topic after a cluster failover (Cloudguard) the VPN tunnel gets disconnected in Cloud Firewall

after a cluster failover (Cloudguard) the VPN tunnel gets disconnected

flachance — Tue, 25 Oct 2022 18:22:29 GMT

We have a vpn tunnel between two cluster, one is a pair of OpenServers and the other Cloudguard in Azure.

For the one on OpenServers the gateways are running R80.40. The gateways in Azure we just updated to R81.10.

Since the upgrade when there is a failover in the Cloudguard cluster, the VPN doesn’t work anymore. A quick fix to get it back seems to be re-installing the policy.

Last time we noticed in SmartView monitor the status of the VPN was Up-Phase1. Anyone seen something like this?

Re: after a cluster failover (Cloudguard) the VPN tunnel gets disconnected

AaronCP — Tue, 25 Oct 2022 20:50:53 GMT

How long does the outage last when you failover? I remember we had similar issues with our CloudGuard cluster on failover, where it would cause up to a 5 minute outage to our on-prem cluster. The failover would eventually complete and the tunnel would re-establish.

Did you get this issue when your CloudGuard cluster was running another OS version?

Re: after a cluster failover (Cloudguard) the VPN tunnel gets disconnected

Chris_Atkinson — Wed, 26 Oct 2022 00:59:53 GMT

Depending on the Azure API the failover time should be ~ 2 minutes for VPN scenarios.

Are both clusters under the same management i.e. is either defined as an Interoperable device object?

In R81 and above we changed the tunnel keep alive to DPD by default for 3rd party devices... refer sk108600 scenario 5.

Also is keep_IKE_SAs configured?

This property is available under Global Properties -> SmartDashboard Customization -> Advanced Configuration -> VPN advanced properties -> VPN IKE properties.

Re: after a cluster failover (Cloudguard) the VPN tunnel gets disconnected

flachance — Wed, 26 Oct 2022 14:35:08 GMT

So here are some additional details.

We experienced the issue only after upgrading to R81.10.

The participating gateways are two clusters. One is Checkpoint R80.40 running on OpenServers. The other is Checkpoint R81.10 on Cloudguard (Azure).

They are managed by the same management server running R81.10.

The cluster failover happens fairly quickly but as far as I know the VPN tunnel stays down indefinitely. Until we install the Policy which seems to kick in something and make it works.

Keep_IKE_SAs is configured.

I looked at SK108600 scenario 5, should we use DPD over Tunnel_Test even with all members being CheckPoint?

It’s a Meshed VPN tunnel. With the following properties