CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: VPN advertising wrong subnet to the peer and traffic getting dropped

  1. #1
    Join Date
    2017-09-21
    Posts
    34
    Rep Power
    0

    Default VPN advertising wrong subnet to the peer and traffic getting dropped

    Greetings


    Our Check Point VPN has a VPN to a client ASA, and the Security Association is failing to get established.
    As a result I am seeing the error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

    Upon checking, it looks like our local subnet which is a /22 is being advertised to the peer as /16 (summarized), but they are expecting traffic from /22 subnet.

    Is there a way we can define the local encryption domain just for the ASA VPN peer to make sure they receive our subnet as /22 and not /16?

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,622
    Rep Power
    9

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    You can override using sk108600 - see Scenario 1. See subnet_for_range_and_peer.

    Note it's something you'll want to document in some method as it won't show up in Dashboard.

  3. #3
    Join Date
    2017-09-21
    Posts
    34
    Rep Power
    0

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    Quote Originally Posted by jflemingeds
    You can override using sk108600 - see Scenario 1. See subnet_for_range_and_peer.

    Note it's something you'll want to document in some method as it won't show up in Dashboard.
    Thank you, I will give it a try.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    236
    Rep Power
    12

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    Quote Originally Posted by jflemingeds
    You can override using sk108600 - see Scenario 1. See subnet_for_range_and_peer.

    Note it's something you'll want to document in some method as it won't show up in Dashboard.
    In general, I would just use GuiDBEdit to set ike_use_largest_possible_subnets to false. That disables supernetting globally. Then it negotiates exactly what you specify in the Dashboard for all peers.
    Zimmie

  5. #5
    Join Date
    2017-05-26
    Posts
    17
    Rep Power
    0

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    Is it possible to disable "supernetting" only for 3rd party VPN devices, but keep "supernetting" enabled with Check Point Security Gateways?

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,622
    Rep Power
    9

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    Quote Originally Posted by checkpoint1
    Is it possible to disable "supernetting" only for 3rd party VPN devices, but keep "supernetting" enabled with Check Point Security Gateways?
    Yes, see the same SK: sk108600.

  7. #7
    Join Date
    2017-05-26
    Posts
    17
    Rep Power
    0

    Default Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    Quote Originally Posted by jflemingeds
    Yes, see the same SK: sk108600.
    I think the one below is the correct one.

    The improvement makes it possible to disable "supernetting" only for 3rd party VPN devices, but keep "supernetting" enabled with Check Point Security Gateways [sk101219]
    https://supportcenter.checkpoint.com...ionid=sk101219
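
The following is an added example, not code from the thread or from Check Point. It models the Phase 2 traffic-selector (proxy-ID) mismatch behind the "no valid SA" drop in post #1 and the two fixes discussed (disabling supernetting globally in post #4, overriding the selector for one peer as in posts #2 and #7). The addresses, the "widen to /16" approximation of supernetting, and the assumption that the third-party peer only accepts an exact selector match are all constructed for illustration.

```python
"""Model of an IKE Phase 2 selector mismatch caused by supernetting.

Constructed example: the local encryption domain is one /22, but with
supernetting on the gateway proposes the enclosing /16 to every peer.
A third-party peer whose crypto ACL names the /22 wants an exact match,
so nothing is accepted and hosts in the /22 have no SA towards it.
Turning supernetting off, or overriding the selector for that one peer
(the idea behind subnet_for_range_and_peer), restores the match.
"""
from ipaddress import ip_address, ip_network

# Constructed local encryption domain: the /22 the peer expects to see.
LOCAL_DOMAIN = [ip_network("10.20.4.0/22")]

# Constructed third-party peers and the local selector each one expects.
PEER_EXPECTS = {
    "203.0.113.10": [ip_network("10.20.4.0/22")],   # ASA, wants the /22
}


def supernet_to(nets, prefix):
    """Widen each selector to `prefix` bits and de-duplicate.
    Assumption: this approximates "largest possible subnet"; it is not
    the gateway's real aggregation algorithm."""
    widened = {n.supernet(new_prefix=min(prefix, n.prefixlen)) for n in nets}
    return sorted(widened)


def proposed_selectors(peer_ip, supernetting=True, per_peer=None, prefix=16):
    """Selectors the local side would propose to `peer_ip`.
    `per_peer` maps a peer IP to an explicit selector list and wins over
    the global supernetting setting, mirroring a per-peer override."""
    if per_peer and peer_ip in per_peer:
        return [ip_network(str(s)) for s in per_peer[peer_ip]]
    if supernetting:
        return supernet_to(LOCAL_DOMAIN, prefix)
    return list(LOCAL_DOMAIN)


def accepted_selectors(peer_ip, proposal):
    """Assumption: the third-party peer only accepts an exact match."""
    expected = set(PEER_EXPECTS.get(peer_ip, []))
    return [s for s in proposal if s in expected]


def diagnose(peer_ip, src, **kwargs):
    """Report what is proposed, what the peer accepts, and whether a
    packet from `src` towards this peer would have a valid SA."""
    proposal = proposed_selectors(peer_ip, **kwargs)
    accepted = accepted_selectors(peer_ip, proposal)
    src_addr = ip_address(src)
    return {
        "proposed": [str(s) for s in proposal],
        "accepted": [str(s) for s in accepted],
        "has_sa": any(src_addr in s for s in accepted),
    }


if __name__ == "__main__":
    host = "10.20.5.7"   # constructed host inside the /22
    print("supernetting on  :", diagnose("203.0.113.10", host))
    print("supernetting off :", diagnose("203.0.113.10", host, supernetting=False))
    print("per-peer override:", diagnose("203.0.113.10", host,
                                         per_peer={"203.0.113.10": ["10.20.4.0/22"]}))
```

The first call reproduces the thread's symptom: the proposal is 10.20.0.0/16, the peer accepts nothing, and a host in the /22 has no SA. Either of the other two calls yields an accepted /22, which is the check worth running against each third-party peer's expected selectors before and after changing ike_use_largest_possible_subnets or adding a per-peer override.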
