Connecting a Win10 client to corporate VPN through AC3200

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Edbert

Occasional Visitor
Background:
  • A company-owned Win10 laptop with the "Check Point" VPN thick-client
  • RT-AC3200 connected to cable-modem with 3.0.0.4.382_51940-ga3b9d4a firmware
  • No outbound firewall rules (yeah I know)
Problem:
I am able to connect to corporate with no issues, but the performance is poor, particularly for voice Skype/Teams/GoTo/Webex all effected. In working with the firewall support folks (our firewall at the office "hosts" the VPN connections) that I am connecting in "Guest mode" which means it is a IPsec connection over port 443 instead of the normal (GRE?) connection.

Support says to disable my outbound rules, bzzt not it!

I searched the CheckPoint site and this one, and then all of Google to see if there was a known issue sort of thing with no luck. I disabled bandwidth monitor, QOS, and AiProtection while I was trying everything I could think of, none of it mattered, still connecting in guest mode.

I am hoping some of the wizards and gurus here have an idea
 

MichaelCG

Very Senior Member
443 would be TLS mode and my guess is you are having TCP restrans issues. If you got into native mode, it would most likely be IPSEC with UDP encapsulation which will operate much better for voice/media flows over the VPN tunnel. My company doesn't use Checkpoint for VPN but another large provider's. We recently switched over to TLS only due to a compliance issue and I immediately noticed that my voice/media apps started having issues with stuttering and breaking up.

This is unlikely to be your router at fault here. When you encapsulate UDP inside of a TCP session and then there is congestion or packet loss, the TCP wrapper retransmits the lost data. Well when dealing with UDP media flows, it is better to throw away lost data than to retransmit it. So if you have congestion, TCP retransmits, which causes more congestion, which causes more retransmits....well...you see where this is going right?
 

Edbert

Occasional Visitor
This is unlikely to be your router at fault here. When you encapsulate UDP inside of a TCP session and then there is congestion or packet loss, the TCP wrapper retransmits the lost data. Well when dealing with UDP media flows, it is better to throw away lost data than to retransmit it. So if you have congestion, TCP retransmits, which causes more congestion, which causes more retransmits....well...you see where this is going right?

Makes perfect sense, but the remote host is not forcing TLS, with the work-from-home thing we have 900-1,000 people on during business hours, of that total only 5-10 people are getting forced into what Check Point calls guest mode (443/TLS), and the FW support folks think I am blocking outbound ports.

Check Point needs a lot of them too. Most TCP but a few UDP ports from 259 into the really high ranges. I considered completely disabling the routers FW and test, just too scared, even for a few minutes since there's a lot of IoT and Windoze here :)

I enabled logging all on FW and cleared the logs, then logged onto the VPN and see no blocks outbound, but about 5-7 blocks per minute inbound. Think I'll have to ask them to open a case with Check Point.
 

ColinTaylor

Part of the Furniture
Asus (and other home routers) don't block any outbound ports.

Does you router's WAN interface have a public IP address or are you behind another router (or CGNAT)?
 

Edbert

Occasional Visitor
Does you router's WAN interface have a public IP address or are you behind another router (or CGNAT)?
SHows a public address from ISP, it is directly connected via ethernet to Cable modem.

I appreciate the help everyone, I think what I've heard here is enough to rule out my router, at least for firewall. I tried disabling all the Ai and QOS and monitoring stuff too. I just don't think it is me or my equipment, might follow up with ISP (Spectrum) just in case.

Thanks again!
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top