Remote Access VPN Users Unable to Connect to Location 2 Servers.
Dear Checkpoint Community,
I am experiencing an issue with our VPN setup and would appreciate your assistance. The network topology is as follows:
Location 1:
- Checkpoint 1800 SMB
- Local Users
- Local Servers
Location 2:
- TP-Link Router
- Local Servers
There is a site-to-site VPN established between Location 1 and Location 2, allowing seamless connectivity between the servers and users in these locations.
Issue: Users in Location 1 and the servers in Location 1 can successfully ping/connect to the servers in Location 2 through the site-to-site VPN. However, remote access (RA) VPN users connecting to the Checkpoint firewall at Location 1 are unable to connect to the servers in Location 2.
Steps Taken:
- Verified the RA VPN configuration and connectivity to Location 1 resources.
- Confirmed the site-to-site VPN is operational and allows traffic between Location 1 and Location 2 servers.
- Checked the firewall rules to ensure there are no blocks on traffic from RA VPN users to Location 2 servers.
Despite these steps, RA VPN users still cannot access Location 2 servers. I suspect there might be an issue with the routing or access rules specific to RA VPN users.
Questions:
- Are there any specific settings required in the Checkpoint 1800 SMB to enable RA VPN users to access resources over a site-to-site VPN?
- What additional configurations or troubleshooting steps should I consider to resolve this issue?
Any guidance or suggestions would be greatly appreciated. Thank you in advance for your help!
I would say as long as VPN domains and rules are good, you should be fine. As far as troubleshooting, I would confirm the logs first, then maybe do some basic VPN checks, i.e. does it fail on phase 1 or 2? What do they see on the other side?
Andy
Hello @the_rock, thank you for the response. Please find the attached logs screenshot for your reference.
Do you see any dropped logs about it? Based on what you sent, I can't really "decipher" why this fails.
Andy
I am not able to see any dropped logs when I try to ping from an RA user to the Location 2 servers; screenshot attached.
Might be worth a TAC case to check further. Sorry, I don't work often with SMB :-(
The case is already open with the support team (SR Number: 6-0003950608) and has been for a few weeks, but they have not been able to assign an engineer yet.
Did you set the Remote Access Encryption Domain to include Location 2's resources?
This is done in VPN > Remote Access > Advanced.
Click on the link in the sentence "Local encryption domain is defined automatically according to topology...".
Users will need to re-add the site to their client after this.
Hello @PhoneBoy,
I have added Location 2's resources to the Local encryption domain, but Remote Access users are still unable to access these resources. Please refer to the attached screenshot of the configuration and logs. As you can see, there are no drops.
Did the users delete and re-add the site on their end?
If so and this persists, you may need the TAC to investigate: https://help.checkpoint.com
Hello @PhoneBoy, yes, while troubleshooting, I deleted the site and reconfigured it from both ends, but the issue still persists. I have also raised a TAC case (Case #: 6-0003950608), but they have not provided a proper solution.
Keep us posted how it goes with TAC.
Andy
Sorry to say, but we are opting to use a third-party service for our VPN needs, as TAC has been unable to resolve the issue. We hope that the R82 firmware for SMB locally managed devices will address this issue.
Does anyone know when the R82 firmware for SMB firewalls will be released?
R82 for SMB is most likely next year (note R82 is not GA for regular Quantum Appliances yet).
SAML Support (something you mentioned in your SR) is actually planned for R81.10.15, which is currently in EA.
It's also not clear from the SR if you included the networks behind the TP-Link router in your Remote Access Encryption Domain.
This needs to be configured correctly for this to work.
Additionally, make sure the TP-Link knows to route the Office Mode addresses back to you (these are the IPs the clients will receive on connection).
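The two configuration requirements raised in this thread (the Remote Access encryption domain must include the networks behind the TP-Link, and the TP-Link must route the Office Mode pool back through the site-to-site tunnel) can be expressed as a simple subnet-coverage check. The script below is an added example written for this page; it is not code from the thread, from Check Point or from TP-Link, and all addresses, the `diagnose` function and the two "broken" and "fixed" configurations are constructed assumptions used to illustrate the checks. It models the TP-Link as a policy-based peer whose tunnel only carries traffic for the remote subnets it was configured with.

```python
"""
Consistency check for the two requirements discussed in this thread:
  1. the Remote Access (RA) encryption domain must contain the networks
     behind the site-to-site peer (Location 2), and
  2. the site-to-site peer must treat the Office Mode pool as a remote
     network of the tunnel so that replies are routed back through it.
All addresses and object names below are constructed for illustration.
"""
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Union

Network = Union[IPv4Network, IPv6Network]


def covered_by(target: Network, domain: Iterable[Network]) -> bool:
    """True if `target` lies entirely inside some network of `domain`.
    The version check avoids the TypeError subnet_of raises on v4/v6 mixes."""
    return any(n.version == target.version and target.subnet_of(n) for n in domain)


def missing_from_ra_domain(ra_domain: Iterable[Network],
                           remote_networks: Iterable[Network]) -> List[Network]:
    """Networks behind the peer that RA clients cannot reach because the
    gateway will not select them into the RA client's tunnel."""
    ra_domain = list(ra_domain)
    return [n for n in remote_networks if not covered_by(n, ra_domain)]


def office_mode_has_return_path(peer_remote_subnets: Iterable[Network],
                                office_mode_pool: Network) -> bool:
    """A policy-based peer (here the TP-Link) only sends traffic destined to
    `office_mode_pool` into the tunnel if the pool is among the remote
    subnets it was configured with; otherwise replies leave via its default route."""
    return covered_by(office_mode_pool, peer_remote_subnets)


def diagnose(ra_domain: Iterable[Network], peer_remote_subnets: Iterable[Network],
             remote_networks: Iterable[Network], office_mode_pool: Network) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for n in missing_from_ra_domain(ra_domain, remote_networks):
        findings.append(f"RA encryption domain does not include {n}")
    if not office_mode_has_return_path(peer_remote_subnets, office_mode_pool):
        findings.append(f"peer has no tunnel route for Office Mode pool {office_mode_pool}")
    return findings


# Constructed topology (assumed addresses, not from the thread)
LOCATION1_LAN = ip_network("192.168.10.0/24")    # behind the 1800 SMB
LOCATION2_LAN = ip_network("192.168.20.0/24")    # behind the TP-Link
OFFICE_MODE_POOL = ip_network("172.16.10.0/24")  # addresses handed to RA clients

# State the thread describes: RA domain derived from local topology only,
# and the TP-Link tunnel configured with Location 1's LAN as its only remote subnet.
BROKEN_RA_DOMAIN = [LOCATION1_LAN]
BROKEN_PEER_REMOTE_SUBNETS = [LOCATION1_LAN]

# Corrected state: Location 2 added to the RA encryption domain, and the
# Office Mode pool added as a remote subnet of the tunnel on the TP-Link.
FIXED_RA_DOMAIN = [LOCATION1_LAN, LOCATION2_LAN]
FIXED_PEER_REMOTE_SUBNETS = [LOCATION1_LAN, OFFICE_MODE_POOL]

if __name__ == "__main__":
    for label, ra, peer in (("broken", BROKEN_RA_DOMAIN, BROKEN_PEER_REMOTE_SUBNETS),
                            ("fixed", FIXED_RA_DOMAIN, FIXED_PEER_REMOTE_SUBNETS)):
        print(label, diagnose(ra, peer, [LOCATION2_LAN], OFFICE_MODE_POOL) or ["ok"])
```

Running it prints two findings for the "broken" configuration and `ok` for the "fixed" one. The absence of drop logs reported earlier in the thread is consistent with the second check: when the peer lacks a route for the Office Mode pool, the request is forwarded through the tunnel and the reply is simply never sent back, so nothing is dropped on the Check Point side.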
