https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212380#M40313 <P>Thank you, that makes sense. We will look to increase the CRL timeout.&nbsp;</P><P>Much appreciated. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Fri, 26 Apr 2024 13:06:27 GMT Mike-H 2024-04-26T13:06:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212366#M40309 <P>Hello,&nbsp;</P><P>We have a number of 1450's and 1570's connected in a site to site VPN to our primary co-lo VSX firewalls. These are also connected to an MDSM. Should the MDSM become unavailable for a period of time (+12 hours) we find that the 1450's and 1570's will fail to rekey thus taking down their VPN connection, which is less than ideal.&nbsp;</P><P>Is this 'by design'/'unavoidable' or is there something we can do to prevent the gateways from dropping should the management server experience issues?&nbsp;</P><P>Thanks</P><P>Mike</P> Fri, 26 Apr 2024 08:33:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212366#M40309 Mike-H 2024-04-26T08:33:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212374#M40311 <P>I believe it used to be 24 hours, but might be different now. Is there anything you can do to prevent that? personally, I cant think of anything, because it relies on mgmt server for that sort of communication.</P> <P>Andy</P> Fri, 26 Apr 2024 12:26:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212374#M40311 the_rock 2024-04-26T12:26:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212375#M40312 <P>The VPN is going down because certificates are used for IKE Phase 1 authentication; when a rekey occurs the CRL must be retrieved from the SMS/MDS to ensure the certificate has not been revoked.&nbsp; There is a cache for the CRL on the gateways that will help if the SMS/MDS is down for a short period, but if it is down long enough the cached CRL entries will expire and the VPN breaks at the next rekey.</P> <P>You can extend the CRL cache timeout or even disable the CRL checking completely as described here:</P> <P><A href="https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-does-SMB-gateway-CRL-fetching-work/m-p/198172/highlight/true#M9798" target="_blank" rel="noopener">https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-does-SMB-gateway-CRL-fetching-work/m-p/198172/highlight/true#M9798</A></P> <P>&nbsp;</P> Fri, 26 Apr 2024 12:32:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212375#M40312 Timothy_Hall 2024-04-26T12:32:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212380#M40313 <P>Thank you, that makes sense. We will look to increase the CRL timeout.&nbsp;</P><P>Much appreciated. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Fri, 26 Apr 2024 13:06:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-appliances-reliance-on-management-server/m-p/212380#M40313 Mike-H 2024-04-26T13:06:27Z