Enabling the R80.20 "disable supernetting per community" feature causes this issue.

This problem was fixed. The fix is included starting from:

• Check Point R80.30
• Jumbo Hotfix Accumulator for R80.20 with Gaia 3.10 for CloudGuard and Open Server Security Gateways (R80_20_3_10_jumbo_hf)
• Jumbo Hotfix Accumulator for R80.20 - since Take_43

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

 

For R80.20, before Jumbo Hotfix Accumulator for R80.20 Take_43, you can resolve the issue by disabling the R80.20 "disable supernetting per community" feature.

Note: This feature continues to work when you set  ike_enable_supernet to "true". 

1. Access the CLI of the relevant Security Gateway.
2. Run this command: fw ctl set int enable_supernet_per_community 0
   

   Note: It can take some time until user.def tables start to take effect, because current connections can still invoke tunnels using the old ranges.

3. To save this change after reboot of the Security Gateway, set this configuration variable: "enable_supernet_per_community=0" in the $FWDIR/boot/modules/fwkern.conf file of the Security Gateway.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.