maad-pul
Participant

Could 3rd party VPN peer be a Check Point remote Interoperable Device?

Hi,

When Check Point refers to "3rd party VPN peer" in documentation/SKs, could that be a Check Point remote device?
We are dealing with a bug where the customer doesn't think the problem is related to the bug (sk165003) because the bug mentions "3rd party VPN peer". Both ends (we and the customer) are running Check Point, but the Check Point appliances are in totally different management systems etc. What's your thought about "3rd Party peer"? Are "3rd Party peers" all vendors except Check Point, or could it even be a Check Point (Interoperable Device) managed by a totally different management platform?

Regards

4 Replies
G_W_Albrecht
Legend

Does vpnd.elg show the errors from sk165003? Anyway, installing the newest Jumbo HFAs is suggested by CP for every deployment...

CCSE CCTE SMB Specialist
maad-pul
Participant

The other end is not patched (according to the SK - Jumbo Hotfix Accumulator for R80.30 starting from Take 219) and I have not received logs or vpnd.elg from their end. Sorry! 😕
They have a TAC case just to verify whether the problem is related to the bug or not, but haven't received any feedback from TAC.
Since the weekend we have fallen back to IKEv1 and the problem has not occurred yet.

Danny
Champion

A 3rd party device is by definition a non-Check Point device. Otherwise it wouldn't be a 3rd party.

That being said, an externally managed Check Point device can be integrated into your setup as an interoperable device object. I've seen that working several times, though the correct way would be to add it as an externally managed Check Point VPN gateway object.

the_rock
Authority

To answer your question, the answer is yes, BUT probably not fully supported. So, I had seen people in the past use an interoperable device object for a CP appliance, but as @Danny indicated, by definition a 3rd party is a non-CP appliance. Now, technically, if it's a CP device managed by another mgmt server, then you create an externally managed object and that is the way to do it. Would that fix your problem? I have no idea, but it's the right way of doing it. If that fails, then you can engage TAC to troubleshoot further or run the debugs below to check:

vpn debug trunc

vpn debug ikeon

generate traffic

vpn debug ikeoff

fw ctl debug 0

fw ctl debug -x

Check the vpnd.elg files, as well as ike.elg, in the $FWDIR/log directory.

Hope that helps.

Andy
