https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30488#M2422 <HTML><HEAD></HEAD><BODY><P>I've got a strange, lingering issue. Our R77.30 Gateway has quite a few IPSec Site-to-Site VPN tunnels terminating on it, and a few of them are on AWS. I've played with the settings in the IPSec community and encryption on several of them and still experience the same behavior.</P><P></P><P>1. The tunnel can be up, operating normally, passing traffic at an acceptable rate.</P><P>2. After I install policy to the gateway, *sometimes*, traffic will no longer traverse the tunnel.&nbsp;</P><P>&nbsp;&nbsp;&nbsp;2a. This is random - I would say 10% of the time, it will happen.</P><P>&nbsp;&nbsp;&nbsp;2b. Pushing policy again fixes it.</P><P></P><P>Disclaimer - I set up the VPN like i've always done with other sites (external site using ASA, Palo, etc) - using an interoperable device/PSK/IPSec Community. I just recently found this sk:</P><P></P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726">How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes</A>&nbsp;</P><P></P><P>Could not using VTI's be my issue? I'll be honest, i'm not familiar with VTI's or MSS clamping or dead peer detection.</P></BODY></HTML> Fri, 16 Feb 2018 17:58:54 GMT Saul_Schwartz 2018-02-16T17:58:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30488#M2422 <HTML><HEAD></HEAD><BODY><P>I've got a strange, lingering issue. Our R77.30 Gateway has quite a few IPSec Site-to-Site VPN tunnels terminating on it, and a few of them are on AWS. I've played with the settings in the IPSec community and encryption on several of them and still experience the same behavior.</P><P></P><P>1. The tunnel can be up, operating normally, passing traffic at an acceptable rate.</P><P>2. After I install policy to the gateway, *sometimes*, traffic will no longer traverse the tunnel.&nbsp;</P><P>&nbsp;&nbsp;&nbsp;2a. This is random - I would say 10% of the time, it will happen.</P><P>&nbsp;&nbsp;&nbsp;2b. Pushing policy again fixes it.</P><P></P><P>Disclaimer - I set up the VPN like i've always done with other sites (external site using ASA, Palo, etc) - using an interoperable device/PSK/IPSec Community. I just recently found this sk:</P><P></P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726">How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes</A>&nbsp;</P><P></P><P>Could not using VTI's be my issue? I'll be honest, i'm not familiar with VTI's or MSS clamping or dead peer detection.</P></BODY></HTML> Fri, 16 Feb 2018 17:58:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30488#M2422 Saul_Schwartz 2018-02-16T17:58:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30489#M2423 <HTML><HEAD></HEAD><BODY><P>If you're not using VTIs and Dynamic Routing, it's a definite possibility.</P><P>It's a bit more reliable to use VTIs when connecting with Amazon's VPN endpoint.</P><P>However, if you're going down this path, I recommend upgrading the Security Gateway to R80.10, so you can fully leverage CoreXL when using VTIs (otherwise, CoreXL is disabled when using VTIs, and performance will take a hit).</P></BODY></HTML> Fri, 16 Feb 2018 19:35:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30489#M2423 PhoneBoy 2018-02-16T19:35:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30490#M2424 <HTML><HEAD></HEAD><BODY><P>I remember a similar issue whose description can be found in&nbsp; <EM><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116013&amp;partition=Advanced&amp;product=Security" style="max-width: 840px;">sk116013: NAT fails after policy installation</A></EM><SPAN class="" style="vertical-align: top; color: #e65785; display: inline-block; margin: 0px 0px;"> </SPAN></P><P><SPAN class="" style="vertical-align: top; display: inline-block; margin: 0px 0px;">I suggest to verify if it is the same - then you can get a fix for it from TAC.<BR /></SPAN></P></BODY></HTML> Wed, 21 Mar 2018 11:53:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-Tunnel-to-AWS-VPC-Sporadically-drops-after-Policy-Install/m-p/30490#M2424 G_W_Albrecht 2018-03-21T11:53:01Z