CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Need urgent help on unique issue

  1. #1
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Need urgent help on unique issue

    Hi Guys,

    I have been scratching my head for the last two days and am about to give up. My SecuRemote client is somehow not working, or gets disconnected within 5 seconds, when connecting from broadband or from private subnets that are NATed to reach my firewall. But whenever I connect through a 3G dongle or USB modem it connects fine and stays up.

    I have a Gaia R77.20 firewall in a VRRP cluster. SmartView Tracker shows my private IP as the source IP, and later I see "tunnel_test failed".

    Has anyone seen this issue before, or is anyone aware of the answer?

  2. #2
    Join Date
    2014-09-04
    Location
    Johannesburg, South Africa
    Posts
    10
    Rep Power
    0

    Default Re: Need urgent help on unique issue

    I would check the following:

    1. Do the private ranges your clients connect from overlap with your internal encryption domain or IP scheme? If so then odds are they won't be able to make a successful connection from the private IP range as the client will think that the destination is local instead of VPN-routable.

    2. What is the main IP of your gateway (the IP in the general section). This should be the external address on the internet. If not, change it to the external address or use link selection to force it to use the external address.

    3. Make sure you don't have a conflicting route on your gateway that routes the private IP space into the network. Some administrators like adding summarized routes onto the firewall to route all private traffic internally. If such a route exists, the tunnel tests would fail as the gateway would route the traffic the wrong direction before trying to encrypt it.

    Let us know what you find.

    Matt

  3. #3
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Default Re: Need urgent help on unique issue

    FYI: SecureClient & Office Mode will resolve most of the above.

  4. #4
    Join Date
    2014-09-04
    Location
    Johannesburg, South Africa
    Posts
    10
    Rep Power
    0

    Default Re: Need urgent help on unique issue

    Agreed but that's not free :-). OM is always the best option if you have a license that covers it.

  5. #5
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Re: Need urgent help on unique issue

    Thanks MOdendaal.

    Here is my scenario. I have a cluster which sits behind an Internet link balancer, hence the firewall does not have a public IP interface or a routable IP address. There is a private segment configured between the link balancer and the firewall.

    And no, I don't have a summarized route on the firewall, but as you correctly said, I do not have OM/SecureClient licenses, hence I am struggling with SecuRemote.

    Any other option?

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: Need urgent help on unique issue

    Quote Originally Posted by blason:
    Thanks MOdendaal.

    Here is my scenario. I have a cluster which sits behind an Internet link balancer, hence the firewall does not have a public IP interface or a routable IP address. There is a private segment configured between the link balancer and the firewall.

    And no, I don't have a summarized route on the firewall, but as you correctly said, I do not have OM/SecureClient licenses, hence I am struggling with SecuRemote.

    Any other option?
    On the firewall object under IPSec VPN...Link Selection ensure you have "Always use this address..Statically NATed IP" and type in the firewall's outside, routable NAT address provided by the load balancer. The Link Selection screen tells the client what IP address to send tunnel tests to and will most certainly fail in your scenario if not configured properly. Also you need to ensure that the load balancer at a minimum is allowing inbound connections to the firewall via its NAT address for:

    UDP 500
    IP protocol 50 (ESP)
    UDP 4500
    UDP 2746 (may not be needed)
    TCP 256

    That should be all you need just for SecuRemote; SecureClient would need a few more ports.
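The two replies above (post #2's overlap and main-IP checks, post #6's Link Selection address and the inbound traffic the link balancer must pass) can be turned into a small pre-flight script. This is an added example for this thread, not Check Point code and not anything the posters ran; the subnets, the advertised address and the balancer rules in it are constructed to resemble the scenario described (a broadband client on a home 192.168.x.x LAN, a gateway that only has a private address on the balancer-facing segment), and the required-traffic list is copied from post #6.

```python
"""Pre-flight checks for a SecuRemote client connecting through NAT.

Added example for this thread (not Check Point's code, not a poster's).
It encodes the three things the replies say to verify:
  1. the client's local private subnets must not overlap the gateway's
     encryption domain, otherwise the client treats VPN destinations as local;
  2. the address the gateway advertises via Link Selection must be the
     Internet-routable NAT address, not the private address on the
     balancer-facing segment;
  3. the link balancer must forward the listed IKE/IPsec traffic inbound
     to that NAT address.
Every address, subnet and balancer rule below is a constructed sample.
"""
import ipaddress

# RFC 1918 plus the RFC 6598 shared range: a client on the public Internet
# cannot send tunnel tests to any of these. (Assumption: IPv4-only VPN.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Inbound traffic post #6 says the balancer must pass for SecuRemote.
# (protocol, port); for a raw IP protocol such as ESP the "port" is the
# protocol number.
REQUIRED_INBOUND = [("udp", 500), ("ip", 50), ("udp", 4500), ("tcp", 256)]
OPTIONAL_INBOUND = [("udp", 2746)]


def parse_networks(cidrs):
    """Parse CIDR strings; strict=False accepts host bits set (e.g. 10.1.1.2/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_pairs(client_cidrs, domain_cidrs):
    """(client subnet, encryption-domain subnet) pairs that overlap (post #2, item 1)."""
    return [(str(c), str(d))
            for c in parse_networks(client_cidrs)
            for d in parse_networks(domain_cidrs)
            if c.overlaps(d)]


def link_selection_reachable(advertised_ip):
    """True if the Link Selection address lies outside every non-routable
    range, i.e. Internet clients can actually reach it (post #2 item 2, post #6)."""
    ip = ipaddress.ip_address(advertised_ip)
    return not any(ip in net for net in NON_ROUTABLE)


def missing_inbound_rules(balancer_rules):
    """Required (proto, port) entries absent from the balancer's inbound rules."""
    allowed = {(proto.lower(), port) for proto, port in balancer_rules}
    return [rule for rule in REQUIRED_INBOUND if rule not in allowed]


def preflight(client_cidrs, domain_cidrs, advertised_ip, balancer_rules):
    """Run all three checks and return the findings as plain strings."""
    findings = []
    for client_net, domain_net in overlapping_pairs(client_cidrs, domain_cidrs):
        findings.append(f"client subnet {client_net} overlaps encryption domain {domain_net}")
    if not link_selection_reachable(advertised_ip):
        findings.append(f"Link Selection address {advertised_ip} is not Internet-routable")
    for proto, port in missing_inbound_rules(balancer_rules):
        findings.append(f"balancer does not forward {proto}/{port} inbound to the gateway")
    return findings


if __name__ == "__main__":
    # Constructed "before" scenario: home client on 192.168.1.0/24, an
    # encryption domain that swallows 192.168.0.0/16, and a gateway whose
    # main/Link Selection IP is its private address behind the balancer.
    for finding in preflight(client_cidrs=["192.168.1.0/24"],
                             domain_cidrs=["192.168.0.0/16", "10.10.0.0/16"],
                             advertised_ip="10.1.1.2",
                             balancer_rules=[("udp", 500), ("ip", 50)]):
        print("FAIL:", finding)

    # Same client after the fixes from the thread: narrowed encryption domain,
    # Link Selection set to the balancer's public NAT address (203.0.113.10 is
    # a documentation address standing in for the real one), full rule set.
    fixed = preflight(["192.168.1.0/24"], ["10.10.0.0/16"], "203.0.113.10",
                      REQUIRED_INBOUND + OPTIONAL_INBOUND)
    print("OK, no findings" if not fixed else fixed)
```

Running it as-is prints one FAIL line for each of the three problems in the "before" scenario and "OK, no findings" for the corrected one. A 3G client works in the original scenario for the reason post #2 gives: it gets a carrier address with no overlapping home LAN, so only the Link Selection and balancer problems remain, and those are fixed per post #6.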
