Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kamiar_Sh
Contributor

Enable DPD on R80.20

Hi everyone,

I have upgraded R77.30 to R80.20 recently and I am new with R80.20 , I have 20  IPsec Tunnel terminated to my cluster firewalls and here is my question:

1-there is an issue on one IPsec tunnel with 3rd party and I need to enable DPD mode ( the tunnel is not permanent) so if I enable DPD mode is there any impact to other tunnels?

and here is the tunnel config:

IKEv1

Phase 1

AES-256

SHA-256

DH:Group5

Renegotiation IKE security  1440 minutes

appreciate if someone can assist me to resolve the issue

29 Replies
PhoneBoy
Admin
Admin

If I understand the documentation correctly, you can only use one monitoring method (DPD or Tunnel Test) per gateway.

0 Kudos
Kamiar_Sh
Contributor

Hi Dameon,

as far as I know DPD is not enabled on gateways and Keep_IKE-SAs is not checked so what do you suggest ?

0 Kudos
PhoneBoy
Admin
Admin

DPD is not enabled by default, that much I know. 

I'll have to confirm my understanding with R&D.

You may also want to check with the TAC as well. 

How To Open a Case with TAC and/or Account Services

Kamiar_Sh
Contributor

Hi Dameon,

do you have any update from your R&D team? if I enable DPD does it have any impact to existing IPsec tunnels?

0 Kudos
PhoneBoy
Admin
Admin

To clarify, the setting controls the method the given gateway can be probed by (Tunnel Test or DPD).

A given gateway can be probed by one or the other, not both.

If you configure the remote gateway object to use DPD and the others in the community remain set to Tunnel Test, your gateway will probe the remote gateway with DPD and the others will use Tunnel Test.

Which I think is what you're after.

Kamiar_Sh
Contributor

Thanks Dameon for your reply

so in this case are the following steps are correct?

1- enable "keep_IKE_SAs " from smart dashboard , global properties , Advanced VPN configuration and then push the policy

2-  Backup the Check Point Registry:

 [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL  

 [Expert@HostName:0]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1 

 [Expert@HostName:0]# cpstop ; cpstart

or just step 1 is enough?

0 Kudos
PhoneBoy
Admin
Admin

I believe you need to do both.

That's in addition to setting the tunnel_keepalive_method property in the remote object to dpd, of course.

Beverley_Cudd
Contributor

We have a similar issue in that our 3rd parties remote gateways intermittently drop because our local peer (gateway) is apparently not responding to DPD requests.

All our 3rd party vpn's are not Checkpoint so to enable our end to respond to DPD requests do we need to edit the peer gateway object in guidbedit and will this require a restart of just the Management station or the gateway as well?

Thanks

0 Kudos
PhoneBoy
Admin
Admin

If a particular gateway requires the use of DPD, then you must use guidbedit to edit the object of the remote gateway that requires it.
This requires a policy installation on your gateway to take effect and does not require a restart of either the management or gateway.
0 Kudos
bob81
Explorer

What about enabling dpd responder mode only for a single gateway? We had the same intermittent issue where some 3rd party VPN (AWS mostly) drop because our gateway didn't respond to dpd within the last 30s. Looks like dpd responder mode could only be enabled globally and not on a per peer basis.

 

Thanks

🙂

 

0 Kudos
Dale_Lobb
Advisor

Yeah, I'm wondering about that, too.  The site to site VPN guide isn't very clear on exactly what happens, but between that and sk108600, it looks like passive responder mode is universal.  Does anyone else concur or know that to be true?

We also have an issue with an AWS cloud based app that has gone down hard twice now in 90 days.  Unfortunately, it's a critical app for our business.  The provider's VPN support is blaming the fact that we do not have Dead Peer Detection turned on.   It looks like a small glitch in connectivity causes the darn AWS VPN gateway to start DPD detection and once it does, it's a slow downward spiral over a couple of hours with more and more SAs being deleted until it finally deletes the IKE keys and shuts up.  Once that happens, the AWS gateway has to be reset to restore connectivity.

In talking with my CISCO based peers, it seems that they pretty much automatically enable DPD when configuring a VPN.  I think they call it "IKE Keepalives".  This might explain some mysterious behavior I've seen over the years when working with CISCO interoperable devices. 

Anyway, does anyone know of any gotchas when enabling DPD in either passive or active mode?

And what's with all this hidden configuration stuff?  One has to use the registry and edit the database directly using guidbedit or dbedit to set the parameters?  That sucks because it's not transparent to future admins.

0 Kudos
PhoneBoy
Admin
Admin

Considering DPD must be enabled per-peer by editing the relevant gateway object and you must explicitly tweak the registry on each gateway doing DPD, I'm pretty sure any sort of DPD is not default.
0 Kudos
Bakher_Khalidi
Explorer

For Permanent Tunnel the Default mode is "tunnel_test" (Check Point Proprietary). With GuiDBedit or dbedit you can change the mode to either 'dpd' (Active DPD) or 'passive' (Passive DPD). 

