SMB 1550 Probing failed / GAiA access problems
Hi,
I am currently facing different issues with a SMB 1550 appliance.
Quick info on the config, version and infrastructure.
The gateway has 2 WAN links configured. One on port WAN (fallback) and one on port LAN5 (main). We have a site-to-site VPN from the appliance to our maestro. The VPN is configured for high availability. Encryption Method is IKEv2.
The current firmware version of the SMB is R81.10.05.
First issue is that the fallback connection is always down. The error message is "In progress - gateway probing failed". After disabling and re-enabling the connection, it works for a few minutes. Then it returns to the same state as before. The provider says the WAN connection seems fine. I've also tried reconfiguring the link, with no improvement. In SmartConsole, both WAN links are shown as internal; on all other devices that are working, the WAN connections are shown as external networks. I don't think this should be the case.
Second issue may or may not be a VPN problem, I can't tell. I cannot access the GAiA over VPN; SSH over VPN is working fine. Web interface takes forever to load. So it is theoretically reachable, but you cannot log in or do anything with it. When I try to access GAiA over the internet from our public network, I can connect to the GAiA portal. Also all employees in the office can work as usual. This means they can access all resources through VPN from our head office.
If you need any more information, I will try to give it to you.
Best regards.
I believe all the probing is done by pinging the default gateway.
I recommend monitoring the secondary WAN link with tcpdump to see exactly what’s going on.
tcpdump can also be used to troubleshoot the second issue as well.
Note that the gateway IP is considered part of the encryption domain, so the traffic may be sent via IPsec instead of direct.
Hi PhoneBoy,
I have not seen your answer. Sorry for that.
I fixed the GAiA access problem by routing the traffic past the VPN tunnel. (Port for GAiA excluded in VPN community)
The problem that the device is not pingable and the probing failed still exists. Tcpdump shows that no ICMP packets from my client arrive at the Security Gateway. I also excluded ICMP as a service in the VPN community for testing; after that the ping from my client worked. Seems like I am pinging the public IP through the VPN.
I also pinged the WAN interface of the Security Gateway from our Maestro. There I got an answer from the interface, but I do not see any traffic with tcpdump on the SG's WAN interface.
Do you have any idea why this is happening?
Best regards.
Are you still using R81.10.05 or have you upgraded since?
Additionally, have you tested the Advanced option "Do not encrypt connections originating from the local gateway"?
Hi,
No, I have not updated the OS since then.
Also no.
Thanks for the input, I will test this and let you know how it goes.
Hi,
I've upgraded the Security Gateway to the latest version. It doesn't look like the upgrade has brought any improvement.
The advanced option "Do not encrypt connections originating from the local gateway" is not available on the SG because it is centrally managed.
That option is available in R81.20 Central Management, though (or it should be).
