pyiephyohtay
Contributor

Ping Request time out under vpn to azure issue

Dear Team,

I am facing intermittent 'Ping Request Timeout' issues within an IPsec VPN connection with Azure. The tunnel is connected. Currently, we are monitoring the VPN tunnel using ICMP ping from our on-premise Zabbix server to Azure VMs.

Initially, I attempted the following method: I set the Encryption setting to 'Default Encryption (Most Compatible)' on the Checkpoint Appliance 1880 SMB (on-premise), and on the Azure side, I also used the 'Default (IPsec/IKE) policy'. This resulted in a successful 'Tunnel is connected' status.

The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.

Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.

Initially, I observed that I could access Azure resources using ping, RDP, and SSH from the on-premise network. However, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.

As a next step, I decided to change the Default Encryption setting to a custom encryption value for both Phase 1 and Phase 2. I configured Phase 1 with AES-256, SHA-256, and DH2, and Phase 2 with AES-256, SHA-256, and PFS2 on both the Checkpoint appliance and the Azure side. This resulted in a successful 'Tunnel is connected' status.

The on-premise subnets, 10.101.0.0/16 and 10.102.0.0/16, already have security policies allowed in the Azure configuration.

Azure VNet subnets, 10.10.0.0/16, 10.11.0.0/16, and 30.203.243.64/28, also have security policies allowed in the on-premise Checkpoint firewall.

However, the problem persisted. Initially, I could access Azure resources using ping, RDP, and SSH from the on-premise network. Nevertheless, after approximately 6 hours, ICMP monitoring failed from Zabbix to Azure, and none of the subnet networks could reach the cloud.

Please kindly see the attached information.

Thanks to all.

0 Kudos
1 Reply
G_W_Albrecht
Legend

Does taking the tunnel down and up again resolve it for a while? Where on the way do the ICMP packets get dropped? Consult logs and sniffer.

CCSE CCTE CCSM SMB Specialist
0 Kudos
