Sorry for the delayed response and many thanks for your advice.

It's already running with KPPAK due to non optimal ruleset... 😞 

We already tried to switch off secureXL as well but it did not help, even changing from usermode to kernel mode also not working, I was told that it's not support on 9400 with R81.20 anymore. 

On the old openserver R81.10, it was running with kernel mode. 

Any other ideas? May I know which version & take was working for you? 

Hey Andy, 

Sorry for the delayed response and many thanks for your kind offer. I really appreciate it.

Unfortunately, I am not allowed to do so...

May I know which Gaia OS version and take was working for you?

It's really strange behaviour that we can only see clear text on oneway from R81.10 to R81.20 but not the another way around.

In tcpdump on MPLS interface, we can only see echo reply, when do ping from R81.20 --> R81.10:

tcpdump -nnei bond11.14 host 172.31.55.165 and host 10.64.8.117 -s 0

And between R81.20 GWs, there even is no traffic can be seen on MPLS interfaces, except ESP traffic:

Yes, both R81.20 and R82 as well, latest jumbos.

Just curious, how is tunnel management configured?

The GW is participating 2 communities (star and mesh) but we have tunnel management set like this:

Regarding the RIM, it looks like that it is not fit to our design, as I understand, with RIM - the Routers stays behind Firewall and reroute the traffic once VPN tunnel down, which is completely opposite with what we are trying to achieve by following sk56384. The primary line should be MPLS (routers stay infront of Firewalls and propagate BGP routes to peers), all traffic should be routed to MPLS line as long as the peers having MPLS (some locations has only internet line)

We verified that all the routes are propagated, the traffic is only on MPLS but it's encrypted, which prevent us to do QoS on MPLS routers.

BTW, is it recommend to set Permanent tunnel if we have only Checkpoint GW? Will it be any performance impact if we have 60+ GWs in a community? I am somehow not so clear with this setting, as I tried to set it once then the tunnels became unstable. 

Many thanks in advance!

Best regards,

Andy

Thanks for the detailed explanation @anhht4 . I can tell you from all my experience with building route based tunnels, and I must have done at least 100 of them, that setting for permanent tunnel should not relate to number of gateways in community at all. Now, I always found its best to enable it, along with per gateway setting IF it is indeed route based with BGP involved. Now, if its domain based, then you can still use it, but it would not be as relevant.

See if this post I made last year helps.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Many thanks Andy for sharing, I am considering this for our WAN redesign. 

Anyway, TAC is involved and case already escated to R&D, will keep posted.

Cheers,

Andy

Yes, of course!

If you can, I would definitely try tunnel management as per gateway and permanent tunnel option and see if it makes any difference.

Hey Andy,

Any luck with this?

Hey Andy,

Apologies for delayed response. I will try this tonight and get back to you with result. 

Recently, the tunnel was frozen, no traffic passing through over the tunnel event all tunnels were up. After a tunnel reset, it's back to normal. I wonder if we should apply this : sk180956 - Traffic through a VPN tunnel does not flow as expected when "Link Selection probing" and ... for the R81.10 GW. We do have NAT-T enabled on both peers. 

Any advice on this as well?

Many thanks!

BR,

Andy

If the sk applies to your setup, then yes.

Thanks Andy, I have applied the sk and change the tunnel management per your advise, but I still see 11 tunnel with the corresponding peer after policy install and tunnel reset:

I suppose to see only 1 Tunnel, right?

And tcpdump still see 1 way in clear text:

BR,

Andy

I know fw monitor would usually show Oe flag if traffic is enctypted, How many tunnels are supposed to show as up?

I understand if we set per GW then only 1 tunnel should be up but now 11 tunnels are all showing up 😞

For whatever fw monitor flag show, I suppose we can see the traffic in clear text on vpn_trusted interface when doing tcpdump on that specific interface?

BR,

Andy

Thats odd then...just to clarify, ONLY 1 tunnel is supposed to show up? Do you have just 1 centre and 1 satellite gateway?

Yes, it's really strange, we have only 1 centre and 1 satellite :

What time zone are you in? Are you allowed to do remote?

Hey Andy, just DM you ...

BR,

Andy

Just responded.

Hey mate,

Any luck with this?

Hey Andy,

Unfortunately, we have not got any action plan from CP yet. Only some fw monitor that we need to collect for further investigation.

Cheers,

Andy

No problem, keep us posted.

Hey mate,

Any progress?