https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154774#M26302 <P>CRL is an important part of secured VPN. Once CLR cache is expired GWs are supposed to pull the new one. CRL expiration time is set in the Global Properties on your Management Server.</P> <P>If your SmartManagment Server is down for a long time, VPN tunnel failure is very likely. I would suggest Management HA.</P> Tue, 09 Aug 2022 12:05:43 GMT _Val_ 2022-08-09T12:05:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154760#M26299 <P>Good afternoon!<BR />If our CPSM server is not available, then the VPN on the devices in the branch stops working after 24 hours hours or less. This is the expected result. But we would like to increase this time in case the CPSM fails. We used on the information in this article: <A href="https://indeni.com/blog/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-a-check-point-gateway/" target="_blank">https://indeni.com/blog/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-a-check-point-gateway/</A><BR />We supposed that the problem occurs when a device in a branch office cannot get an up-to-date list of CRL.</P><P>Branches use CheсkPoint 1430/1530. Everything is managed centrally through CPSM.<BR />The CRL file on the device itself in the /pfrm2.0/config1/fw1/database directory is up to date.The internal_ca parameters are set to "Fetch new CRL after 48 hours", but the desired result has not been achieved. VPN disconnected again after 24 hours.<BR />How can we increase VPN uptime if CPSM is not available?</P><P>In the admin guide I found the following information:<BR />"If CRL Cache is enabled, choose whether a CRL is deleted from the cache when it expires or after a fixed period of time (unless it expires first). The second option encourages retrieval of a CRL more often as CRLs may be issued more frequently than the expiry time. By default a CRL is deleted from the cache after 24 hours."</P><P>With any cache settings in the properties of the certificate authority, will the cache on the device in the branch office be cleared after 24 hours anyway? Is there a way to keep the VPN working if the CPSM/CRL Server is unavailable?</P> Tue, 09 Aug 2022 09:13:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154760#M26299 startlook 2022-08-09T09:13:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154771#M26300 <P style="font-weight: 400;">Some options exist, do you have a secondary manager?</P> <P style="font-weight: 400;">Please refer:</P> <P style="font-weight: 400;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100731" target="_blank" rel="noopener">sk100731: VPNs go down within 24 hours after primary Security Management server goes down</A></P> <P style="font-weight: 400;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk21156" target="_blank" rel="noopener">sk21156: Disabling CRL checking when authenticating with certificates</A></P> Tue, 09 Aug 2022 11:44:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154771#M26300 Chris_Atkinson 2022-08-09T11:44:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154774#M26302 <P>CRL is an important part of secured VPN. Once CLR cache is expired GWs are supposed to pull the new one. CRL expiration time is set in the Global Properties on your Management Server.</P> <P>If your SmartManagment Server is down for a long time, VPN tunnel failure is very likely. I would suggest Management HA.</P> Tue, 09 Aug 2022 12:05:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Crash-VPN-if-CPSM-server-is-not-available/m-p/154774#M26302 _Val_ 2022-08-09T12:05:43Z