0 Kudos
PhoneBoy
Admin
Admin

It is enabled per-peer by editing the remote gateway object as described in sk108600,
0 Kudos
Dale_Lobb
Advisor

Hmmm.  Both sk108600 and the Site to Site VPN Admin Guide only talk about using ckp_regedit on the gateway to enable DPD responder mode and no other requirements are listed.  That makes it sound like DPD responder mode is universal.  If it still requires a special community and per gateway dbedit to activate, like is mentioned for DPD active mode for permanent tunnels, then that requirement is not apparent from the way the documentation is written.  Perhaps the docs need to be updated?

 

 

0 Kudos
PhoneBoy
Admin
Admin

I guess the guidbedit is only required if you want a permanent tunnel using DPD.
Which I assume is similar to "IKE Keepalives" on Cisco.
0 Kudos
Kim_Moberg
Advisor

Hi Kamiar,
Is it a Cisco device at remote site?
I have had similar issues but did not end up with enabling DPD.
Instead we changed the rekey time.

Ike policy
Aes256
Sha
DF Gr 5
Rekey 60 min (3600 sec)

Ipsec policy
Aes256
Sha
DF gr 5 (Pfs enabled)
Rekey 3600 sec

This have been running stable ever since with 3rd party equipment like Cisco Asa5505 and asa5506-X.

Best Regards
Kim
0 Kudos
bob81
Explorer

On our side this occur with all non Checkpoint VPN remote gateway. All of them are saying the same thing. We are normally responding to "dpd are you there" messages, but sometime we stop responding and after all 3rd party tunnel goes down at the same time.

That being said, last week we enable keep_ike_sa on our global configuration following recommendation from checkpoint support, that change did leverage the issue duration, but didn't help with the frequencies of those outage.

Looks like we still stops responding "dpd are you there" message but most of the time we are answering to it. That still cause us issue... We followed SK100726 for tunnel creation with AWS. We put tunnel_keepalive_method = dpd" in GUIDBEdit for the relevent Gateway. We followed sk108600 to enable keep_ike_sa witch reduce the outage lenght. But still having issues.

I'm wondering enabling dpd responder mode "ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1 " will help... but i'm not sure since we are already responding dpd... but not always responding.... witch make the tunnel to flap.

Thanks!

 

 

 

 

 

0 Kudos
Vitaly_Timofeev
Employee
Employee

The DPD mode should be enabled on the GW which you want to be tested with DPD.

So, in your case DPD should be enabled on the Cisco device object (in guidbedit), which means that all the tunnels to this Cisco device would be monitored with DPD. Other tunnels from your CP device should not be affected as there should be no change on the CP object. This also requires permanent tunnel to be defined between CP and Cisco.

If you do not want to define a permanent tunnel with the peer you can use forceSendDPDPayload parameter in order to force our GW to declare DPD support. Important to mention that it doesn't mean that we will send DPD, it only means that we will declare our support of DPD and peer will be able to send the DPD packets to us and we will reply them.

Regarding keep_IKE_SAs - we recommend to enable it without any relevance to DPD. It should only be disabled in case it is a security requirement in your organization to clear all the tunnels on policy installation. We are even considering to change the default of this setting to be true in the future versions.

As a part of this discussion we are going to review our decisions regarding DPD declaration, proposal and usage to see if default values can be changed to get a better usability with 3rd parties including public cloud vendors.

G_W_Albrecht
Legend
Legend

Just a grain of salt : Permanent tunnels are are nice-to-have thing that looks pretty good - but usually, i just need the traffic flow thru S2S VPN to work ! If the VPN peers are not always helpful, you can always have a server from one site ping a server in another site in regular intervals 😉

CCSE CCTE CCSM SMB Specialist
0 Kudos
bob81
Explorer

@Vitaly Do you think that enabling foreSendDPDPayload could help with our issue? Since our gateway stops responding to dpd and when that occurs we have issues. Also what are the impact of enabling this? Is it something that could be enable on the fly or we should an outside of business hour maintenance?
Thanks 🙂
0 Kudos
Vitaly_Timofeev
Employee
Employee

Hi Bob,

I think that the best way to work would be to work with permanent tunnel and DPD defined on Cisco object.

Force send DPD is a temporary parameter and would be reworked.

0 Kudos
bob81
Explorer

We are already running permanent tunnel and dpd defined on the object (keepalivemethod=dpd) and we are getting the result that we are having right now.

 

I'm trying to find a way to make it work properly.

 

Thanks

0 Kudos
PhoneBoy
Admin
Admin

0 Kudos
bob81
Explorer

Already with them since almost 2months on this case and still struggling with the issue. We've now just been sent to escalation engineer will see what's happen.

 

Thanks

0 Kudos
bryanastudillo
Participant

Hello,

 

So to enable dpd in a community, I only have to enable dpd in the object of the peer gateway and not in my security gateway checkpoint?

0 Kudos
Bakher_Khalidi
Explorer

That is correct!

0 Kudos
hazemshoeib
Explorer

Hi @bob81 ,

Would you please update us with the final conclusion of this issue (if you still remember it :))?

0 Kudos
Kamiar_Sh
Contributor

our 3rd part uses Generic Linux server, CentOS 6.9 as the gateway

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events