This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2018-03-27 02:08 PM

Connections to remote site originating from SMB gateway

Hello guys,

I am having an issue in which the SMB 1400 cannot access hosts (DNS, DHCP, NTP servers) on a remote network via site-to-site VPN. Connections originating from the internal hosts work great.

I have checked the advanced option "Use internal IP address for encrypted connections from local gate", but now connections are started with the SYNC interface IP address instead of an IP in the local encryption domain, so they are dropped before entering the VPN tunnel:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.231.149.2:2048 -> 172.16.1.2:29833 dropped by vpn_encrypt_chain Reason: No error;

How can I make this work correctly?

3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-03-28 03:43 AM

The question is hard as very few information is given:

- i would assume that this 1400 is locally managed (although it is an expensive 1400), as the Advanced Setting mentioned is only available when locally managed

- is "Disable NAT for this SIte" enabled in VPN Site definition ?

- how are the Encryption Domains defined ?

- what is the Error when the SMB 1400 cannot access hosts and where is the packet dropped ?

- which GW is the VPN peer and what do the logs show there ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Espindola
Advisor
‎2018-03-28 01:02 PM
In response to G_W_Albrecht

I'm sorry, I did omit a lot of information.

1. Yes, the appliance is locally managed.

2. NAT is disable for this site

3. Local encryption domain is manually set for 3 internal networks, which obviously does not include the cluster SYNC network.

4. The connections times out, zdebug shows:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.231.149.2:2048 -> 172.16.1.2:29833 dropped by vpn_encrypt_chain Reason: No error;

10.231.149.2 is the sync IP address and 172.16.1.2 is the host in the remote site.

5. Peers are AWS and Azure. I do not think there is any issue there. The packet simply won't get there, since the GW is using an IP that is not (and should not be) in the encryption domain.

Mainly, my question is: can I make the 1400 use an internal IP from a network that is in the encryption domain or do I have to redo all VPN site configs to include the SYNC network? (including AWS and Azure gws configs)

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-03-29 12:03 AM
In response to Pedro_Espindola

I would suggest to ask TAC for help !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events