I have a GAIA R77.30 gateway. We recently upgraded our management station to R80.40. Since then we have noticed that tunnels that we created as per subnet are having issues. When we examined the logs we noticed that the gateway is actually attempting to create a per host tunnel. We are seeing multiple SAs in phase 2 when we should only see one, since all our clients are on the same /24 network. Does anyone have any suggestions?
Thank you for whatever help you can offer.
Hi Phoneboy,
Thank you, but we are not using exclusions in our encryption domain for this community. We created a group with just the subnets that are needed in the encryption domain. We did try "One tunnel per gateway pair" with no luck. This problem seems to have started only when we updated our management station to R80.40, and the gateways are still R77.30. Could there be an incompatibility between the management station and gateways? Also, I know that the management station R80.40 supports a "user defined" domain for each community, but do the R77.30 gateways support it? When I pushed policy I didn't get any errors, so I assumed it works.
R80.40 can manage R77.30 gateways.
However, R77.30 is End of Support.
As far as I know, the VPN Domain Per Community feature does not require gateways to also be on R80.40+.
However, at least for SMB appliances running R77.20.x, it doesn't appear to work: https://community.checkpoint.com/t5/General-Topics/R80-40-Question-about-encryption-domain-per-VPN-c...
You can open a TAC case here, but support will only be provided on best-effort basis.
Upgrading to a supported release is definitely recommended.
Thanks. We did open a TAC case already and they can't explain it either. We have it set to per subnet but it is clearly doing per host. As a temporary fix we asked our partner to set their side (ASA) to per host and things are working. Our partner does want to leave the tunnel as per host permanently and would like us to resolve so they can set it back to per subnet. We will continue to push TAC to look into it further. Thanks for your help.
Hi,
Could you share an example of the log where this happens? Yes, there are some supernetting GuiDBedit things that changed in R80 compared to R77. There is also a file on the mgmt server called crypt.def for excluding certain IP ranges, but it does not sound like you even have that configured. Is it only one tunnel with this issue or multiple? If it's one, you can simply reset it via the vpn tu command on the gateway, but if it's multiple, it sounds like it could be a global issue. Happy to do a remote session and see if I can help you fix it.
Andy
Hi all, did anyone fix this issue?
this is causing random outage to traffic flow inside the vpn in a one-direction way:
r81.10 t79
the fix is not the one in sk39679