Himsha
Explorer

VTI tunnel not working

I have two firewalls: one is a 6200 and the other a 1500 SMB appliance. I have created a VTI tunnel, but the tunnel is not working.

I have created a simple group for the VPN domain. But on the SMB it can't fetch the topology properly, as you can see in the image I have attached.

Why can't it fetch the VPN remote peer IP address?

0 Kudos
8 Replies
PhoneBoy
Admin

What is the 6200 running (Version/JHF)?
What firmware is the 1500 running?
Are both of these gateways managed by the same management? (If so, what version/JHF is managing it)
You created a VTI tunnel: following what instructions, exactly?
"I have created simple group for VPN domain" ok, but where was this configured?
"Tunnel is not working"

  • How did you attempt to test it?
  • How did you determine it "failed"?

Please provide precise troubleshooting steps taken with errors provided.

It's not clear to me if Fetch Topology should fetch the "remote IP" for the VTI peer.
You should enter that manually if it is not being fetched.
If you want to "fix" Fetch Topology, I recommend a TAC case: https://help.checkpoint.com 

0 Kudos
Himsha
Explorer

The 6200 series is running R81.10 JHF 95 and the 1500 series is running R81.10.05.

Both gateways are managed by separate management servers. Both management servers are running R81.20 JHF 10.

And the 6200 series appliances are in a cluster.

VTI interface topology:

I created VTI 18. For the cluster I assigned the following IP addresses: VIP 169.254.180.15, GW1 169.254.180.11, GW2 169.254.180.9.

For the SMB 1500 series the VTI IP is 169.254.180.10.

For testing purposes I ran the command `vpn tu tlist` and it shows a "NO outbound SA" error.

I can't enter it manually; maybe it fetches automatically from the firewall.

0 Kudos
SSlater
Employee

I don't think that a TAC case is warranted for first-time implementations. Account Managers and Sales Engineers on your team should be able to assist, or connect you with PS for assistance.

A few points I noticed:

- Your interfaces are set to DHCP ranges? They should be routable.

- If the SMB device doesn't have a static IP, ensure you have some kind of DynDNS so that we can reach it reliably; otherwise the tunnel will only be reliably initiated from the SMB side.

- If you've followed all the steps outlined in the Admin Guide, make sure you have routes set up. VTIs are not community-based, and will require the traffic to be actually routed out that interface.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/VPN-Tun...


https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/IPv4-St...

0 Kudos
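The three points above (routable tunnel addresses, a reachable peer, and an explicit route out of the VTI) map onto a short Gaia clish configuration. The following is an added example, not configuration posted in the thread or taken from Check Point documentation verbatim. It uses the tunnel addresses the original poster gave; the peer object name "SMB1500" and the protected networks 192.168.20.0/24 (behind the 1500) and 10.10.0.0/16 (behind the cluster) are assumptions chosen for illustration.

```clish
# Added example: Gaia clish on 6200 cluster member GW1 (not from the thread).
# Assumed names: peer gateway object "SMB1500" as defined in SmartConsole,
# remote network 192.168.20.0/24 behind the 1500 (both hypothetical).
# Tunnel addresses 169.254.180.x are the ones given in the thread.

# 1. Numbered VTI 18. "local" is this member's own tunnel address; on GW2 repeat
#    the same command with local 169.254.180.9. The cluster VIP 169.254.180.15 is
#    assigned to vpnt18 in the cluster object's topology in SmartConsole, not in
#    clish, and it is the VIP that the 1500 must use as its remote tunnel address.
add vpn tunnel 18 type numbered local 169.254.180.11 remote 169.254.180.10 peer SMB1500

# 2. Route the remote network out of the VTI. A VTI can be "up" and still carry
#    nothing if no route points at it: route-based VPN selects traffic by routing,
#    not by the community's encryption domain (which stays an empty group).
set static-route 192.168.20.0/24 nexthop gateway logical vpnt18 on

save config

# 3. After policy install, confirm the tunnel interface and the route exist.
show vpn tunnels
show route
```

On the 1500 the mirror image is configured in its WebUI rather than clish: local tunnel address 169.254.180.10, remote address the cluster VIP 169.254.180.15, and a static route for the hypothetical 10.10.0.0/16 via that tunnel interface. If the 1500 sits behind a dynamic address, the 6200 side cannot initiate, so the first SA will only come up when traffic leaves the 1500, which is consistent with the "NO outbound SA" state reported earlier in the thread.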
Himsha
Explorer

Thanks for your support. The issue is resolved.

0 Kudos
PhoneBoy
Admin

How did you resolve the issue?

0 Kudos
Himsha
Explorer

I'm still not getting the VPN peer IP address on the topology page, but the tunnel is working.

On the VPN domain page, instead of "All IP addresses behind Gateway", I selected "User defined", in which I selected the empty group, and then I published and installed the policy and it's working.

0 Kudos
PhoneBoy
Admin

An empty encryption domain is normal for route-based VPNs.

0 Kudos
Himsha
Explorer

I know that, @PhoneBoy. I have an empty group in the VPN communities on both sides, but the empty group was not defined in the VPN domain. When I defined the empty group in the VPN domain and installed the policy, it worked.

0 Kudos