Wesley_van_der_
Participant

ESP traffic dropped by remote party

Hi CheckMates,

In a Cluster environment (R80.30) we have a new internet connection and our first task is to migrate the VPNs to the second internet connection. We successfully did that for multiple VPNs now, but only 2 VPNs have the same issue. I have to say that the new internet connection is a little bit special, since the IP address of the external interface is used for a transit network with our ISP. The real public IP is on another interface and the ISP routes it to the firewall cluster.

For the last 2 VPNs, we do successfully get a P1 and P2. Also the remote party is able to send traffic to us. We can see that traffic in the logs getting decrypted and confirmed that with a packet capture on the Check Point. Unfortunately all the traffic we send to the remote party is dropped on the Cisco ASA because the ESP traffic is received on their side from our new external interface IP (the IP used for transit between our Check Point and ISP).

So this is a legitimate reason to drop our traffic of course. But how can we force the Check Point to send ESP packets with the right source IP address? Why do only 2 of the 7 VPNs have this issue?

I first thought that it had something to do with routing or link selection. But if that is the case, I do not understand why this setup works for the other 5 VPNs.

Thank you in advance!

Regards,

Wesley
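A small diagnostic that turns the packet-capture check described in the post into a repeatable test, added here as an example and not part of the original post or of any Check Point tool. It parses tcpdump-style ESP lines and reports, per remote peer, which local source IP the gateway used for outbound ESP, so a peer that receives ESP from the transit address instead of the real public IP stands out immediately. The capture lines and all addresses (203.0.113.10 as the real public IP, 192.0.2.2 as the transit IP, 198.51.100.5 and 198.51.100.9 as two remote peers) are constructed placeholders; the line format is the usual `tcpdump -n` rendering of ESP and is assumed, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture (placeholder RFC 5737 addresses, not real data).
# 203.0.113.10 = real public VPN IP, 192.0.2.2 = transit IP toward the ISP,
# 198.51.100.5 and 198.51.100.9 = two remote VPN peers.
SAMPLE_CAPTURE = """\
10:00:01.100 IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
10:00:01.105 IP 192.0.2.2 > 198.51.100.5: ESP(spi=0x5e6f7a8b,seq=0x1), length 132
10:00:01.110 IP 198.51.100.9 > 203.0.113.10: ESP(spi=0x11223344,seq=0x7), length 116
10:00:01.115 IP 203.0.113.10 > 198.51.100.9: ESP(spi=0x55667788,seq=0x7), length 116
10:00:01.120 IP 192.0.2.2 > 198.51.100.5: ESP(spi=0x5e6f7a8b,seq=0x2), length 132
10:00:01.125 IP 203.0.113.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

# Matches one ESP line as printed by "tcpdump -n" (assumed format).
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), "
    r"length (?P<len>\d+)$"
)


def parse_esp(capture_text):
    """Return one record per ESP line; lines for other protocols are skipped."""
    records = []
    for line in capture_text.splitlines():
        m = ESP_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "spi": int(m.group("spi"), 16),
            "seq": int(m.group("seq"), 16),
            "length": int(m.group("len")),
        })
    return records


def outbound_sources(records, peers):
    """Map each remote peer to the sorted list of local source IPs seen on ESP sent to it."""
    seen = defaultdict(set)
    for r in records:
        if r["dst"] in peers:          # outbound: destination is a known peer
            seen[r["dst"]].add(r["src"])
    return {peer: sorted(seen[peer]) for peer in peers}


def mismatched_peers(records, peers, expected_src):
    """Peers that received ESP from any address other than the expected public IP."""
    by_peer = outbound_sources(records, peers)
    return sorted(
        peer for peer, srcs in by_peer.items()
        if any(src != expected_src for src in srcs)
    )


if __name__ == "__main__":
    peers = {"198.51.100.5", "198.51.100.9"}
    recs = parse_esp(SAMPLE_CAPTURE)
    for peer, srcs in outbound_sources(recs, peers).items():
        print(f"peer {peer}: outbound ESP sourced from {', '.join(srcs) or 'none'}")
    bad = mismatched_peers(recs, peers, "203.0.113.10")
    print("peers that would drop our ESP (wrong source IP):", bad or "none")
```

On real gateways the capture would be taken on the external interface with a filter such as `esp` and fed to `parse_esp`; the point of the check is that it is run per peer, which is exactly what separates the 2 broken tunnels from the 5 working ones without relying on the remote side's logs.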

6 Replies