topic Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE in Spark Firewall (SMB)

Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Mon, 27 Feb 2023 12:41:26 GMT

Hi,
We have been experiencing an unstable VPN connection at one of our sites. VPN tunnels randomly go down. Looking at the log in the web portal shows "Peer closed connection" and "The peer is no longer responding" between the gateways. We can also see logs like "Informational Exchange Received Delete IPSEC-SA from Peer" coming from the remote gateway. Following is an example of one of the events:

Looking at ike.elg log file indicates towards lots of INVALID-COOKIE before and after phase 1 and phase 2 ike negotiation.

Troubleshooting steps taken:
1. Cross-checked VPN site settings on both ends
2. Delete and recreate VPN sites on both ends
3. Increased WAN bandwidth from ISP

SMB gateway: 1450 Appliance | Version: R77.20.75 (990172321)

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

PhoneBoy — Mon, 27 Feb 2023 23:45:03 GMT

Before spending too much time troubleshooting this, I recommend upgrading to the latest firmware.
The most recent can be obtained from here: https://support.checkpoint.com/results/sk/sk153433

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Mon, 27 Feb 2023 23:53:05 GMT

Make sure "keep ike SAs" in global properties is enabled.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Tue, 28 Feb 2023 11:04:52 GMT

We are running our gateways with local management. Is it possible to check and enable "keep ike SAs" without a management server?

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

G_W_Albrecht — Tue, 28 Feb 2023 12:42:50 GMT

Why ? See explanation in sk142355: Enabling this parameter changes the behavior so that the Security Gateway keeps all Phase 1 and Phase 2 keys after a policy installation to work around interoperability issues with 3rd party VPN peers.

I do not see any issue after policy installation mentioned here...

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

G_W_Albrecht — Tue, 28 Feb 2023 12:48:37 GMT

Best next steps:

- upgrade to latest firmware

- if the issue persists contact TAC

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Tue, 28 Feb 2023 14:20:27 GMT

Not that I know of...I believe that option is only available as per below (from smart console):

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Tue, 28 Feb 2023 14:52:51 GMT

Thank you. For local management, I found it under Device > Advanced Settings > VPN Site to Site global settings - Keep IKE SA Keys.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Tue, 28 Feb 2023 14:53:56 GMT

Good stuff, learned something new today. So any way to tell if it helps or it may take some time?

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Chris_Atkinson — Tue, 28 Feb 2023 14:57:03 GMT

Are you planning to upgrade to R77.20.87 JHF ?

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Tue, 28 Feb 2023 14:58:06 GMT

We are trying with keeping the IKE SAs and observing the tunnel for the next several hours. Finger crossed.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Tue, 28 Feb 2023 14:59:35 GMT

Honestly, even if that works, I would still upgrade to latest version available. It never hurts to do that with these SMB appliances, it can only help.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Tue, 28 Feb 2023 15:00:40 GMT

Unfortunately, my user account does not have enough privileges to download the hotfix that @PhoneBoy suggested. Logged a separate support on this. Awaiting response.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

PhoneBoy — Tue, 28 Feb 2023 17:55:03 GMT

Yes, because your account must be associated with a support agreement.
This is required to download most things from UserCenter.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Tue, 28 Feb 2023 18:01:55 GMT

Hey @Hsanity ...any luck with changes made?

Andy

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hsanity — Wed, 01 Mar 2023 07:10:46 GMT

There were still tunnel drops after switching to keep ike SAs. But After upgrading to the latest JHF | fw1_sx_dep_R77_990173120_20.img, haven't had a single tunnel drop in the last 12 hours. This looks promising! But I must say, We have about fifteen other 1450 firewalls that have VPN tunnels to the same central site and this is the only gateway causing issues without the JHF. Thanks so much for the file @the_rock.

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

G_W_Albrecht — Wed, 01 Mar 2023 08:02:11 GMT

As i wrote above: Afaik and refering to sk142355, your issue has nothing to do with Keep IKE SAs...

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Chris_Atkinson — Wed, 01 Mar 2023 09:59:37 GMT

They all need upgrading in that case as R77.20.75 has been End-of-support for almost 3-years already.

Refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/

Re: Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

the_rock — Wed, 01 Mar 2023 10:46:10 GMT

Glad it helped you.