topic Re: Site-to-site VPN tunnel logs in General Topics

Site-to-site VPN tunnel logs

Gacki — Tue, 14 Mar 2023 09:22:54 GMT

Hello,
I would like to know how to check the log history in the console for a given VPN site to site.

We have a VPN site to site set up with another company, and there was a case that the VPN tunnel was broken for an hour, you can't see anything in the SMS logs, there is only an hour hole, the question is whether it is possible in the console to download logs from a given tunnel at a given time deeper hour.
Thank you very much for help

The sms version is R81.10
Firewall - r81.10

Re: Site-to-site VPN tunnel logs

G_W_Albrecht — Tue, 14 Mar 2023 09:50:55 GMT

Logs at least should show why the tunnel went down and later up again ! If VPN is down it will not log.

Re: Site-to-site VPN tunnel logs

Gacki — Tue, 14 Mar 2023 10:03:20 GMT

Thank you for your help

Re: Site-to-site VPN tunnel logs

Matlu — Fri, 12 Dec 2025 17:25:19 GMT

Hello,
Is there a way to see the “possible root cause” of why a VPN tunnel went down and then came back up, from one moment to the next?

We are having a problem with a VPN, which suddenly “crashes” and then starts working again after a while without any intervention.
Is there a file we can check that might help us with this?

Cheers 🙂

Re: Site-to-site VPN tunnel logs

PhoneBoy — Fri, 12 Dec 2025 17:59:42 GMT

These kinds of "fails and comes back" issues with VPNs are usually caused by mismatches in the configuration on both ends (namely timers related to key renegotiation).
You might have a look at scenario 4 here: https://support.checkpoint.com/results/sk/sk108600

Re: Site-to-site VPN tunnel logs

Matlu — Fri, 12 Dec 2025 18:03:29 GMT

Hello,
Is there a relevant log in SmartConsole that could give us an “idea” of the possible root cause?
Is there any way to help find logs relevant to intermittent issues in the SmartConsole search engine?

Re: Site-to-site VPN tunnel logs

CaseyB — Fri, 12 Dec 2025 19:23:49 GMT

I normally do "blade:VPN AND <public IP of peer>", then filter out accepted / encrypted traffic or filter on reject / key install or something like that, and I generally can fix any VPN issues doing that based on what the logs tell me.

Re: Site-to-site VPN tunnel logs

Matlu — Fri, 12 Dec 2025 20:13:52 GMT

Hello.
Regarding the “Key Install” log type, does it always represent a “problem” with an S2S VPN?
Is it something that needs to be “checked” in detail?

Re: Site-to-site VPN tunnel logs

CaseyB — Fri, 12 Dec 2025 20:25:53 GMT

No, generally the "Key Install" is always a good thing and is an expected log, but I use it to confirm the tunnel is building how I expect it to, as the tunnel could be breaking because of the networks / hosts sent in Phase 2.

For this example, this is the exact IKE ID I expect to see, so I know the encryption domain is not the problem in this direction. This can work properly when 1 firewall initiates traffic and could break if the other side is to initiate as their configuration could be off slightly sending a /29 instead of a /28 or something.

You will see key installs line-up with the timers you have set here:

An example of an issue could be you are seeing "Key Installs" every 15 minutes when they should be around an hour, something is probably off.

Re: Site-to-site VPN tunnel logs

Matlu — Fri, 12 Dec 2025 20:43:36 GMT

Hello @CaseyB

Your last comment is precisely part of my problem.
I am seeing too many recurring Key Install logs for a specific VPN.

And the other problem is that every Friday morning, the VPN goes down and then comes back up without any intervention.

That is why I am trying to find a way to know if the logs show us a reason why this is happening.

Re: Site-to-site VPN tunnel logs

CaseyB — Fri, 12 Dec 2025 21:11:55 GMT

You are going to see a "Key Install" for every IKE SA you are building on the tunnel. So, you do need to examine them to see if they are expected.

Example 1 - I am building at least 5 IKE SAs with this vendor on a tunnel, so I will see multiple "Key Installs" per hour, but that is expected because each IKE SA will probably re-key at a different time. See:

Example 2 - I am building 1 IKE SA on this tunnel, and I should only see one key install per hour.