Hi all!
I wanted to seek your insights on a strange issue we've encountered. Some of our offices are running on MX250s, while our Azure side uses a Checkpoint firewall.
The problem we have is this: for the Boston (MX250) to Azure SEA (Checkpoint) VPN tunnel, we noticed that despite the tunnel status showing as "up" on both the Meraki and CP pages, the servers behind the Checkpoint can't reach certain subnets in Boston.
Checking the logs, when the tunnel is being established, for any subnet that can't be reached, the last packet sent from Meraki to Checkpoint fails, followed by multiple "payload malformed" error messages. (We've also opened a case with Meraki, and packet captures from Meraki show that it is sending packets to Checkpoint but not receiving a response... it seems like a loop.)
We also noticed that on the Checkpoint, the VPN tunnel between BOS and Azure SEA resets every 3-4 minutes (not sure if this is related to the "payload malformed" messages).
Another interesting finding is that the WAN2 interface on BOSMX250 cannot ping AZSEA's public IP. We tested other offices with MX250s, and it seems to be the same behavior: only one WAN interface can ping this public IP, while the other cannot. (And the failing one is the primary link.)
Has anyone encountered a similar issue? Any suggestions would be greatly appreciated!