One Armed MX Behind a Checkpoint

Here to help

One Armed MX Behind a Checkpoint

I am working with an MX 100 that has been configured in One Armed Mode behind a Checkpoint Firewall, with Hide Behind Nat.  The MX is unable to form autovpn connections,


  • NAT type: Unfriendly. This security appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rulesThat is the message from the VPN status page.  Not sure what would be causing this on the Checkpoint.
Kind of a big deal
Kind of a big deal

Configure a port forward on your Checkpoint to the MX.  Then go:

Security Appliance/Site-to-Site VPN

Set "NAT Traversal" and put in the details (details below made up):


Screenshot from 2017-12-01 08-39-02.png

Meraki Employee
Meraki Employee

In addition to the input from @PhilipDAth also make sure everything is good with your firewall rules.  In particular, the MX appliances on both sides will need outbound UDP 9350 to talk to the VPN Registry.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.