Alex-
Advisor

Possible SecureXL issue on inter-VS traffic

Platform: 26000 VSX

OS: R80.30 3.10 Take 155

 

Please consider the following network design. Interface names are simplified for the sake of clarity.

[Image: intervstraffic.png]

Both VS have mutual static routes for SRC and DST pointing to each other's end of the VSWITCH and there's traffic flowing in both directions.

Now the issue: an application is hosted in VS2. End-users from VS1 launch a Java client that connects on a custom port (this is an in-house program) to the server in VS2. For some reason, traffic is classified as SSLv3 at the application level, maybe because of the content of the connection, but is still accepted in the logs (both Security and Application policies allow that flow), but the application never connects. I also get the Alert in the logs stating that the domain can't be resolved and I should check my DNS configuration.

fw monitor shows that we don't go further than "i" on VS1 even though it shows as accepted in the tracker. 

Disabling SecureXL on VS1 immediately solves the issue and the application launches with a flurry of iI-Oo in FW monitor.

I will upgrade the VSX to Take 191 in the coming days and report if it solves the issue, but I don't know if others here would have seen a similar problem and have a suggestion. The setup itself isn't new; it has been migrated to a 26K-base a few months back and according to the customer, this issue appeared a few days ago.
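To turn the symptom described in this post (packets seen at "i" and nowhere else) into something that can be checked over a saved fw monitor text capture, here is an added example that is not part of the original post. It groups packets by flow and lists the flows that never reach the post-outbound point; the line layout matched by the regex is an assumption, and the interface names, addresses and ports in the sample are constructed.

```python
import re
from collections import defaultdict

# Assumed fw monitor text layout:
#   "[vs_N][fw_N] <iface>:<point>[<len>]: <src> -> <dst> (<proto>) ..."
LINE = re.compile(
    r"\[vs_(?P<vs>\d+)\]\[fw_\d+\]\s+(?P<iface>[\w.\-]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) \((?P<proto>\w+)\)"
)
ORDER = "iIoO"  # pre-inbound, post-inbound, pre-outbound, post-outbound


def chain_progress(lines):
    """Map (vs, src, dst, proto) to the inspection points seen, in chain order."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m:  # detail lines such as "TCP: 40112 -> 9443 ..." are skipped
            seen[(int(m["vs"]), m["src"], m["dst"], m["proto"])].add(m["point"])
    return {flow: "".join(p for p in ORDER if p in pts) for flow, pts in seen.items()}


def stalled_flows(lines):
    """Flows whose packets were never seen at the post-outbound point 'O'."""
    return {flow: pts for flow, pts in chain_progress(lines).items() if "O" not in pts}


# Constructed sample: the TCP flow stops at 'i', the ICMP flow passes the whole chain.
SAMPLE = """\
[vs_1][fw_0] eth1:i[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4100
TCP: 40112 -> 9443 .S.... seq=1a2b3c4d ack=00000000
[vs_1][fw_0] eth1:i[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4101
TCP: 40112 -> 9443 .S.... seq=1a2b3c4d ack=00000000
[vs_1][fw_2] eth1:i[84]: 10.1.1.11 -> 10.2.2.20 (ICMP) len=84 id=77
[vs_1][fw_2] eth1:I[84]: 10.1.1.11 -> 10.2.2.20 (ICMP) len=84 id=77
[vs_1][fw_2] wrp1:o[84]: 10.1.1.11 -> 10.2.2.20 (ICMP) len=84 id=77
[vs_1][fw_2] wrp1:O[84]: 10.1.1.11 -> 10.2.2.20 (ICMP) len=84 id=77
""".splitlines()

if __name__ == "__main__":
    for (vs, src, dst, proto), pts in sorted(stalled_flows(SAMPLE).items()):
        print(f"VS{vs} {src} -> {dst} ({proto}): seen only at '{pts}'")
```

Running the same summary on a capture taken with SecureXL enabled and one taken with it disabled gives a per-flow before/after comparison to attach to a support case.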
