
site to site VPN troubleshooting without monitoring blade

Question asked by 7d00e9ed-fd15-4c85-8811-ca5feab8063a on Oct 15, 2018
Latest reply on Oct 16, 2018 by 7d00e9ed-fd15-4c85-8811-ca5feab8063a

Check Point 80.10 has several VPNs that are up and working fine.

There is a problem with a VPN to a Palo Alto firewall. The VPN is up but can't send or receive traffic. There is no Monitoring blade licence, so troubleshooting options are limited.

1. "vpn tu" command shows tunnels are up.

2. fw.log shows ICMP traffic from local to peer going out (description "Encrypted in community")

3. fw.log shows ICMP traffic from peer to local coming in (description "Decrypted in community")

Yet the peer firewall team says nothing is hitting their side over the tunnel, and neither side gets a ping reply.

100% confirmed all the usual: phase 1, phase 2, IKEv1, main mode, pre-shared key, firewall rules, encryption domains, etc.

No problem with VPNs to any other firewall (Cisco ASA, SonicWall, WatchGuard).