kristait
Contributor

Remote Access VPN Users Unable to Connect to Location 2 Servers.

[Attachment: RA-CP-VPN.JPG]

Dear Checkpoint Community,

I am experiencing an issue with our VPN setup and would appreciate your assistance. The network topology is as follows:

  • Location 1:

    • Checkpoint 1800 SMB
    • Local Users
    • Local Servers
  • Location 2:

    • TP-Link Router
    • Local Servers

There is a site-to-site VPN established between Location 1 and Location 2, allowing seamless connectivity between the servers and users in these locations.

Issue: Users in Location 1 and the servers in Location 1 can successfully ping/connect to the servers in Location 2 through the site-to-site VPN. However, remote access (RA) VPN users connecting to the Checkpoint firewall at Location 1 are unable to connect to the servers in Location 2.

Steps Taken:

  • Verified the RA VPN configuration and connectivity to Location 1 resources.
  • Confirmed the site-to-site VPN is operational and allows traffic between Location 1 and Location 2 servers.
  • Checked the firewall rules to ensure there are no blocks on traffic from RA VPN users to Location 2 servers.

Despite these steps, RA VPN users still cannot access Location 2 servers. I suspect there might be an issue with the routing or access rules specific to RA VPN users.

Questions:

  1. Are there any specific settings required in the Checkpoint 1800 SMB to enable RA VPN users to access resources over a site-to-site VPN?
  2. What additional configurations or troubleshooting steps should I consider to resolve this issue?

Any guidance or suggestions would be greatly appreciated. Thank you in advance for your help!

0 Kudos
13 Replies
the_rock
Legend

I would say as long as VPN domains and rules are good, you should be fine. As far as troubleshooting, I would confirm the logs first, then maybe do some basic VPN checks, i.e. does it fail on phase 1 or 2? What do they see on the other side?

Andy

0 Kudos
kristait
Contributor

Hello @the_rock, thank you for the response. Please find the attached log screenshots for your reference.

[Attachments: CPF_Log1.JPG, CPF_Log2.JPG, Firewall rule.JPG, TP-Link logs.JPG]

0 Kudos
the_rock
Legend

Do you see any dropped logs about it? Based on what you sent, I can't really "decipher" why this fails.

Andy

0 Kudos
kristait
Contributor

I am not able to see any dropped logs when I try to ping from the RA user to the Location 2 servers; screenshots attached.

[Attachments: Security Logs.JPG, Security Logs_1.JPG]

0 Kudos
the_rock
Legend

Might be worth a TAC case to check further, sorry, I don't work often with SMB : - (

0 Kudos
kristait
Contributor

The case is already open with the support team (SR Number: 6-0003950608) and has been for a few weeks, but they have not been able to assign an engineer yet.

0 Kudos
PhoneBoy
Admin

Did you set the Remote Access Encryption Domain to include Location 2's resources?
This is done in VPN > Remote Access > Advanced
Click on the link in the sentence Local encryption domain is defined automatically according to topology...
Users will need to re-add the site to their client after this.

0 Kudos
kristait
Contributor

Hello @PhoneBoy,

I have added Location 2's resources to the Local encryption domain, but Remote Access users are still unable to access these resources. Please refer to the attached screenshots of the configuration and logs. As you can see, there are no drops.

[Attachments: Security Logs_3.JPG, Local encryption.JPG]

PhoneBoy
Admin

Did the users delete and re-add the site on their end?
If so and this persists, you may need the TAC to investigate: https://help.checkpoint.com

0 Kudos
kristait
Contributor

Hello @PhoneBoy, yes, while troubleshooting, I deleted the site and reconfigured it from both ends, but the issue still persists. I have also raised a TAC case (Case #: 6-0003950608), but they have not provided a proper solution.

0 Kudos
the_rock
Legend

Keep us posted how it goes with TAC.

Andy

kristait
Contributor

Sorry to say, but we are opting to use a third-party service for our VPN needs, as TAC has been unable to resolve the issue. We hope that the R82 firmware for SMB locally managed devices will address this issue.

Does anyone know when the R82 firmware for SMB firewalls will be released?

0 Kudos
PhoneBoy
Admin

R82 for SMB is most likely next year (note R82 is not GA for regular Quantum Appliances yet).

SAML Support (something you mentioned in your SR) is actually planned for R81.10.15, which is currently in EA.
It's also not clear from the SR if you included the networks behind the TP-Link router in your Remote Access Encryption Domain.
This needs to be configured correctly for this to work.
Additionally, make sure the TP-Link knows to route the Office Mode addresses back to you (these are the IPs the clients will receive on connection).

0 Kudos
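The two conditions raised in this thread (Location 2 networks missing from the Remote Access encryption domain, and the TP-Link lacking a return route for the Office Mode pool) can be checked against a written-down topology before opening a TAC case. The following is an added example, not code from the thread or from Check Point; all addresses are constructed, and the `"vpn"` next-hop label is a convention of this script, not a TP-Link setting.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample values modelled on the thread's topology (not from the post).
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")   # addresses RA clients receive
LOCATION2_LAN = ipaddress.ip_network("192.168.2.0/24")      # servers behind the TP-Link


def diagnose(ra_encryption_domain: List[str], s2s_peer_domain: List[str],
             peer_routes: List[Tuple[str, str]], target: str,
             office_mode_pool=OFFICE_MODE_POOL) -> List[str]:
    """Return the reasons an RA client cannot reach `target` at Location 2.

    ra_encryption_domain: networks the RA client is told to send into its tunnel
    s2s_peer_domain:      networks the Location 1 gateway reaches over site-to-site
    peer_routes:          (destination, next_hop) entries on the Location 2 router;
                          a next_hop of "vpn" means the site-to-site tunnel
    """
    dst = ipaddress.ip_address(target)
    findings = []

    # 1. Client side: unless the client routes all traffic through the gateway,
    #    destinations outside the RA encryption domain never enter the tunnel, so
    #    the gateway sees nothing and logs no drop (matching the empty drop logs).
    if not any(dst in ipaddress.ip_network(n) for n in ra_encryption_domain):
        findings.append("target not in Remote Access encryption domain: "
                        "client does not tunnel it, gateway logs nothing")

    # 2. Gateway side: a site-to-site tunnel must cover the target network.
    if not any(dst in ipaddress.ip_network(n) for n in s2s_peer_domain):
        findings.append("target not in site-to-site peer domain: no tunnel to forward into")

    # 3. Return path: the Location 2 router needs a route for the Office Mode pool
    #    pointing back into the tunnel; longest prefix match picks the winner.
    client_ip = next(office_mode_pool.hosts())
    routes = [(ipaddress.ip_network(n), hop) for n, hop in peer_routes]
    matching = [(n, hop) for n, hop in routes if client_ip in n]
    best_hop = max(matching, key=lambda r: r[0].prefixlen)[1] if matching else None
    if best_hop != "vpn":
        findings.append(f"Location 2 router sends replies for {office_mode_pool} to "
                        f"{best_hop or 'nowhere'}: forward path works, replies are lost")
    return findings


if __name__ == "__main__":
    # Thread-like state: Location 2 missing from the RA domain, no return route.
    for line in diagnose(["192.168.1.0/24"], [str(LOCATION2_LAN)],
                         [("0.0.0.0/0", "isp"), ("192.168.1.0/24", "vpn")],
                         "192.168.2.10"):
        print("-", line)
```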
