topic Re: VPN tunnel down issue in Firewall and Security Management

VPN tunnel down issue

ramawatar — Sat, 13 Apr 2019 17:14:18 GMT

Hi All,

I am facing issue with VPN tunnel between Check Point firewall and AWS between Check Point firewall and AWS there is multiple tunnel and that is getting down when not in use multiple time i need to reset tunnel after that its working fine is there any idea we create script through API can send continuous icmp traffic towards AWS tunnel to keep tunnel UP and i no need to reset the tunnel again and again.

Currently our setup is running on distributed 2 GW in cluster manage by MGMT server and all are running on R80.10 with take 189 hotfix.

Re: VPN tunnel down issue

PhoneBoy — Sun, 14 Apr 2019 10:38:38 GMT

The SKs that talk about configuring a VPN with AWS mention using Dead Peer Detection--are you using it?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97746

Re: VPN tunnel down issue

Maarten_Sjouw — Sun, 14 Apr 2019 22:22:19 GMT

You need to enable Permanent Tunnel in Tunnel management on the vpn community.

Re: VPN tunnel down issue

ramawatar — Wed, 24 Apr 2019 09:32:34 GMT

Dear Phoneboy/Admin

Thanks for your response i am already using tunnel_keepalive_method dpd and check all other parameter but didn't find solution till now.

get error log packet is dropped because an ipsec sa associated with the spi on the received ipsec could not be found

Action: drop Description: ESP traffic dropped.

I will follow the sk19423 but that is not helpfull for me.

Can i disable NAT T ?? and if i disable NAT T then what is the impact of that in production??

Re: VPN tunnel down issue

Uttam_Ghole — Mon, 27 May 2019 05:08:07 GMT

Hi @ramawatar and @PhoneBoy

I am also facing similar issue.

My observation is, in continuous ongoing security parameter negotiations, whenever AWS end negotiates tunnel with NAT-T (4500), tunnel shows UP but no data traverse through tunnel.

(As per few secure knowledge checkpoint only responds for NAT-T negotiation but never initiate negotiation with NAT-T)

fw ctl zdebug + drop | grep <AWS_gateway> gives decryption failed. (A = My End. B= AWS End.)

I am using BGP protocol to control routing.

BGP TCP handshake not getting complete when IKE negotiation shown IKE NAT-T (4500).

But fw monitor shows my end try to send bgp messages through tunnel and even initial packet comes through aws end but TCP complete connection not happening.

[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000

[vs_0][fw_22] vpnt6:O[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16

When I am doing manual tunnel reset, checkpoint initiating tunnel, where it negotiating on 500 UDP and data starts traversing through tunnel.

Tunnels remain UP, till negotiation not happening through IKE 4500.

Currently I am experimenting to tune below gateway specific parameters to ensure negotiation of IKE 4500 should not happen. (There is no NAT device between my end and AWS)

IKE_SUPPORT_NAT_T

offer_nat_t_initator

offer_nat_t_responder_for_known_gw

force_nat_t

Advanced NAT-T Configuration

These variables are defined for each gateway and control NAT-T for site-to-site VPN: Item	Description	Default Value
offer_nat_t_initator	Initiator sends NAT-T traffic	true
offer_nat_t_responder_for_known_gw	Responder accepts NAT-T traffic from known gateways	true
force_nat_t	Force NAT-T even if there is no NAT-T device	false

Checkpoint team ( @PhoneBoy ) through my above observations please highlight and resolve any interoperability through NAT-T between checkpoint and other vendor device.

Re: VPN tunnel down issue

PhoneBoy — Tue, 28 May 2019 07:22:47 GMT

You're seeing "decryption failed" messages in zdebug, which would suggest a configuration mismatch of some sort.
You'll need to debug it to see where the mismatch is, using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63560
Also recommend engaging with the TAC.

Re: VPN tunnel down issue

Aroma2118 — Mon, 20 Apr 2020 16:40:04 GMT

Hi @Uttam_Ghole

I am experiencing the same issue. Did you manage to resolve it after modifying gateway specific parameters?

Regards,

Re: VPN tunnel down issue

ramawatar — Mon, 20 Apr 2020 20:22:49 GMT

@Aroma2118 We are facing Issue with AWS tunnel only, now working fine we disable NAT T from for all security gateway & set tunnel_keepalive_method DPD

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway).

In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
For the Value, select a permanent tunnel mode.
Save all the changes.
Install policy on the gateways.

For best practice Use Respective Gaia Version VPN Administration Guide.

Re: VPN tunnel down issue

Sajid_Abbas — Wed, 25 Nov 2020 00:44:54 GMT

Hi, We had heaps of VPN issues with AWS. This all got sorted when we upgraded firmware to R80.20.

Have you tried doing that.

We also have a script running that check tunnel ping and then resets tunnel if needed.

Could try those steps.

Sajid

Re: VPN tunnel down issue

ramawatar — Sat, 06 Feb 2021 07:34:32 GMT

@Sajid_Abbas yes it's resolve in R80.20, we also already upgraded our infra from R80.10 to R80.20

Re: VPN tunnel down issue

Cyber_Serge — Sat, 06 Feb 2021 22:50:49 GMT

Was it related to sk142355 VPN tunnel goes down after policy push, must be reset to bring it up?

Re: VPN tunnel down issue

the_rock — Sun, 07 Feb 2021 13:50:02 GMT

Not sure that option works with 3rd party vendors though...I only seen it work cp - cp tunnels.

Re: VPN tunnel down issue

Ayyappa — Thu, 30 Dec 2021 18:01:00 GMT

i have this same issue with static routes. could you please tell, did you manage to resolve this issue. kindly let us know.

Re: VPN tunnel down issue

giangnt — Wed, 04 May 2022 03:53:28 GMT

Hi Sajid_Abbas,

We are in need of a script to reset the tunnels every time they go down (we check by ping). Can you share it with us? Thank you!

Re: VPN tunnel down issue

giangnt — Wed, 04 May 2022 04:51:45 GMT

Hi Sajid_Abbas,

We also need automatic ping check and tunnel reset, can you share with us the script you have? Thank you so much!

Re: VPN tunnel down issue

Daniel_Kavan — Wed, 20 Sep 2023 17:44:41 GMT

Hi,

Is DPD still needed for permanent tunnel checks in R81.20. Also, is guiDB still needed to enable it?

Re: VPN tunnel down issue

PhoneBoy — Wed, 20 Sep 2023 18:03:51 GMT

DPD is still used for permanent tunnels.
In fact, from R81, DPD is set as the default for newly created Interoperable Objects.
If I understand Scenario 5 of sk108600 correctly, unless you've changed the setting from the previous default, it should be changed upon upgrade to an R81+ release automatically.