Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
flachance
Advisor

after a cluster failover (Cloudguard) the VPN tunnel gets disconnected

We have a vpn tunnel between two cluster, one is a pair of OpenServers and the other Cloudguard in Azure.

For the one on OpenServers the gateways are running R80.40. The gateways in Azure we just updated to R81.10.

Since the upgrade when there is a failover in the Cloudguard cluster, the VPN doesn’t work anymore. A quick fix to get it back seems to be re-installing the policy.

Last time we noticed in SmartView monitor the status of the VPN was Up-Phase1. Anyone seen something like this?

0 Kudos
3 Replies
AaronCP
Advisor

How long does the outage last when you failover? I remember we had similar issues with our CloudGuard cluster on failover, where it would cause up to a 5 minute outage to our on-prem cluster. The failover would eventually complete and the tunnel would re-establish.

 

Did you get this issue when your CloudGuard cluster was running another OS version?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Depending on the Azure API the failover time should be ~ 2 minutes for VPN scenarios.

 

  • Are both clusters under the same management i.e. is either defined as an Interoperable device object?

In R81 and above we changed the tunnel keep alive to DPD by default for 3rd party devices... refer sk108600 scenario 5.

  • Also is keep_IKE_SAs configured?

This property is available under Global Properties -> SmartDashboard Customization -> Advanced Configuration -> VPN advanced properties -> VPN IKE properties.

CCSM R77/R80/ELITE
0 Kudos
flachance
Advisor

So here are some additional details.

We experienced the issue only after upgrading to R81.10.

The participating gateways are two clusters. One is Checkpoint R80.40 running on OpenServers. The other is Checkpoint R81.10 on Cloudguard (Azure).

They are managed by the same management server running R81.10.

The cluster failover happens fairly quickly but as far as I know the VPN tunnel stays down indefinitely. Until we install the Policy which seems to kick in something and make it works.

Keep_IKE_SAs is configured.

I looked at SK108600 scenario 5, should we use DPD over Tunnel_Test even with all members being CheckPoint?

It’s a Meshed VPN tunnel. With the following propertiesvpn1.JPGvpn2.JPGvpn3.JPG

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.