This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Charnon
Advisor
‎2021-11-23 07:18 AM

S2S VPN issue with R80.40 JHFA Take 126

Hi everyone,

I have VPN star community with Check Point R80.40 clustered gateway as center gateway, with 21 Check Point 1430s (locally managed) as satellite gateways. Since applying JHFA Take 126 to the center gateways, one of the VPN tunnels fails to establish from the center gateway to the satellite. The only unique aspect of this satellite gateway is that its "outside" address is NAT'd. In every other way it is configured the same as the 20 other satellite gateways, which still have VPN tunnels successfully established. The satellite gateways are running Gaia R77.20.87 (990173083).

I see JHFA take 126 has a few fixes for NAT-T issues, so I am thinking this is the cause. I do have a support case open, but TAC has been...busy? While I am waiting for them to respond, I thought I'd check in with the community to see if anyone else has a similar scenario.

-Dave

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-11-29 12:31 PM

What JHF were you running previously?

0 Kudos
David_Charnon
Advisor
‎2021-11-29 12:50 PM
In response to PhoneBoy

I was previously running on Take 102

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-11-29 11:37 PM
In response to David_Charnon

Hi @David_Charnon,

 

Can you please a bit share more info about the topology? is the Cluster with JHF 126 is behind NAT and doing VPN against SMB device?

0 Kudos
David_Charnon
Advisor
‎2021-11-30 05:45 AM
In response to Ilya_Yusupov

The cluster with JHF 126 is NOT behind a NAT. The SMB device is behind a NAT. The cluster with JHF 126 is 20 or so other S2S VPNs with other SMB devices that are not behind NATs, it is only this one device that is behind a NAT and which the tunnel is failing to establish.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-11-30 06:01 AM
In response to David_Charnon

@David_Charnon ,

 

Do you see any outputs in dmesg? Any drops under fw ctl zdebug + drop?

i guess the NAT device that doing NAT for the SMB is not CP device, correct?

0 Kudos
David_Charnon
Advisor
‎2021-11-30 06:05 AM
In response to Ilya_Yusupov

The device doing NAT for the SMB is a Check Point device, but not managed by me. I've uploaded VPN debugs to my case, but support has yet to respond...

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-11-30 06:17 AM
In response to David_Charnon

can you share the case number?

Do you know if the NAT device was also upgrade to this JHF?

0 Kudos
David_Charnon
Advisor
‎2021-11-30 07:34 AM
In response to Ilya_Yusupov

Case number is 6-0003061866.

The NAT device is on R80.20 with JHFA Take 141. It has not been updated recently.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-11-30 08:30 AM
In response to David_Charnon

@David_Charnon  - Thank You, i will review it and do my best to push it so you can get answers from support.

0 Kudos
David_Charnon
Advisor
‎2021-12-06 10:55 AM
In response to Ilya_Yusupov

After working a bit with support, I reverted one gateway in the central cluster to JHFA Take 102. When I made that gateway the active, the tunnel came up. Switching the active back to gateway with Take 126, the tunnel failed to come up. I will be sending support more logs soon.

0 Kudos