https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244368#M40776 <P>Unless you have Permanent Tunnels/DPD enabled it is possible for your VPN peer to go down or become unreachable, but the tunnel still looks "up" from your end, at least until the next Phase 2 re-key which could be up to 60 minutes later by default.&nbsp; At that point you would get an error about the tunnel being down, but it could have actually died up to 60 minutes ago.&nbsp;</P> <P>If you have Permanent Tunnels (CP gateways) or DPD (interoperable gateways) enabled, there is a setting in the VPN Community that can fire an alert when the tunnel is detected down, which should happen within roughly 60 seconds of the failure.</P> Thu, 20 Mar 2025 18:11:28 GMT Timothy_Hall 2025-03-20T18:11:28Z https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244329#M40771 <P>Hi All<BR /><BR />is it possible to know exactly when a vpn went down? are we talking about an s2s vpn? is there a command that can help?<BR /><BR /></P> Thu, 20 Mar 2025 14:10:13 GMT https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244329#M40771 RemoteUser 2025-03-20T14:10:13Z https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244332#M40772 <P>Maybe this helps:</P> <P>vpn tu tlist</P> <P>But it is a difficult question, because if the tunnel is ''up'' with p1 p2 it still can be that for the user the tunnel is not working.&nbsp;</P> <P>Or a part of the tunnel works and other part does not work (if you have more subnets in one tunnel).&nbsp;</P> <P>You can check the firewall logs and check for logs from local enc domain towards remote and the other way around. Good indication is also to check logs from and towards remote peer IP.&nbsp;</P> <P>Tunnel config also has p1 and p2 timers, most of the time if timer is reached new p2 or p1 is created.&nbsp;</P> <P>In R82 you can configure VPN probes, those are hosts that you ping via the tunnel to check the status. Check it here:</P> <P><A href="https://support.checkpoint.com/results/sk/sk181994" target="_blank">https://support.checkpoint.com/results/sk/sk181994</A></P> Thu, 20 Mar 2025 14:38:35 GMT https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244332#M40772 Lesley 2025-03-20T14:38:35Z https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244368#M40776 <P>Unless you have Permanent Tunnels/DPD enabled it is possible for your VPN peer to go down or become unreachable, but the tunnel still looks "up" from your end, at least until the next Phase 2 re-key which could be up to 60 minutes later by default.&nbsp; At that point you would get an error about the tunnel being down, but it could have actually died up to 60 minutes ago.&nbsp;</P> <P>If you have Permanent Tunnels (CP gateways) or DPD (interoperable gateways) enabled, there is a setting in the VPN Community that can fire an alert when the tunnel is detected down, which should happen within roughly 60 seconds of the failure.</P> Thu, 20 Mar 2025 18:11:28 GMT https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244368#M40776 Timothy_Hall 2025-03-20T18:11:28Z https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244370#M40777 <P>Something like what I attached, though someone from TAC gave me this while back, but they said it might not always be 100% reliable.</P> <P>Andy</P> Thu, 20 Mar 2025 18:48:05 GMT https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244370#M40777 the_rock 2025-03-20T18:48:05Z https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244372#M40778 <P>You can also probably use tool called checkmk or something along those lines. I tested it in the lab last year, looked pretty reliable.</P> <P>Andy</P> Thu, 20 Mar 2025 18:54:01 GMT https://community.checkpoint.com/t5/General-Topics/S2S-VPN-DOWN-When/m-p/244372#M40778 the_rock 2025-03-20T18:54:01Z