https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250165#M48857 <P>Curious... what do you mean by "after a while"? &nbsp;What time interval (be as precise as you can) is this?</P> <P>I'll hazard a guess, however: if it's 1 hour, then this is an IPsec phase 2 re-key issue. &nbsp;Make sure you have the VPN control connections enabled in your Global Properties, or be certain to have IPsec NAT-Traversal (UDP 4500) allowed in your ruleset.</P> <P>&nbsp;</P> Thu, 29 May 2025 15:20:24 GMT Duane_Toler 2025-05-29T15:20:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250077#M48848 <P>We currently utilize <SPAN class="">certificate</SPAN> <SPAN class="">based</SPAN> <SPAN class="">VPNs</SPAN> between our main cluster and Fortinet and Starlink appliances.<BR />These devices are installed on moving devices.</P><P>We see that the VPNs are established but after a while they go down and we were in logs the different types of errors:</P><P><EM>"Main mode local machine configured not to responde to unknow IP address and or not included in the remoteaccess community"</EM></P><P><EM>"VPN failed to resolve gateway IP address"</EM></P><P>We analyzed the SK related to these issues but we understand that they do not apply to this case.</P><P>We were also surprised to see inconsistencies in the IPs we had in the established tunnels when we consulted them through the VPN tu tlist command.</P><P>Does anyone have any suggestion of what we could analyze?</P> Wed, 28 May 2025 18:52:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250077#M48848 Agust 2025-05-28T18:52:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250083#M48849 <P>What is the sk?</P> Wed, 28 May 2025 19:16:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250083#M48849 the_rock 2025-05-28T19:16:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250086#M48850 <P>Hi&nbsp;</P><P>The SK are&nbsp;sk132332,&nbsp;sk119301 and&nbsp;<SPAN>sk117713&nbsp;but none of them apply to our case</SPAN></P> Wed, 28 May 2025 19:30:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250086#M48850 Agust 2025-05-28T19:30:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250094#M48851 <P>I assume these "moving devices" are Dynamic IP.<BR />Are the necessary interoperable objects defined as such?</P> <P>One issue with DAIP VPN endpoints is that we don't know what IP address they're coming from.<BR />In the case of a Check Point-managed gateway, most likely there is a persistent connection with management that we can use to determine the remote IP to use.<BR />In the case of interoperable objects, we don't have such a mechanism and can only use traffic initiated from the remote VPN to learn about the IP in use.</P> <P>I assume the errors occur when the IP association "times out" due to inactivity.<BR />The fix for this is likely to have something periodically generate traffic through the VPN tunnel to keep it (and the IP association) active.<BR />We have a mechanism called&nbsp;<A href="https://support.checkpoint.com/results/sk/sk181994" target="_self">network probe</A>&nbsp;to do this periodically starting in R82.<BR />If on an earlier release, some other host will need to periodically generate traffic.</P> Wed, 28 May 2025 20:29:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250094#M48851 PhoneBoy 2025-05-28T20:29:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250165#M48857 <P>Curious... what do you mean by "after a while"? &nbsp;What time interval (be as precise as you can) is this?</P> <P>I'll hazard a guess, however: if it's 1 hour, then this is an IPsec phase 2 re-key issue. &nbsp;Make sure you have the VPN control connections enabled in your Global Properties, or be certain to have IPsec NAT-Traversal (UDP 4500) allowed in your ruleset.</P> <P>&nbsp;</P> Thu, 29 May 2025 15:20:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250165#M48857 Duane_Toler 2025-05-29T15:20:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250626#M49009 <P>Hello PhoneBoy<BR />Thank you very much for your response. We're using DAIP in this case to use certificates.<BR />I asked you, would DPD also be a viable option, or would the survey you mentioned earlier only work for us in this case?<BR />Thanks</P> Wed, 04 Jun 2025 16:04:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250626#M49009 Agust 2025-06-04T16:04:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250639#M49013 <P>DPD will definitely help here.</P> Wed, 04 Jun 2025 20:11:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250639#M49013 PhoneBoy 2025-06-04T20:11:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250643#M49015 <P>Implementing DPD definitely won't hurt here.</P> Wed, 04 Jun 2025 20:54:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Problem-with-site-Certificate-Based-VPNs/m-p/250643#M49015 PhoneBoy 2025-06-04T20:54:57Z