Hi Checkmates,
I am facing a problem with a Site-to-Site VPN with AWS and I want your help.
I have established a Site-to-Site VPN with AWS and I have 2 Satellite Gateways acting as Primary - Backup.
The problem is that the VPN connectivity is continuously dropping, and AWS told us that my Checkpoint Gateway is sending a delete of the IPSEC Phase 2 SAs. This also happens just after a successful Phase 1 renegotiation. When AWS receives a request to delete the SA, the request is honored. The tunnel is restored after the CGW eventually sends a request to negotiate Phase 2.
I have already looked at all the vpnd logs and ike.elg but I am not seeing anything that could help me.
Do you know if Checkpoint can cause this problem because it is trying to send the traffic over both tunnels at the same time?
Do you know how Checkpoint handles the traffic selection when you have two remote peers inside the same Site-to-Site VPN with the same encryption domain?
Thank you!
Start with sk108600 scenario 4.
Please also confirm your DPD settings, and if the problem also presents after installing policy, see also sk142355.
Thank you very much Chris for your help!! Indeed I checked the value ike_keep_child_sa_interop_devices and I found that it was set to false after the upgrade to R81.10.
We opened a ticket with our contractor to arrange a maintenance window to change this value.
I will inform you after the action is completed and whether the problem is resolved.
Hey @Michalis89
I had an issue that sounds like yours with AWS VPNs in R80.30 and R80.40. Working with a TAC escalation engineer (and the suggestion from @Chris_Atkinson for sk142355), I enabled "keep_IKE_SAs" in the Global Properties "scary place" in that SK.
I also ran a VPN debug at the same time, and saw the message in the debug output:
[vpnd .... [29 Mar 18:48:41] CachedObject::istrue: Cache miss: keep_IKE_SAs: true (1)
Good luck!
PS: I call it the "scary place" when I tell customers so they won't go traipsing through it cavalierly 🙂
Hi Duane, and thank you for your reply! I totally agree with you about the "scary place" 😄
We have already enabled the option "keep_IKE_SAs" in the Global Properties in order to set the Checkpoint as a DPD responder.
We also took the action that @Chris_Atkinson mentioned and set the value of ike_keep_child_sa_interop_devices to true, but nothing changed. The tunnels towards AWS are not stable.
After a lot of investigation I think that the solution to the problem is to set up VTI tunnels towards AWS. This is the only way to support Active - Backup Site-to-Site VPN tunnels inside the same VPN community.
The only drawback of this solution is that VTI tunnels are supported only from R81 and above.
AH! Are you doing it as 'domain-based' VPN or 'route-based' VPN? My customer's AWS VPN is route-based VPN (albeit with static routes). The interoperable object has a VPN domain with a group object that is empty (no group members).
AWS has the VPN template you can download and follow the config samples in their document. You have to use their template because when you download it, they supply the local/remote IPv4 addresses for your VPN tunnel CLISH commands. It'll be 169.254.xxx.yyy
Then add a static route for the remote LAN behind the AWS gateways. In your security policy, you'll use VPN directional matches for traffic to/from the AWS VPN domain. In the community, you'll have DPD with Permanent Tunnels.
With this setup, I see in my VPN debug the "DPD_R_U_THERE" and "DPD_ACK" IKE messages. This is on R80.30, too.
As weird as it seems, the AWS template had the perfect config for it. I was surprised. 🙂
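The gateway-side part of the route-based setup Duane describes above, as an added example that is not from the original thread or from the AWS template. It shows the Gaia clish commands for two numbered VTIs (one per AWS tunnel endpoint) plus static routes with priorities so that one tunnel is active and the other is the backup, which goes slightly beyond the post's single-route description to cover the Primary - Backup goal of the original question. All addresses, the VPC CIDR and the peer object names are assumptions: the 169.254.x.y inside-tunnel addresses come from the downloaded AWS template, and the peer names must match the interoperable device objects in SmartConsole exactly. The SmartConsole side (empty VPN domain group on the interoperable object, Permanent Tunnels with DPD in the community, directional match rules) is not shown here. As noted later in the thread, `add vpn tunnel` is not available in VSX before R81, so this applies to a non-VSX gateway on R80.x or to VSX on R81 and later.

```clish
# Added example (not from the original thread): route-based VPN to AWS with
# two numbered VTIs on a Gaia Security Gateway.
#
# ASSUMED VALUES - replace with what your AWS template and SmartConsole use:
#   169.254.10.1 / 169.254.10.2   inside tunnel addresses, tunnel 1 (our side / AWS side)
#   169.254.20.1 / 169.254.20.2   inside tunnel addresses, tunnel 2 (our side / AWS side)
#   AWS_VPN_Tunnel1, AWS_VPN_Tunnel2   interoperable device objects, one per AWS outside IP
#   10.0.0.0/16                   VPC CIDR behind the AWS virtual private gateway

# One numbered VTI per AWS tunnel. "local" is our end of the 169.254 link,
# "remote" is the AWS end, "peer" is the SmartConsole object name.
add vpn tunnel 1 type numbered local 169.254.10.1 remote 169.254.10.2 peer AWS_VPN_Tunnel1
add vpn tunnel 2 type numbered local 169.254.20.1 remote 169.254.20.2 peer AWS_VPN_Tunnel2

set interface vpnt1 state on
set interface vpnt2 state on

# Two static routes to the VPC, one through each VTI. The lower priority value
# is preferred, so tunnel 1 carries traffic and tunnel 2 is the backup. Failover
# relies on the VTI going down when the tunnel fails, which is why the community
# needs Permanent Tunnels with DPD as described in the post above.
set static-route 10.0.0.0/16 nexthop gateway address 169.254.10.2 priority 1 on
set static-route 10.0.0.0/16 nexthop gateway address 169.254.20.2 priority 2 on

save config

# Checks: the VTIs exist and are up, and the VPC route points at the active VTI.
show vpn tunnels
show interface vpnt1
show interface vpnt2
show route static
```

With both routes installed, only the priority-1 route is used while vpnt1 is up; if you want both tunnels to carry traffic instead, give the routes the same priority, but AWS documents its VPN as active/passive per connection, so the backup-route form above matches the Primary - Backup design the original poster is after.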
Hi Duane, we have already done all of the above but with Domain-based VPN.
Unfortunately we have to upgrade to R81 or higher in order to make this configuration stable for our VSX environment.
Hi,
VTI is supported on R80.X.
And yes, AWS VPNs are normally configured with VTI + Routing.
Hi Juan,
Based on the SK below (sk79700), for VSX environments the VTI feature is supported from R81 and later.
VSX supported features (checkpoint.com)
I believe the only solution is to upgrade my gateways to R81.10 and configure the specific Site-to-Site VPN community with VTI and Routed Mode.
Oh. VSX. Yeah that's different. 😞 "add vpn tunnel" is not a CLISH command in VSX (as of R80.40). You'll need R81+ indeed.