https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47468#M3527 <P>We have what I would call a sensitive application that is somehow losing it's connection when Phase 1 re-keys on the VPN tunnel the traffic is being tunneled through. I think it's likely a combination of gateway/tunnel settings that could be modified but also just a sensitive application. The application disconnects were a mystery at first until we closely correlated these to the phase 1 re-keys on the VPN tunnel through which the traffic is passing.</P><P>Any information on what we might be able to monitor or modify in these VPN tunnels or gateway settings would be much appreciated. The tunnel setup is on R80.10 management and HA gateway using ClusterXL. We have Clustered gateways on each end of the VPN tunnel and have VPN tunnels to multiple sites. We have staggered the re-keys to no avail...thinking it was somehow tied to the multiple satellite gateways and the central gateway was not able to handle the multiple re-keys. This staggering re-key change did not improve the application disconnects.</P><P>&nbsp;</P> Mon, 18 Mar 2019 14:45:58 GMT Heath 2019-03-18T14:45:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47468#M3527 <P>We have what I would call a sensitive application that is somehow losing it's connection when Phase 1 re-keys on the VPN tunnel the traffic is being tunneled through. I think it's likely a combination of gateway/tunnel settings that could be modified but also just a sensitive application. The application disconnects were a mystery at first until we closely correlated these to the phase 1 re-keys on the VPN tunnel through which the traffic is passing.</P><P>Any information on what we might be able to monitor or modify in these VPN tunnels or gateway settings would be much appreciated. The tunnel setup is on R80.10 management and HA gateway using ClusterXL. We have Clustered gateways on each end of the VPN tunnel and have VPN tunnels to multiple sites. We have staggered the re-keys to no avail...thinking it was somehow tied to the multiple satellite gateways and the central gateway was not able to handle the multiple re-keys. This staggering re-key change did not improve the application disconnects.</P><P>&nbsp;</P> Mon, 18 Mar 2019 14:45:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47468#M3527 Heath 2019-03-18T14:45:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47488#M3533 extending of the phase-1 re-key TTL would definitely help so you can make an attempt of making sure that re-keying is happening "over night" or simply out-of-business hours. This way you can prevent of re-keying happening during the peak time of application usefulness. Hope it helps, but if not I believe that "tweaking" IPSec CryptoSuite would definitely be required at this point. Mon, 18 Mar 2019 16:54:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47488#M3533 Jerry 2019-03-18T16:54:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47511#M3535 <P>Yes, we have tried this but the admins are saying there shouldn't be any downtime. I tend to agree because of the redundancy and we have never seen this before where a re-key caused a disconnect or interruption in application connectivity.</P> Mon, 18 Mar 2019 20:02:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Tunnel-Phase-1-Re-key-Causing-Application-Disconnects/m-p/47511#M3535 Heath 2019-03-18T20:02:03Z