David_Charnon
Advisor

S2S VPN issue with R80.40 JHFA Take 126

Hi everyone,

I have a VPN star community with a Check Point R80.40 clustered gateway as the center gateway, with 21 Check Point 1430s (locally managed) as satellite gateways. Since applying JHFA Take 126 to the center gateways, one of the VPN tunnels fails to establish from the center gateway to the satellite. The only unique aspect of this satellite gateway is that its "outside" address is NAT'd. In every other way it is configured the same as the 20 other satellite gateways, which still have VPN tunnels successfully established. The satellite gateways are running Gaia R77.20.87 (990173083).

I see JHFA take 126 has a few fixes for NAT-T issues, so I am thinking this is the cause. I do have a support case open, but TAC has been...busy? While I am waiting for them to respond, I thought I'd check in with the community to see if anyone else has a similar scenario.

-Dave

0 Kudos
10 Replies
PhoneBoy
Admin

What JHF were you running previously?

0 Kudos
David_Charnon
Advisor

I was previously running on Take 102

0 Kudos
Ilya_Yusupov
Employee

Hi @David_Charnon,


Can you please share a bit more info about the topology? Is the cluster with JHF 126 behind NAT and doing VPN against an SMB device?

0 Kudos
David_Charnon
Advisor

The cluster with JHF 126 is NOT behind a NAT. The SMB device is behind a NAT. The cluster with JHF 126 has 20 or so other S2S VPNs with other SMB devices that are not behind NATs; it is only this one device that is behind a NAT and for which the tunnel is failing to establish.

0 Kudos
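The topology above (center cluster with a public address, one satellite whose outside address is NAT'd) is exactly the case where IKEv1 NAT Traversal has to do extra work. The following is an added illustration, not code from this thread or from Check Point, of how RFC 3947 NAT-D payloads let each side learn which peer is behind NAT and decide whether to float to UDP 4500. The addresses, cookies, peer names and the `negotiate()` driver are constructed for the example; the hash layout (CKY-I | CKY-R | IP | port) follows the RFC, and SHA-1 is assumed as the Phase 1 hash.

```python
"""Added example: IKEv1 NAT-T detection with NAT-D payloads (RFC 3947).
Not from the original thread; addresses and cookies are constructed."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
# On UDP 4500, IKE messages are prefixed with four zero bytes so the receiver
# can tell them apart from UDP-encapsulated ESP (whose SPI is never zero).
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 s.3.2.
    SHA-1 is assumed as the negotiated Phase 1 hash (constructed choice)."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


class Peer:
    """One IKE endpoint; 'ip'/'port' are the address the peer itself sees on its NIC."""

    def __init__(self, name: str, ip: str, port: int = IKE_PORT):
        self.name, self.ip, self.port = name, ip, port

    def nat_d_payloads(self, cky_i, cky_r, peer_ip, peer_port):
        # RFC 3947 s.4: first the hash of the address we believe the *remote*
        # has, then one hash per local address (a single one here).
        return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
                nat_d_hash(cky_i, cky_r, self.ip, self.port)]

    def inspect_nat_d(self, cky_i, cky_r, src_ip, src_port, payloads):
        # If the sender's idea of *our* address differs from what we have,
        # something rewrote it on the way: we are behind NAT.
        me = nat_d_hash(cky_i, cky_r, self.ip, self.port)
        # If none of the sender's own addresses match the packet's observed
        # source, the sender's address was rewritten: the sender is behind NAT.
        them = nat_d_hash(cky_i, cky_r, src_ip, src_port)
        return {"local_behind_nat": payloads[0] != me,
                "remote_behind_nat": them not in payloads[1:]}


def frame_ike_on_nat_t(ike_msg: bytes) -> bytes:
    """Frame an IKE message for UDP 4500 after NAT has been detected."""
    return NON_ESP_MARKER + ike_msg


def negotiate(center: Peer, satellite: Peer, nat_public_ip=None, nat_public_port=IKE_PORT):
    """Simulate the NAT-D exchange of Main Mode messages 3/4 between the
    center (public address) and a satellite, optionally behind a NAT that
    rewrites the satellite's source to nat_public_ip:nat_public_port."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # constructed responder cookie
    # What the center observes as the satellite's source address.
    if nat_public_ip:
        seen_ip, seen_port = nat_public_ip, nat_public_port
    else:
        seen_ip, seen_port = satellite.ip, satellite.port

    # Center -> satellite: the center addresses the peer as it observes it.
    center_payloads = center.nat_d_payloads(cky_i, cky_r, seen_ip, seen_port)
    satellite_view = satellite.inspect_nat_d(cky_i, cky_r, center.ip, center.port, center_payloads)

    # Satellite -> center: the satellite only knows its own private address;
    # the NAT rewrites the packet source, not the hashes inside it.
    satellite_payloads = satellite.nat_d_payloads(cky_i, cky_r, center.ip, center.port)
    center_view = center.inspect_nat_d(cky_i, cky_r, seen_ip, seen_port, satellite_payloads)

    nat_detected = any(center_view.values()) or any(satellite_view.values())
    return {"center": center_view, "satellite": satellite_view,
            "udp_port": NAT_T_PORT if nat_detected else IKE_PORT}


if __name__ == "__main__":
    center = Peer("center-cluster", "203.0.113.10")
    natted = Peer("satellite-natted", "192.168.1.1")      # private outside address
    plain = Peer("satellite-plain", "198.51.100.8")       # directly reachable
    print(negotiate(center, natted, nat_public_ip="198.51.100.7"))
    print(negotiate(center, plain))
```

Run stand-alone, the NAT'd satellite case reports that the center is not behind NAT while the satellite is, and both sides float to UDP 4500; the plain satellite case stays on UDP 500. That asymmetry is why a fix touching NAT-T handling on the center can affect exactly one of 21 otherwise identical satellites.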
Ilya_Yusupov
Employee

@David_Charnon ,


Do you see any outputs in dmesg? Any drops under fw ctl zdebug + drop?

I guess the NAT device doing NAT for the SMB is not a CP device, correct?

0 Kudos
David_Charnon
Advisor

The device doing NAT for the SMB is a Check Point device, but not managed by me. I've uploaded VPN debugs to my case, but support has yet to respond...

0 Kudos
Ilya_Yusupov
Employee

can you share the case number?

Do you know if the NAT device was also upgraded to this JHF?

0 Kudos
David_Charnon
Advisor

Case number is 6-0003061866.

The NAT device is on R80.20 with JHFA Take 141. It has not been updated recently.

0 Kudos
Ilya_Yusupov
Employee

@David_Charnon - Thank you, I will review it and do my best to push it so you can get answers from support.

0 Kudos
David_Charnon
Advisor

After working a bit with support, I reverted one gateway in the central cluster to JHFA Take 102. When I made that gateway the active member, the tunnel came up. Switching the active member back to the gateway with Take 126, the tunnel failed to come up. I will be sending support more logs soon.

0 Kudos