Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
lcako
Explorer

Routing Problem

I have the topology in the picture, and the L2TP 192.168.18.100 route is not working, and I can't open the web page. Additionally, the route to IP 10.0.219.246 is not working. I have the PCs in my office that go through the firewall via a Mikrotik port. Strangely, the SAS page on VLAN 249 with IP 10.0.200.249 opens. The other page on VLAN 219, 10.0.219.246:9082, does not open. Both are on the same logic and pass through the same router; only the VLAN changes. Could it be blocked at the port? Is an allow policy needed? The general firewall policy is to allow communication between internal interfaces. I haven't made it strict because I know it blocks everything. The 192.168.18.100:8080 that is blocked seems like the same problem. Maybe the ports need to be allowed? My PC, which goes through the Mikrotik, opens the web page with VPN. However, the PC that goes through the firewall doesn't open it. I suspect the ports are being blocked.

0 Kudos
11 Replies
Duane_Toler
Advisor

First, uncheck "Show inactive routes" so we can see only the active routes.  If you have inactive routes, then you have a routing protocol administrative-distance (metric) problem.  Connected routes override static routes, which override all other routes (unless you have changed the protocol ranking manually).

 

0 Kudos
lcako
Explorer

i put microtik instead of firewall, and it worked with the same routing method. when i put sg1575 firewall it doesnt work. I did your solution and i dont have inactive routes and the problem is still the same

0 Kudos
Duane_Toler
Advisor

Have you checked the gateway firewall logs?  You may have an anti-spoofing problem on some interface.   I also see your default route is via a DMZ VLAN interface; this is unusual.  This interface would need to be an External (Internet) topology for anti-spoofing.

 

0 Kudos
lcako
Explorer

what is strange too is that ip from route in line 9 cam be pinged. also line 8 can be pinged. line 10 , 7 and 6 cannot be pinged. 

0 Kudos
Duane_Toler
Advisor

After you check the logs and anti-spoofing, check the interior router and make sure it has valid return routes via the SMB 1575 gateway.  How is your L2TP client connecting to the network; is it connecting via the SG1575 external interface, or something else?  Check the active routes on the L2TP client to see if the routes are being installed correctly.  You can try traceroute, but this may be ambiguous for an L2TP client, so don't fall into a trap of troubleshooting the wrong problem if traceroute fails.  However, if it works, then that is excellent.

 

If line 9 can be pinged, but others cannot, check the internal router to make sure it has interfaces in "Up" state for those VLANs.  Check the hosts on those VLANs to make sure they can send return traffic via the internal router for your L2TP client (either default route, or something else).

 

0 Kudos
lcako
Explorer

i reconfigured them again and i tried to removed static routes , config OSPF from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Which version/build firmware is this Spark device installed with?

CCSM R77/R80/ELITE
0 Kudos
lcako
Explorer

i reconfigured them again and i tried to removed static routes , config OSPF from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them

0 Kudos
Chris_Atkinson
Employee Employee
Employee

If a path using L2TP is in the mix have you configured MSS clamping (sk121114) at all?

Again, are you running R81.10.10 firmware (build 996002906) or something else?

Solved: Anti-Spoofing detection - Check Point CheckMates

 

 

CCSM R77/R80/ELITE
0 Kudos
lcako
Explorer

i did ospf routing and i found the solution 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Ok great - what was the solution so others can understand the problem/cause better?

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events