topic Check Point DPD (Dead Peer Detection) - Questions in General Topics

Check Point DPD (Dead Peer Detection) - Questions

Marcel_Gramalla — Thu, 21 Mar 2019 09:13:17 GMT

Hi all,

I have two questions regarding the Dead Peer Detection between our Check Point Cluster and other existing VPN connections to non-Check Point Gateways.

1. Does enabling DPD (Responder Mode) has any impact on existing VPN connections? Can I enable it "on-the-fly" without having any disconnects to the VPN? I haven't found an answer on that yet.

2. If I change a VPN community with non-Check Point Gateways to "Permanent Tunnels" in order to active DPD with GuiDBedit does this have any impact on existing connections?

Thanks in advance for any help

Re: Check Point DPD (Dead Peer Detection) - Questions

Jerry — Thu, 21 Mar 2019 09:17:53 GMT

quickly though:

Ad.1 - it will re-estab SA/SPI indeed
Ad.2. - it will re-estab the tunnel

ps. any changes to the proxy-id or any crypt.conf params will re-key and re-estab SA/SPI

Re: Check Point DPD (Dead Peer Detection) - Questions

Marcel_Gramalla — Thu, 21 Mar 2019 09:33:43 GMT

Thanks for the quick reply. That means that we have to announce it so that if there is any issue our partners know about it.

Re: Check Point DPD (Dead Peer Detection) - Questions

Jerry — Thu, 21 Mar 2019 09:41:11 GMT

it will in 100% impact/affect an existing tunnel(s) so yes, that should be announced and planed for so called "maintenance window" 🙂

cheers

Re: Check Point DPD (Dead Peer Detection) - Questions

Ravindra_Katrag — Wed, 11 Sep 2019 16:07:24 GMT

Is there any way to check if DPD is enabled?

Re: Check Point DPD (Dead Peer Detection) - Questions

Nick_Doropoulos — Tue, 08 Oct 2019 09:57:42 GMT

Yes, there is. You can check with the GuiDBedit tool under Network Objects >> network_objects:

I hope this helps.

Re: Check Point DPD (Dead Peer Detection) - Questions

Ravindra_Katrag — Thu, 31 Oct 2019 14:48:12 GMT

Thank you

Re: Check Point DPD (Dead Peer Detection) - Questions

Nick_Doropoulos — Mon, 04 Nov 2019 14:54:45 GMT

My pleasure!

Re: Check Point DPD (Dead Peer Detection) - Questions

nagaraja_cs — Tue, 05 Nov 2019 12:15:54 GMT

Can we achieve VPN redundancy with 3rd party Gateways by enabling DPD(In R80.10 or R80.20) ?

Re: Check Point DPD (Dead Peer Detection) - Questions

Ted_Serreyn — Mon, 20 Jul 2020 19:08:26 GMT

Can we enable Dead Peer detection on the third party devices only? Or do we have to enable it on the checkpoint gateways also? My understanding is if enabled on the checkpoint gateways it affects all other VPNs?

Re: Check Point DPD (Dead Peer Detection) - Questions

Timothy_Hall — Tue, 21 Jul 2020 04:20:25 GMT

You can set DPD per remote gateway via the tunnel_keepalive_method variable in GUIDBedit as described in this lengthy thread, you don't have to change this value for your Check Point gateway:

https://community.checkpoint.com/t5/Next-Generation-Firewall/Enable-DPD-on-R80-20/m-p/32605

Starting in R81 tunnel_keepalive_method will be set to DPD by default on all Interoperable Device object types.

Re: Check Point DPD (Dead Peer Detection) - Questions

Gavin — Sun, 04 Oct 2020 15:50:19 GMT

Do you know how to capture DPD packets in any way? I could see tunnel test in the logs, but seem to be missing how to spot DPD packets. I can't see them in TCPDUMP as they are encrypted. I would really appreciate some guidance on this. I am working on an AWS VPN issue where I think the tunnels are being shut down regularly and I would like to spot what is going on. I have a TAC case open but every time I ask the question they seem to swerve around it.

Re: Check Point DPD (Dead Peer Detection) - Questions

PhoneBoy — Sun, 04 Oct 2020 16:25:52 GMT

fw monitor should show the packets as they are encrypted/decrypted.

Re: Check Point DPD (Dead Peer Detection) - Questions

Hussien_Wahab — Mon, 16 Jan 2023 11:25:47 GMT

AWS sends "isakmp-nat-keep-alive" packets that are outside the DPD tunnel health monitoring, please see the packets in red (the ones in blue are for the actual DPD that keeps the tunnel status up and alive)