
Hi All,
I have a route-based vpn between a Check Point cluster (R81.20 Take 113) and a FortiGate. The vpn establishes and vpn tu tlist shows the correct traffic selectors, but the tunnel is ‘narrowed’ and traffic from the remote subnet does not arrive.
My TS: 10.53.25.160/28 Peer TS: 192.168.5.0/28
When the local peer sends outbound traffic, the Check Point creates an additional tunnel with traffic selectors 0.0.0.0/0 on both sides, and this tunnel shows as ‘eclipsed’. Logs show outbound traffic is encrypted for the vpn and hits the correct outbound NAT rule translating it to a 10.53.25.x address.
fw ctl zdebug + drop | grep 192.168.5.x shows outbound traffic being dropped with “no MSPI for MSA”.
The FortiGate peer then immediately sends a request to delete the SA –
“Informational exchange: Received delete IPsec SA request”
but the eclipsed tunnel persists until it eventually ages out.
The behaviour of the narrowed and eclipsed tunnels is as described in sk166417.
There are no overlapping addresses in the encryption domains and other route-based vpns on the Check Point with AWS are working correctly.
Many combinations have been tried for the encryption domains:
- empty domains on one, other and both sides
- subnets on one, other and both sides
- individual IP addresses on one, other and both sides – including with and without the physical IP addresses of the servers
One tunnel per pair of hosts – does not work and causes repeated failed IKE negotiations.
One tunnel per subnet pair – does not work, same result.
One tunnel per gateway pair – the only option that works.
Any suggestions?
Thank you