topic Re: VPN issue stuck in Phase 1 and sometimes disconnects in General Topics

VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Thu, 31 Jul 2025 08:11:51 GMT

Hi Everyone,

Apologies for my beginners knowledge regarding Checkpoint , but I am having an issue with VPN tunnel from our HQ in Germany to one of the office in US. VPN gets stuck at phase 1 most of the times and sometimes it gets disconnected too but it is rare. As primary responsible is not available for some days and its a production environment , I need to find a fix. to make it work temporarily, I have to reset the tunnel and it starts working for some random time. I could not find the issue via smart console logs. Has anyone experienced something like this and secondly has anyone used a script to reset tunnel whenever it is down or after an hour or so as a work around or some other solution.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

P_Williams — Mon, 04 Aug 2025 13:34:48 GMT

Is the VPN failing or is it running OK? I have seen the GUI say 'UP - Phase 1' without there being any issues reported.

Go onto the CLI in expert mode and do

#vpn tu

Option 3, put in the remote gateway address

Option 4, put in the remote gateway address

It might be that there is a mismatch between the encryption domains.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Mon, 04 Aug 2025 15:29:13 GMT

Hi, The VPN fails and the services are disrupted until tunnel is reset. No changes were done for VPN related configurations but this issue arose and it stucks on phase 1 randomly and just for two peers. I am using same VPN community with headquarter and other peer, it is working fine there. I verified vpn tu and it shows same IKE SA, could not find any mismatch will now.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Tue, 05 Aug 2025 01:29:45 GMT

Hey @Zee

No worries, we are here to help. Just wondering, how is tunnel management tab configured inside the community object? Did this work and just started recently or was issue always there?

Any relevant logs you can send? Did you try do simple debug as below:

vpn debug trunc

vpn debug ikeon

-generate some traffic (30 seconds or 1 minute)

vpn debug ikeoff

Get ike* and vpnd* files from $FWDIR/log dir

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Tue, 05 Aug 2025 12:29:04 GMT

Hi,
It was working before 15 July and no changes related to VPN was done which could have caused such an issue in my opinion. I have sent the debug files to TAC support but still have not heard anything relevant. I tried to verify the logs myself but could not found something specific to Phase 1 stuck issue. Moreover, I could not open iked0.elg via ikeview tool as I read somewhere that in R81.20, it should be ike.elg or trace file should have some relevant data.
The issue is very random, sometimes it wont arise for hours. I made a script to reset tunnel after 30 mins for now, but even with that sometimes it gets stuck and have to reset twice. (just a work around). The VPN community is same for HQ fw and all other FWs but the issue is with one office to HQ fw, other vpn tunnels are fine.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Tue, 05 Aug 2025 12:55:47 GMT

K, so couple points about that setting. The way you have it is fine, BUT, in such case, I would make sure you use VTIs and set enc. domains as empty group. I find that works 100% of the time.

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Tue, 05 Aug 2025 13:49:07 GMT

FWIW, check out this post I made last year. Thats pretty much how I set up any route based tunnel (regardless if its Azure or not) and works fine.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Tue, 05 Aug 2025 14:05:14 GMT

We are not using VTIs and enc. domains have the same IP pools which were before. The randomness of the issue has confused me 🙂

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Tue, 05 Aug 2025 14:08:36 GMT

Not to sound funny now when I say this, but any time people tell me "O, this used to work yesterday", my answer is always "Well, I was a year younger last year, now Im not"...It would be nice if there was real time machine haha : - )

Anyway, lets see what we can do to help. Are you allowed to send debug file? I would be happy to check it.

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Fri, 22 Aug 2025 11:07:36 GMT

I understand, there is something wrong which is causing this issue somehow. I don't know if this can help but these are some of the logs related to both fw in iked.elg files. Unfortunately, can not send the debug file as it is not allowed and ignore the IP prevention.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Tue, 05 Aug 2025 16:13:11 GMT

Here is where I would start, or try to get this info...does it show which packet of phase 1 is it failing? Because you can totally forget about enc. domains, since thats always related to phase 2, but its not even getting there. So, for example, if it was failing on packet 4 phase 1, thats PSK issue, but anything before, most likely its not agreeing on algorithms.

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Wed, 06 Aug 2025 08:59:53 GMT

Thank You for help Andy. I am following the same process to get the logs but somehow I am not getting relevant logs for the fw peer which is having this issue. The above mentioned logs were the only one which I could gather at the time of issue. May be I am doing something wrong. Secondly, after the script which is working after every 30 mins twice after 5 secs, the issue just comes 2-3 times in a day, earlier it was like more than 10 times. Do you think if the issue was with algo or PSK, resetting the tunnel would resolve the issue temporarily?

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Wed, 06 Aug 2025 11:19:52 GMT

You can try that, does not hurt, but logically, it might not do anything to reset PSK unless there is log showing thats the issue. Plus, if PSK was the problem, tunnel would NEVER work to begin with 🙂

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Wed, 06 Aug 2025 11:21:54 GMT

True, I will dig down more and see what TAC has to say, but idk why resetting the tunnel resolves the issue.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Wed, 06 Aug 2025 11:23:37 GMT

Is this CP to CP?

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Wed, 06 Aug 2025 11:46:12 GMT

Yes, from HQ to one branch in another country. Almost all other CP FW which have a tunnel with HQ does not have this issue, except this one.

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Wed, 06 Aug 2025 11:51:23 GMT

Is it star or mesh community? If star, I fixed this sort of issue once by "flipping" centre and satellite gateways around, not sure if you can try that.

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Wed, 06 Aug 2025 12:15:29 GMT

It is working in a mesh community actually

Re: VPN issue stuck in Phase 1 and sometimes disconnects

the_rock — Wed, 06 Aug 2025 12:18:58 GMT

K, got it...I mean, you can try reset PSK, does not hurt and test.

Andy

Re: VPN issue stuck in Phase 1 and sometimes disconnects

Zee — Wed, 06 Aug 2025 14:45:23 GMT

I stopped the script and its been 24 hours I have not seen the issue with the same configurations. I am also thinking of an ISP issue but its a far stretched thought for now.