This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amir_Arama
Advisor
‎2022-02-03 11:46 AM

GWs decided on NAT-T while they have no nat device in the middle

Jump to solution

hi

we have two GWs which having site to site vpn.

they located in different geographic location, but they have Layer 2 line, so they basically see each other by arp.

so let's say 192.168.1.2/29 and 192.168.1.6/29 (and by these addresses they know each other as peers)

for some reason, instead of using ESP over proto:50, they are deciding to use NAT-T

i can't figure out why. and i was hoping to fix it, to save the double encapsulation. is there a way to understand what is behind this decision?

thanks

gws are single gws with r80.40 latest take. managed by the same mgmt, share the same vpn community.

0 Kudos
1 Solution

Accepted Solutions
Amir_Arama
Advisor
‎2022-02-03 12:23 PM

Jump to solution

ok

i found some sk165003

so i just tried to change the interface that facing the other gw to be configured as EXTERNAL, and it solved it. can't say i understand why it matters for now. and if it's must for the esp.

good night

View solution in original post

4 Replies
the_rock
Champion
Champion
‎2022-02-03 11:59 AM

Jump to solution

Are you saying this worked fine before and it just happened with no change? It makes no sense for nat-t, if there is nothing in the middle...you may see that for vpn clients connection, but thats different.

0 Kudos
Amir_Arama
Advisor
‎2022-02-03 12:23 PM

Jump to solution

ok

i found some sk165003

so i just tried to change the interface that facing the other gw to be configured as EXTERNAL, and it solved it. can't say i understand why it matters for now. and if it's must for the esp.

good night

the_rock
Champion
Champion
‎2022-02-03 12:25 PM
In response to Amir_Arama

Jump to solution

k, good to know!

0 Kudos
Swordfish
Contributor
‎2022-02-04 01:16 AM

Jump to solution

A few month ago we had the same issue (R80.40) without changing anything. We had a site2site VPN running for a long time without NAT-T. Suddenly, whenever our Check Point wants to initiate the tunnel, it used NAT-T and the remote site (Cisco ASA) rejected this attempt, because there was no NAT-T device in place.

One of our gateways crashed a few hours before the issue occurred for the first time, due to a memory error in the kernel. So we had TAC and R&D involved but nobody could find the cause for this NAT-T issue. The memory error got patched but still, our Check Point Gateways always tried to use NAT-T. So we ended up rebooting BOTH nodes at the same time, so no connection etc. could be synced back.

Turns out, this solved our issue. So the crash caused by the memory error, seemed to cause this NAT-T issue.