This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ninjawalsh
Explorer
‎2024-02-16 01:05 PM

R81.20 VSX VTI routing

Hi ,

This my first post so apologies if I don't follow the expected etticate while I get used to the forum.

 

Anyway the  issue  I have created a routed VPN to Azure for our orgs new  Remote client VPN . As I can see the VTI tunnels are working . However , outbound traffic routes to the wrp external interface . The logs stat traffic is encrypted by the community. Also traffic does get to the Azure infrastructure.  The reason for my post is the logs for inbound traffic from the Azure side show the traffic hitting the VTI tunnel .

Is this normal behaviour ?

0 Kudos
1 Reply
the_rock
Legend
Legend
‎2024-02-18 04:09 PM

Let me take a "stab" at it, as the saying goes. So, Im fairly experienced with tunnels to Azure, I had helped lots of customers with it, plus had done extensive testing in the lab as well.

So, I have some question for ya.

1) is this numbered or unnumbered VTI?

2) Regardless what answer is to question1 (though it is somewhat important), can you please share how the route is configured for the subnet on Azure side? (please blur out any sensitive info)

3) As far as topology in smart console, this is SUPER IMPORTANT and it has to be correct...make sure anti-spoofing is disabled and actual remote peer matched EXACTLY how its configured in smart console interoperable object.

4) Is remote peer external IP added to be exmpred for anti spoof checks on external interface? Because if not, it should be

5) Do you have a route to external IP of the peer with default gateway of your upstream router IP?

Thats all I can think of for now.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events