FortiGate
Article Id 198155
Description: The Check Point VPN tunnel does not pass through the FortiGate unit.
Components
  • Any FortiGate unit
  • Check Point VPN
Steps or Commands

A sniffer trace taken on the external interface of the FortiGate unit while the Check Point VPN tunnel is failing shows the following:

Internet Protocol, Src Addr: 20.20.20.20 (20.20.20.20), Dst Addr: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 112
Identification: 0xa4bd (42173)
Flags: 0x00
Fragment offset: 0
Time to live: 237
Protocol: UDP (0x11)
Header checksum: 0x08c5 (correct)
Source: 20.20.20.20 (20.20.20.20)
Destination: 10.10.10.10 (10.10.10.10)
User Datagram Protocol, Src Port: 2746 (2746), Dst Port: 50826 (50826)
Source port: 2746 (2746)
Destination port: 50826 (50826)
Length: 84
Checksum: 0x0000 (none)

Note that the UDP Length value is 84. The correct value is 92: the IP Total Length is 112 bytes, and after the 20-byte IP header the UDP datagram (8-byte UDP header plus payload) must account for the remaining 92 bytes. The value 84 counts only the payload, so the 8 bytes of the UDP header are missing. The UDP Checksum field is also 0x0000, meaning no checksum was computed, so the datagram's integrity cannot be verified at all.

The trace therefore shows that the UDP packets returned by the Check Point firewall (20.20.20.20) carry a miscalculated UDP length that omits the 8-byte UDP header, and no UDP checksum. The FortiGate unit treats these packets as malformed, drops them, and does not forward them to the internal interface. This is why the Check Point VPN tunnel does not pass through the FortiGate unit.
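As an added example (not code from this article, Fortinet, or Check Point), the following Python script decodes an IPv4/UDP datagram constructed to mirror the trace above and reports the same two defects: a UDP length that is 8 bytes short of what the IP Total Length implies, and a zero UDP checksum. It also verifies the IPv4 header checksum and, when one is present, the UDP checksum over the RFC 768 pseudo-header, so a corrected datagram passes clean. The addresses, ports, IP identification and TTL are copied from the trace; the 84-byte payload is constructed, and the IP header checksum is recomputed for the sample, so it does not match the 0x08c5 shown in the trace.

```python
"""Decode an IPv4/UDP datagram and report the defects a strict forwarder would
drop it for, modelled on the trace above. Added example, not Fortinet or Check
Point code; addresses and ports are taken from the trace, the payload is constructed."""
import struct
from ipaddress import IPv4Address

IP_PROTO_UDP = 17
UDP_HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers (RFC 768)."""
    return src + dst + struct.pack("!BBH", 0, IP_PROTO_UDP, udp_length)


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Correct UDP checksum for a segment whose checksum field is still zero."""
    value = checksum(pseudo_header(src, dst, len(udp)) + udp)
    return value or 0xFFFF  # a computed zero is transmitted as all ones (RFC 768)


def build_packet(udp_length: int, with_checksum: bool, payload: bytes = bytes(range(84))) -> bytes:
    """Constructed sample: 20.20.20.20:2746 -> 10.10.10.10:50826, IP total length
    112 = 20-byte IP header + 8-byte UDP header + 84-byte payload. The UDP length
    field is written exactly as given so the Check Point defect can be reproduced."""
    src, dst = IPv4Address("20.20.20.20").packed, IPv4Address("10.10.10.10").packed
    total_length = 20 + UDP_HEADER_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0xA4BD, 0, 237, IP_PROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # fill in the IP header checksum
    udp = struct.pack("!HHHH", 2746, 50826, udp_length, 0) + payload
    if with_checksum:
        udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    return ip + udp


def inspect_packet(pkt: bytes) -> dict:
    """Parse the IPv4 and UDP headers and list every reason the datagram is malformed."""
    ihl = (pkt[0] & 0x0F) * 4
    total_length = struct.unpack("!H", pkt[2:4])[0]
    src, dst = pkt[12:16], pkt[16:20]
    udp = pkt[ihl:total_length]
    sport, dport, udp_length, udp_cksum = struct.unpack("!HHHH", udp[:UDP_HEADER_LEN])
    expected = total_length - ihl  # the UDP length must cover UDP header + payload
    report = {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "udp_src_port": sport, "udp_dst_port": dport,
        "udp_length": udp_length, "expected_udp_length": expected,
        "udp_checksum": udp_cksum, "problems": [],
    }
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:
        report["problems"].append("bad IPv4 header checksum")
    if pkt[9] != IP_PROTO_UDP:
        report["problems"].append(f"IP protocol {pkt[9]} is not UDP")
        return report
    if udp_length != expected:
        msg = f"UDP length {udp_length} != {expected} (IP total length {total_length} - {ihl}-byte IP header)"
        if expected - udp_length == UDP_HEADER_LEN:
            msg += "; short by exactly the 8-byte UDP header, i.e. a payload-only length"
        report["problems"].append(msg)
    if udp_cksum == 0:
        report["problems"].append("no UDP checksum (0x0000), datagram integrity cannot be verified")
    elif ones_complement_sum(pseudo_header(src, dst, udp_length) + udp[:udp_length]) != 0xFFFF:
        report["problems"].append("bad UDP checksum")
    return report


if __name__ == "__main__":
    for name, pkt in (("as captured", build_packet(84, False)), ("fixed", build_packet(92, True))):
        r = inspect_packet(pkt)
        print(name, r["udp_length"], r["expected_udp_length"], r["problems"] or "ok")
```

Running the script prints the captured form with both problems and the corrected form (length 92, checksum present) as clean. The length check is deliberately derived from the IP Total Length rather than from the captured frame size, which is what lets it catch a UDP length that is internally inconsistent even when the bytes on the wire look complete.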

Solution: Contact Check Point. The issue is resolved by upgrading the Check Point firewall to NGX R60.