topic Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway in Spark Firewall (SMB)

Problems enabling DPD for Centrally Managed 1450 SMB Gateway

Aidan_Luby — Fri, 01 May 2020 16:15:47 GMT

Has anyone successfully been able to get Dead Peer Detection in any mode working on a centrally managed SMB gateway? We just installed FortiGates in our core to terminate the VPNs from our branch CheckPoints (1120s/1450s) and I noticed no matter what settings I use in GUIDBEdit to turn Dead Peer Detection on with permanent tunnels, the 1450 still just constantly sends Tunnel_Test keepalives which the FortiGate Drops.

I have looked at sk131292 and opened a TAC case based on it but the engineer either though this couldn't be done or it should be contained in newer hotfixes. I'm currently on the newest hotfix R77.20.87.

I do see that it says it's a resolved issue in R77.20.70 as well https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120473

I just want to do whatever I can to get this tunnel stable, I've tried changing the FortiGate IKE parameters to subnet mode, tried changing the CheckPoint to tunnel sharing Per Gateway, Per Subnet, Per Host, I've tried permanent tunnels off, I've tried DPD in every setting on the FortiGate side, I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264.

I see the FortiGate keeps sending IPSEC-SA deletes constantly and Dead Peer Detection is what I keep coming back to so both sides agree on how to handle these.

Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway

PhoneBoy — Fri, 01 May 2020 19:13:04 GMT

Not sure if this option exists in a centrally managed configuration, but:

Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway

Aidan_Luby — Fri, 01 May 2020 19:24:20 GMT

Well I think this would be the equivalent GuiDBEdit setting and I've tried it true and false (although I can't really tell if Centrally Managed SMB gateways pay attention to GUIDBEdit settings)

Also most of the advanced settings in the Gaia Embedded Web Gui seem to be hidden when it's Centrally Managed mode, this is all I see:

I've tried editing the equivalent advanced settings in clish but I can't tell if most of those settings are support when it's centrally managed either, especially since in Centrally Managed mode a lot of the clish functionality you'd get in Locally Managed mode to do with VPNs does nothing.

Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway

PhoneBoy — Fri, 01 May 2020 19:40:12 GMT

sk131292 suggests there's a hotfix for this that is integrated into R77.20.80.
However, the settings it tells you to enable in the UI are only relevant when locally managed.
Which suggests it's probably possible for centrally managed, but we need to enable the right options.
A TAC case may be required here.

Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway

HristoGrigorov — Sat, 02 May 2020 03:34:45 GMT

Have you changed this setting:

Re: Problems enabling DPD for Centrally Managed 1450 SMB Gateway

Aidan_Luby — Mon, 04 May 2020 15:41:53 GMT

Yes "I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264." I've then saved the change and pushed policy any time I've made GUIDBEdit changes too.