This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Graham1
Contributor
‎2023-12-27 04:27 PM
Jump to solution

Azure to On-Prem VPN policy change while VPN is down

I am currently testing CloudGuard Network.  Previously I have a working Site-2-Site VPN working to my on-premises 6700.  Both were managed by the same Management server (again on-prem).

Today I unfortunately had to change the External IP of my 6700 due to ISP requirements.  

I am seeing that the 6700 is still using the old external IP which of course is failing:
# tcpdump -nni any host 20.151.201.XX and port 4500 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:54:41.350998 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x163), length 100 14:54:41.351001 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x163), length 100
14:54:41.550805 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x164), length 100 14:54:41.550807 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x164), length 100
14:54:41.924931 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x165), length 100 14:54:41.924933 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x165), length 100

The only way I have fixed this previously is to push a new policy, which I can't do with the policy down.

My next thought is to attach a new temp public IP to the backend vnet, but I think the policy will block that too.
I do have a case open with Support, but thought I would try here as well.

Anything else I can try?

0 Kudos
1 Solution

Accepted Solutions
Graham1
Contributor
‎2023-12-28 09:56 AM
In response to PhoneBoy
Jump to solution

Thanks for the replies everyone.  This was really strange one for me since I was seeing both ends of the VPN still trying to use the old IP of the on-prem GW, even though I updated the IPSEC VPN link selection (manual to external IP). 

I spent some time with Support last night and they couldn't resolve the issue either and the next step was going to be upgrade from R81.10 take 66 to take 130.  I did see that there are many VPN fixes in the versions between, but I only get yearly  maintenance windows, unless emergencies occur.  

I had pushed multiple polices for both ends since it is centrally  managed, but no luck.

Finally the fix:  remove GWs from the VPN community, install policy, re-add GWs to community and install policy again.

View solution in original post

5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-12-27 07:14 PM
Jump to solution

If you are indeed testing I would suggest building the scenario so that Management traffic isn't via the VPN where possible.

Refer also sk104582.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2023-12-27 09:09 PM
Jump to solution

Your last comment about backend vnet makes sense to me.

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-28 09:35 AM
Jump to solution

Anytime you change the management IP (as the gateway sees it), you need to push a new policy.
On the gateway, you can do an fw unloadlocal, which unloads the existing security policy and should allow this.

Graham1
Contributor
‎2023-12-28 09:56 AM
In response to PhoneBoy
Jump to solution

Thanks for the replies everyone.  This was really strange one for me since I was seeing both ends of the VPN still trying to use the old IP of the on-prem GW, even though I updated the IPSEC VPN link selection (manual to external IP). 

I spent some time with Support last night and they couldn't resolve the issue either and the next step was going to be upgrade from R81.10 take 66 to take 130.  I did see that there are many VPN fixes in the versions between, but I only get yearly  maintenance windows, unless emergencies occur.  

I had pushed multiple polices for both ends since it is centrally  managed, but no luck.

Finally the fix:  remove GWs from the VPN community, install policy, re-add GWs to community and install policy again.

the_rock
Legend
Legend
‎2023-12-28 09:59 AM
In response to Graham1
Jump to solution

Odd you had to do that to fix the problem, but hey, as long as it works ; - )

Thanks for the update.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events