https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110433#M15168 <P>When policy is pushed the IKE Phase 1 SAs are cleared depending on the values of&nbsp;<STRONG>ike_keep_child_sa_interop_devices</STRONG> and&nbsp;<STRONG>keep_IKE_SAs</STRONG> which are both global; I don't think you can specify these values per VPN peer or community.&nbsp; 3rd party gateways in particular don't like having an SA cleared early since the mechanism to recover (delete SA notification) does not usually work properly between vendors.&nbsp; See Scenario 4 of&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec" target="_blank" rel="noopener">sk108600: VPN Site-to-Site with 3rd party</A>.&nbsp;&nbsp;&nbsp;</P> <P>The only real ramification of setting one or both of these to true is that if you make a change to IKE Phase 1 configuration settings (encryption, hashing, etc), that change will not happen immediately upon policy push.&nbsp; These types of changes don't occur very often once the tunnel is initially set up and tested, but if you do need to change these Phase 1 settings with "true" set you'll just need need to manually reset the IKE Phase 1 tunnel with <STRONG>vpn tu</STRONG> after pushing policy to make it take effect.&nbsp; That's it.</P> Wed, 10 Feb 2021 12:58:26 GMT Timothy_Hall 2021-02-10T12:58:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110404#M15164 <P>Hi All,</P><P>&nbsp;</P><P>I am facing issue with VPN tunnel between Check Point gateway and 3rd-party gateway, Sonicwall.</P><P>The situation is, the vpn connection is working as usual after the tunnel is up.</P><P>However, after we push the policy, the tunnel is coming down again.</P><P>What I'VE done next:</P><P>1. Confirmed no changes related to VPN settings on both Check Point gateway and Peer Gateway.</P><P>2.&nbsp;Confirmed the configuration on both side is tally with each other.</P><P>3. Reset tunnel on vpn tu, option (7).</P><P>4. Check vpn status again, still down. Refer to the packet capture on peer: 175.139.242.98 below:</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 806px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/10517i713E5420CB027705/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>Supposedly, the vpn tunnel should come up after reset tunnel However, the tunnel is still down.</P><P>And, now I'm now checking on the <STRONG><A title="sk142355" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk142355&amp;partition=Advanced&amp;product=IPSec" target="_blank" rel="noopener">sk142355</A>,&nbsp;</STRONG>however the changes on Global Properties might need to be considered properly as it might affected other vpn tunnels.</P><P>&nbsp;</P><P>Current, our setup is on Standalone mode with R80.10 version with Take 279 hotfix.</P><P>&nbsp;</P><P>Hopefully, we have the solutions or workaround on this issue.</P> Wed, 10 Feb 2021 08:30:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110404#M15164 Fatihah 2021-02-10T08:30:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110433#M15168 <P>When policy is pushed the IKE Phase 1 SAs are cleared depending on the values of&nbsp;<STRONG>ike_keep_child_sa_interop_devices</STRONG> and&nbsp;<STRONG>keep_IKE_SAs</STRONG> which are both global; I don't think you can specify these values per VPN peer or community.&nbsp; 3rd party gateways in particular don't like having an SA cleared early since the mechanism to recover (delete SA notification) does not usually work properly between vendors.&nbsp; See Scenario 4 of&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec" target="_blank" rel="noopener">sk108600: VPN Site-to-Site with 3rd party</A>.&nbsp;&nbsp;&nbsp;</P> <P>The only real ramification of setting one or both of these to true is that if you make a change to IKE Phase 1 configuration settings (encryption, hashing, etc), that change will not happen immediately upon policy push.&nbsp; These types of changes don't occur very often once the tunnel is initially set up and tested, but if you do need to change these Phase 1 settings with "true" set you'll just need need to manually reset the IKE Phase 1 tunnel with <STRONG>vpn tu</STRONG> after pushing policy to make it take effect.&nbsp; That's it.</P> Wed, 10 Feb 2021 12:58:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110433#M15168 Timothy_Hall 2021-02-10T12:58:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110974#M15280 <P>Hi Timothy,</P><P>&nbsp;</P><P>Thanks for your suggestion.</P><P>However, after checking all these, I suspected the issue is related to the instability of upstream device (Load Balancer). Hence, I bypass the Load balancer to the peer Gateway, and as a resulted&nbsp;<SPAN>the tunnel was established and communication was successful between both sites.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Fatihah</SPAN></P> Wed, 17 Feb 2021 00:57:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VN-Tunnel-is-down-after-installing-policy/m-p/110974#M15280 Fatihah 2021-02-17T00:57:28Z