https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/69637#M12665 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/15325">@Scott_Paisley</a>&nbsp;did you find the root cause of this? Could it have been that after upgrade that PFS was turned off?</P><P>I just saw similar behaviour going from R80.10 to R80.30. Im pretty sure I had PFS enabled before upgrade. It was disabled after upgrade I think. I reenabled, and it looks more stable.</P> Sun, 08 Dec 2019 14:55:28 GMT OL 2019-12-08T14:55:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54836#M12662 <P>Hi</P><P>We have a large number of IPSEC VPN tunnels between our R77.30 gateway clusters.</P><P>Yesterday we upgraded one of the remote clusters to R80.20. After the upgrade the tunnel was still working fine, until we pushed policy to the R77.30 cluster late last night.</P><P>Now the tunnel will not stay up. If I push the R80.20 cluster it comes up briefly, then fails again.</P><P>The error message is&nbsp;</P><P><FONT>Auth exchange: Sending notification to peer: Authentication failed MyAuthMethod: Certificates</FONT></P><P><FONT>I have support ticket open, but is there something simple and obvious I am missing?</FONT></P><P><FONT>Thanks</FONT></P> Sat, 01 Jun 2019 11:07:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54836#M12662 Scott_Paisley 2019-06-01T11:07:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54850#M12663 Do make sure to push the policy on the R77.30 again. We have seen many times during a R77.30 to R77.30 migration, a couple of years ago, that when we had VPN's we needed to at least push twice to those gateways to make sure the tunnels came back. Sun, 02 Jun 2019 11:51:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54850#M12663 Maarten_Sjouw 2019-06-02T11:51:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54854#M12664 <P>Thanks</P><P>I removed the R80.20 gateway from the VPN, pushed to both gateways, added it back in and pushed again, and now the tunnel is up.</P><P>Checkpoint recommendation is to renew the cert, but each of our gateways is involved in multiple VPNs, so we will end up pushing to the whole estate eventually.</P> Sun, 02 Jun 2019 12:23:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/54854#M12664 Scott_Paisley 2019-06-02T12:23:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/69637#M12665 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/15325">@Scott_Paisley</a>&nbsp;did you find the root cause of this? Could it have been that after upgrade that PFS was turned off?</P><P>I just saw similar behaviour going from R80.10 to R80.30. Im pretty sure I had PFS enabled before upgrade. It was disabled after upgrade I think. I reenabled, and it looks more stable.</P> Sun, 08 Dec 2019 14:55:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/69637#M12665 OL 2019-12-08T14:55:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/69690#M12666 <P>it turned out to be an unrelated issue. The Remote gateways were not able to reach the management server to check the validity of the certs. Once that was resolved the tunnels came up</P> Mon, 09 Dec 2019 08:59:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/69690#M12666 Scott_Paisley 2019-12-09T08:59:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/264360#M51948 <P>I know this post is a little bit old, but this worked for me. Thanks!</P> Thu, 04 Dec 2025 14:16:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-site-to-site-VPN-fails-after-R80-20-upgrade/m-p/264360#M51948 CrociStrike030 2025-12-04T14:16:21Z