CPUG: The Check Point User Group


Thread: Can't Ping PC until it Pings you.

#1 maxaha1 (Melbourne, VIC, Australia)

    Hi All.
    We have some issues with PCs with Endpoint E80 installed on Win 7.
    Let's say I am a client on the network wanting IT support.
    IT cannot contact my machine (ping fails along with everything else)
    However, after I force any packet from my PC to the IT Support machine (with ping or anything else), then the connection opens up and they can contact me again.

    I've seen a few similar cases on the net, with specific cases of subnet and router setups, among many others, but I think this is different.
    It's not an ARP issue - I can see on my PC in Wireshark that ARP requests are answered in both directions. Also, manually adding the ARP entry to my machine for the IT PC doesn't help. Also, the problem occurs even if the ARP entries are still present.

    I should note at this point that when I boot the PC, it works OK. If I am connected to the company LAN and authenticate with the VPN client (which I have to do to get DMZ access), then the problems start (and remain even after I have disconnected again from Check Point).

    I can also see in Wireshark on my PC that the pings are arriving but no replies are sent.

    It's also worth mentioning that I have Symantec Endpoint Protection installed, but network security is disabled.
    Also, Windows Firewall is disabled.
    Also, I have the option in the E80 client to disable network protection. This makes no difference either.

    I checked the client logs and I can see the Echo_Requests coming in, but no replies. Only a few blocked packets in the log - all seem to be broadcasts and not related to the issue.

    Endpoint version E80.41.
    Core ver 8.2.882
    Compliance 8.14.0.4707
    Firewall and app control ver 8.1.000.737
    Remote Access VPN ver 986000037

    We have a number of people suffering from this - anyone that can shed some light - please do.

    P.S. I should have mentioned that in this test case, both PCs are in the same subnet connected via the same switch. (subnet masks correct etc)
    Last edited by maxaha1; 2015-03-02 at 22:33. Reason: Add more info.

#2 laf_c (Bucharest)

    Hi mate,

    Pretty lengthy explanation so far, still do mention:
    - the trouble PC uses a remote VPN solution to connect to "the Intranet"?
    - what network, connectivity solution does the IT use? Are they behind a network segment of the firewall or are they using a VPN remote client solution, too?

#3 maxaha1 (Melbourne, VIC, Australia)

    The problem PC (as standard in our org) uses Checkpoint endpoint E80 for mobile VPN access.
    IT uses it also for mobile. But generally for IT support, they are located on the intranet without any VPN software installed.
    Not sure if that answers your question.

    Thanks

#4 laf_c (Bucharest)

    Good, so let's go further on this:
    - trouble PC connects using a mobile VPN solution and it receives an IP; are you using a dedicated network segment for the VPN IP pool, or are the VPN clients using an extension of one of your intranet networks?
    - the moment client gets connected can you see that event in the VPN user monitor?
    - what about routing table? is there any change whenever a VPN client is connected? I know Cisco adds a static route for each connected client, how does CP handle this?

#5 maxaha1 (Melbourne, VIC, Australia)

    Hi laf_c

    I think maybe you missed the bit where this issue occurs after disconnection.
    So example.
    My test 'client' is on 10.100.0.1
    When I connect to VPN (while the PC is still LAN connected), I get an office mode address in a diff subnet - 10.240.1.1 (It's the same situation if the PC is out on the internet).
    I can still ping the client PC from a server or any other PC on the lan/wan - as it should. That's the idea of VPN. But forget this for the moment.
    Now the PC is still LAN connected and I disconnect from the VPN.
    The ethernet card still has the same IP it had all along. The VPN client has removed all the routes it added for the VPN session.
    The only difference is that the client PC cannot be contacted. It works fine except that to the rest of the network it doesn't exist.
    It will not reply to any IP requests until someone or something on the client PC pings the other device first.
    I checked the routing tables and it is as it should be.

    Strange thing though is that putting the PC to sleep and waking again, restores the inbound connectivity.

#6 laf_c (Bucharest)

    I see this two ways then:
    - a bug related to the VPN client that wrecks your machine's network protocol stack when disconnecting; you can tackle this by doing the same thing on another workstation, same OS.
    - an already damaged client network protocol stack that should be solved with an OS repair or fresh install

#7 (joined 2013-10-08)

    hi Hardy,

    After joining the VPN, can you check the route on your PC with netstat -rn at that time?
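The thread has already checked routes, ARP and the Windows Firewall by hand and found them clean, while Wireshark shows echo requests arriving with no reply until the host sends something first. The script below is an added diagnostic for that symptom; it is not from the thread, from maxaha1 or from Check Point. It goes one step past the `netstat -rn` suggestion above: it snapshots the host state before and after the VPN session so the two can be diffed, and it turns on Windows Filtering Platform (WFP) packet-drop auditing so a silently dropped inbound echo request shows up as Security event 5152 together with the run-time ID of the filter that dropped it. Assumptions: it runs from an elevated PowerShell on the affected Windows 7 client using only built-in tools (route, arp, netsh, auditpol, Get-WinEvent); `$Peer` (10.100.0.2) is a placeholder for the IT support PC; the idea that the drop happens inside WFP, which endpoint firewall drivers plug into, is a hypothesis for the script to test, not something the thread establishes.

```powershell
# Added diagnostic script for "echo requests arrive, no replies until the host
# sends first". Not from the thread or from Check Point. Assumptions: elevated
# PowerShell on the affected Windows 7 client, built-in tools only, $Peer is a
# placeholder, and "the drop happens in WFP" is the hypothesis under test.
param(
    [ValidateSet("snapshot", "drops", "compare")] [string]$Mode = "snapshot",
    [string]$Label  = "before-vpn",          # e.g. before-vpn, during-vpn, after-disconnect
    [string]$Peer   = "10.100.0.2",          # hypothetical IT support PC on the same subnet
    [string]$OutDir = "$env:TEMP\pingdiag",
    [string]$Other  = "after-disconnect"     # second label for -Mode compare
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Save-Snapshot {
    # Routes, ARP cache, Windows Firewall profile state and the full WFP filter set.
    # The first three are what the thread checked by hand; the WFP dump is where a
    # client-installed filter would show up even with "network protection" switched off.
    $txt = Join-Path $OutDir "$Label.txt"
    $xml = Join-Path $OutDir "$Label-filters.xml"
    @(
        "=== route print -4 ===";        (route print -4)
        "=== arp -a ===";                (arp -a)
        "=== advfirewall profiles ==="; (netsh advfirewall show allprofiles)
    ) | Out-File -Encoding ascii $txt
    netsh wfp show filters file="$xml" | Out-Null
    "Saved $txt and $xml"
}

function Enable-DropAudit {
    # Makes silently dropped packets visible as Security event 5152, which names
    # the WFP layer and the run-time ID of the filter that dropped them.
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null
}

function Get-FilterInfo([string]$XmlPath, [string]$FilterId) {
    # Map a run-time filter ID from event 5152 back to its name, provider and layer
    # in the netsh dump. Plain text search is used because condition <item>s nest.
    $text = [IO.File]::ReadAllText($XmlPath)
    $idx  = $text.IndexOf("<filterId>$FilterId</filterId>")
    if ($idx -lt 0) { return $null }
    $start = $text.LastIndexOf("<filterKey>", $idx)
    $item  = $text.Substring($start, $idx - $start)
    $get   = { param($tag) if ($item -match "<$tag>(.*?)</$tag>") { $matches[1] } else { "" } }
    New-Object PSObject -Property @{
        FilterId = $FilterId
        Name     = & $get "name"
        Provider = & $get "providerKey"
        Layer    = & $get "layerKey"
    }
}

function Get-IcmpDrops {
    # Inbound ICMP (protocol 1) from the peer that WFP dropped, joined with the
    # filter details from the snapshot taken under the same label.
    $xml = Join-Path $OutDir "$Label-filters.xml"
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 5152 } -MaxEvents 500 -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "Direction:\s+Inbound" -and
                     $_.Message -match "Source Address:\s+$([regex]::Escape($Peer))" -and
                     $_.Message -match "Protocol:\s+1\b" } |
      ForEach-Object {
          $fid   = if ($_.Message -match "Filter Run-Time ID:\s+(\d+)") { $matches[1] } else { "?" }
          $layer = if ($_.Message -match "Layer Name:\s+(.+)") { $matches[1].Trim() } else { "?" }
          $info  = if (Test-Path $xml) { Get-FilterInfo $xml $fid }
          New-Object PSObject -Property @{
              Time = $_.TimeCreated; FilterId = $fid; LayerName = $layer
              FilterName = $info.Name; Provider = $info.Provider
          }
      }
}

function Compare-Snapshots {
    # Lines present in one snapshot but not the other: a route, ARP entry or
    # firewall profile setting the VPN client changed and did not restore.
    $a = Join-Path $OutDir "$Label.txt"; $b = Join-Path $OutDir "$Other.txt"
    Compare-Object (Get-Content $a) (Get-Content $b) |
      Where-Object { $_.InputObject -notmatch "^\s*$" }
}

switch ($Mode) {
    "snapshot" { Save-Snapshot; Enable-DropAudit }
    "drops"    { Get-IcmpDrops | Format-Table -AutoSize }
    "compare"  { Compare-Snapshots | Format-Table -AutoSize }
}
```

Run it as `.\pingdiag.ps1 -Mode snapshot -Label before-vpn` before authenticating, again with `-Label after-disconnect` once the VPN is disconnected and the PC is in the broken state, then have the IT PC ping the client and run `-Mode drops -Label after-disconnect` and `-Mode compare`. Two outcomes are informative: if event 5152 lists the dropped echo requests with a filter whose provider key is not one of the Microsoft built-in providers, the block is a filter the endpoint client installed and left in place after disconnect; if Wireshark still shows the requests arriving but no 5152 events are logged at all, the drop is happening below WFP (for example in an NDIS filter driver), which this auditing cannot see and which points to a packet capture on the driver stack or a vendor case instead.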
