This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2025-02-23 06:48 AM

Something to keep in mind when VPN tunnel is down

Hey guys,

I know these settings in Guidbedit might not always be relevent, specially in newer versions, but I did come across few scenarios lately, in R81.20 as a matter of fact, where we had to go to guidbedit and set below values to false to get VPN tunnel to work:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

 

I sometimes also check this on the gateway, though this was only problem few times, so probably not a requirement, but also something to consider:

 

gateway object -> other -> connection persistence -> I always check keep all connections

 

Andy

8 Replies
kamilazat
Advisor
‎2025-02-23 10:56 PM

Yes! And this can become a daunting issue when trying to set up a tunnel with 3rd party peers. And if you're unlucky enough, even some TAC engineers forget to think about it and a simple solution as this turns into a repeated debugging and messaging back and forth. 

Or if you pay attention during your studies for CCTE, hopefully it won't become that big of an issue 🙂

the_rock
Legend
Legend
‎2025-02-24 04:18 AM
In response to kamilazat

Well, its good those sort of things dont happen too often these days, but just something to keep in mind, as I mentioned. Thats why we share ideas on here, to help others out 🙂

Andy

0 Kudos
CaseyB
Advisor
‎2025-02-24 07:52 AM

Do you think these still come into play when using granular encryption domains?

the_rock
Legend
Legend
‎2025-02-24 08:03 AM
In response to CaseyB

Hey @CaseyB 

I can only speak from my own experience and here it is 🙂

Ever since R80 came out, I had never seen this issue with Azure, AWS or Fortinet, ONLY with Palo Alto and Cisco. Cant say if thats case with others, but thats what I had observed.

Andy

the_rock
Legend
Legend
‎2025-02-24 06:36 PM
In response to CaseyB

One thing I also found from time to time, depending on 3rd party vendor, is that say even if ONLY subnets are involved, you still may need to select "per gateway" in tunnel management tab of the VPN community.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-02-25 06:53 AM
In response to G_W_Albrecht

All great references @G_W_Albrecht 

0 Kudos
the_rock
Legend
Legend
‎2025-02-25 06:56 AM
In response to G_W_Albrecht

Btw, that last sk, never seen it before, but ran the command in R82 and it worked.

Thank you!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top