topic Re: Site to Site VPN frequently UP and DOWN issues in Spark Firewall (SMB)

Site to Site VPN frequently UP and DOWN issues

pyiephyohtay — Fri, 22 Dec 2023 09:23:47 GMT

Dear Members,

Currently, I have a Site-to-Site VPN connecting the HQ site, which utilizes a Checkpoint Quantum Spark 1550 appliance, to the Branch site,which employs a Palo Alto 220. Phase 1 lifetime set 8 hour in both and Phase 2 lifetime set 1 hour in both firewalls.

The tunnel is up and running, but during a recent blackout at the HQ site that lasted for an hour, the VPN tunnel went down. Once power was restored, the VPN tunnel reestablished itself. However, a new problem emerged - after a few minutes, the tunnel began going down and up frequently.

To address this issue, I attempted to clean both Phase 1 and Phase 2 from the HQ site (using Checkpoint) by using the CLI command "vpn tunnelutil 0." After executing this command, the tunnel remained stable for the entire day.

I am uncertain whether this is beyond my knowledge of both firewalls for troubleshooting. The UDP timeout session for both firewalls is set to 30 seconds. How can I resolve these issues without resorting to running the CLI command "vpn tunnelutil 0"? This is crucial as blackouts occur four times a day in our country.

Please, could you kindly help me with these issues?

Re: Site to Site VPN frequently UP and DOWN issues

G_W_Albrecht — Fri, 22 Dec 2023 09:45:34 GMT

I would suggest to contact CP TAC to get help !

Re: Site to Site VPN frequently UP and DOWN issues

pyiephyohtay — Fri, 22 Dec 2023 09:54:46 GMT

Dear Albercht,

Thanks for your suggestion bro.

Re: Site to Site VPN frequently UP and DOWN issues

G_W_Albrecht — Fri, 22 Dec 2023 11:23:53 GMT

A blackout should not change anything in VPN configuration on flash-based SMBs so i think this could rather be some configuration issue.

Re: Site to Site VPN frequently UP and DOWN issues

the_rock — Fri, 22 Dec 2023 19:40:30 GMT

Is SMB locally or centrally managed? I would also contact TAC for this, but maybe before you do, upgrade SMB appliance to the latest firmware, as Im sure that will be siggested.

Make sure in smart console, when you go to blobal properties -> advanced -> configure -> vpn -> ike, keep ike SAs is enabled

I would also check below

Best,

Andy

Re: Site to Site VPN frequently UP and DOWN issues

pyiephyohtay — Tue, 26 Dec 2023 14:36:00 GMT

Dear The Rock,

It's locally managed and current version is latest.

As I understand it, Tunnel Health Monitoring, specifically the 'Tunnel Test' (Checkpoint Proprietary), is employed when both sides of the firewall are Checkpoint. My current design, however, involves a connection from Checkpoint to Palo Alto. Is my understanding correct, and is this why I am utilizing the 'Tunnel Test'?

Should i also contact TCA for this?

Re: Site to Site VPN frequently UP and DOWN issues

the_rock — Tue, 26 Dec 2023 14:40:47 GMT

I think if you call them and do remote, hope they would be able to help.

Best,

Andy

Re: Site to Site VPN frequently UP and DOWN issues

pyiephyohtay — Tue, 26 Dec 2023 14:49:14 GMT

Exactly bro, Coz i have another site to site VPN from HQ site to Azure tunnel is stable, even when the HQ to Branch site VPN happen up down issues, So, Maybe i was mis configuration for that then i tried to triple check the both firewall but still not ok.

Re: Site to Site VPN frequently UP and DOWN issues

pyiephyohtay — Tue, 26 Dec 2023 14:51:35 GMT

Yes bro that is the only way to solve for the issues.😄

Thanks for the help me to answer bro.