S2S VPN issue with R80.40 JHFA Take 126
Hi everyone,
I have a VPN star community with a Check Point R80.40 clustered gateway as the center gateway, with 21 Check Point 1430s (locally managed) as satellite gateways. Since applying JHFA Take 126 to the center gateways, one of the VPN tunnels fails to establish from the center gateway to the satellite. The only unique aspect of this satellite gateway is that its "outside" address is NAT'd. In every other way it is configured the same as the 20 other satellite gateways, which still have VPN tunnels successfully established. The satellite gateways are running Gaia R77.20.87 (990173083).
I see JHFA take 126 has a few fixes for NAT-T issues, so I am thinking this is the cause. I do have a support case open, but TAC has been...busy? While I am waiting for them to respond, I thought I'd check in with the community to see if anyone else has a similar scenario.
-Dave
What JHF were you running previously?
I was previously running on Take 102
Hi @David_C1,
Can you please share a bit more info about the topology? Is the cluster with JHF 126 behind NAT and doing VPN against an SMB device?
The cluster with JHF 126 is NOT behind a NAT. The SMB device is behind a NAT. The cluster with JHF 126 has 20 or so other S2S VPNs with other SMB devices that are not behind NATs; it is only this one device that is behind a NAT and for which the tunnel is failing to establish.
Do you see any outputs in dmesg? Any drops under fw ctl zdebug + drop?
I guess the NAT device that is doing NAT for the SMB is not a CP device, correct?
The device doing NAT for the SMB is a Check Point device, but not managed by me. I've uploaded VPN debugs to my case, but support has yet to respond...
Can you share the case number?
Do you know if the NAT device was also upgraded to this JHF?
Case number is 6-0003061866.
The NAT device is on R80.20 with JHFA Take 141. It has not been updated recently.
@David_C1 - Thank you, I will review it and do my best to push it so you can get answers from support.
After working a bit with support, I reverted one gateway in the central cluster to JHFA Take 102. When I made that gateway the active one, the tunnel came up. Switching the active back to the gateway with Take 126, the tunnel failed to come up. I will be sending support more logs soon.