support.checkpoint.com/results/sk/sk156172
https://support.checkpoint.com/results/sk/sk92716
https://support.checkpoint.com/results/sk/sk160672

 - Open with TAC still no luck

When I tried to use internal interface IP for create a site to connect, it success one time only: success => disconnect => connected again -> stuck at 47% -> failed => delete site => create new again => connect success => ... loop

Note: Problem happen only connect from internal network and our policy needed to RA VPN from internal to access some server.

Does anyone facing this problem before, please help me.

 

Thank you so much and have a great day!

Best regards,

Kha

 
extended_vpn_log.zip
0 Kudos
8 Replies
AkosBakos
Advisor
Advisor
‎2024-09-27 06:03 AM

Hi @NhatKha 

Did you dump the connection process on the RA gateway?

What is under IPsec VPN ->Link Selection?

I suppose that, when you create a VPNsite with internal address  ->the connection succeded for the first time -> at this time the client downloads the topology  -> because of the newly downloaded topology setting, the second try will be fail.

This is my first first guess 🙂

Akos

----------------
\m/_(>_<)_\m/
NhatKha
Contributor
‎2024-09-30 06:18 AM
In response to AkosBakos

Hello Akos,

I really appreciate your help.

Can you guide me how to dump the connection process on the RA gateway?

Under IPsec VPN ->Link Selection -> Always use this IP Address -> Statically NATed IP: IP NATed by ISP-Peplink (x.x.x.x).

I saw in the first time connect the log showing source from exactly IP of my device, but the second time the source is IP that connect with Checkpoint interface of Peplink (exam: checkpoint 172.16.9.8 ; peplink: 172.16.9.9). The second time try connect using internal IP, and connect using NAT IP always showing the source is 172.16.9.9. I still don't know why it redirect to that.

Do you have any ideals for this?

 

Thanks & Best Regard,

Kha

 
0 Kudos
the_rock
Legend
Legend
‎2024-09-27 06:05 AM

Does it make any difference if you try delete/recreate the site?

Andy

NhatKha
Contributor
‎2024-09-30 06:26 AM
In response to the_rock

Hello the_rock,

I check and see it's not have any difference when I'm tried delete/recreate the site, the difference here when I try to connect the second time.

But that delete/recreate only happen when we using internal IP, if using NAT IP its couldn't connect even from the first time. And it also doesn't make sense for us to force users to manually change their connection IP (or delete/recreate) when they work from home and at office.

We still want to use NAT IP to connect successfully from outside and inside the internal network.

Have you ever tried this problem before? Or if you have any ideals, please help us. 

 

Thanks & Best Regards,

Kha

 
0 Kudos
the_rock
Legend
Legend
‎2024-09-30 06:31 AM
In response to NhatKha

Wait a second...why do you have a need to do this INTERNALLY??

 

Andy

NhatKha
Contributor
‎2024-09-30 06:41 AM
In response to the_rock

Hello the_rock,

I know this is quite strange.
But because my company's policy has been like that since before, our environment is a school, each wifi zone will only be able to connect to its own partition, so when teachers or staff go to another wifi zone to teach/work, they sometimes need remote access from the inside because some places do not allow direct access to their resources.

It can be said that our network system planning is not good, but I remember that in my previous workplaces using Checkpoint, I could still VPN from the inside, so I am thinking that this is not a limitation of Checkpoint but this is a error somewhere.

 

Thanks & Best regards,

Kha

0 Kudos
the_rock
Legend
Legend
‎2024-09-30 06:50 AM
In response to NhatKha

Hey Kha,

No, thats totally FAIR, I understand now. Sorry, was not trying to be "intrusive" about it, just wanted to make sure logic is there.

Anyway, may have to do with below setting in global properties...can you see how its configured? I know clients I helped with this in the past would have their INTERNAL network listed in the group I pointed out to.

Andy

 

Screenshot_1.png

PhoneBoy
Admin
Admin
‎2024-09-30 07:47 AM
In response to NhatKha

This might be what you need to here: https://support.checkpoint.com/results/sk/sk103440

You would need a single FDQN in your DNS that:

  1. Resolves externally to the NAT IP
  2. Resolves internally to the real IP

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events