@Duane_Toler 

Thank you for your feedback. As mentioned in the description, we are currently managing a Check Point cluster configured for High Availability (HA) with two members, so we are using Active-Standby mode, not Active-Active.

Thanks again for your assistance!

Can you make a quick diagram of your topology?  Depending on how you have interfaces configured and connected, this may (or may not) be part of your issue.  My suspicion is that you are losing path reachability, or peer adjacency, during a failover and you need to use something like BGP between your gateways and ISP routers.  A quick diagram will help answer that with more certainty.

this is a quick diagramm of the cluster

This indicates your firewall external interfaces are directly-connected to their own ISP router.  This will break ClusterXL across the external interfaces.  Do you have a switch that is connecting the eth0 interfaces together, along with the router interior interfaces?

This is correct, the firewalls are directly connected to the ISP Routers, and that is also what i wanted to know, a best practice for this kind of setup where we have no switch between the ISP Routers and the firewalls.

So this means you did not configure your eth0 as a "cluster" interface type?  This is why you are having issues.  Add a switch between the firewalls and routers so everything is on the same layer2 segment.  One of your interface IPs will have to change as well as one of the ISP router interior interfaces.  If you have 2 /30 segments, then your ISP needs to assign you a single /29 for all of them.  Define eth0 as cluster type and give it a VIP.

If you're in need of BGP, then have the ISP routers peer with the cluster VIP, not each individual member.  However, each of your cluster members will need to peer with each ISP router.

Important items to include with BGP:

1. BOTH cluster members MUST be the same router-id (the cluster is presenting as the RID)

2. BOTH cluster members MUST be the same BGP ASN (the cluster is presenting as the ASN)

3. BOTH cluster members MUST have the same routemap configuration (same routing policies)

Thank you for your detailed response and questions. Here are the specifics based on your queries:

• The Site-to-Site VPN stops working immediately, even if I run cpstop on the standby member, so it does not appear to be directly related to the cluster joining after a reboot.

To answer your questions:

1. We are using IKEv1. This is a Site-to-Site VPN between two Check Point clusters, both managed by the same management server.

2. No, installing the policy (even a full install) does not affect the VPN; the connections remain stable during policy installations.

3. Yes, the checkbox "keep_IKE_SAs" is checked under Global Properties > Advanced > Configure > VPN Advanced Properties > VPN IKE Properties.

4. Collecting logs has been challenging because these are both production environments. When the issue occurs, I usually need to apply the workaround immediately (vpn tu) to restore the connection, so I haven’t been able to capture logs during the failure. I will try to arrange a maintenance window, run VPN debug, and replicate the issue to gather more detailed logs.

I appreciate your assistance and will look into arranging the debug session to provide more insights.

Thanks again for your help!

I don't have an answer, i just want to say i have the same issue and have for years across multiple versions.  Environment is 8 locations, each with an active\standby cluster and all locations belong to the same "meshed" VPN community - all are currently r81.20 on the latest HFA.  We've just built the vpn tu \ 0 into all maint operations that require either the transfer of active\standby roles, or the reboot of the standby.

A perfect example of this issue:  Let's say I'm going to apply an HFA to the standby member - start the HFA, when that HFA install gets to ~16% complete, something triggers in the install process, probably a cpstop, which causes all the tunnels on the ACTIVE member to go down.  An immediate vpn tu\0 brings those tunnels immediately back up.  

It also happens often when we do simple role changes with the clusterXL_admin command.

So...if you ever get a resolution to this issue, please post back here.

thanks

do you have a similar topology as i posted in the comments before? are your cluster members also directly connected to the ISP Routers?

not really.  In our case, both gateways are directly connected to the same L2 chassis switch.  Our ISP delivers their fiber circuit via the LEC's fiber, so we have a ciena ethernet delivery switch on prem which is directly connected to the same L2 switch as the gateways. The ISP routers could be as far as 20-30 miles away from our facility.

These issues often are due to underlying layer2 configurations (usually STP issues) and/or lack of layer3 routing or peering with upstream devices.  I've seen delayed routing convergence when using VRRP for clustering.

For layer2, you'll need to use either stacked switches (shared control planes) to avoid STP blocked ports.  Interconnecting two switches is inviting trouble (STP).  I never suggest this scenario (unless you have a LAN-based stacking such as Cisco StackWise Virtual or Arista's virtual MLAG).

For layer3, the 3rd party BGP peer should be peering with the cluster's VIP, not individual members.  This WILL cause convergence delay.  Peering with the VIP will ensure ClusterXL is synchronizing the FIB between members (CXL runs a FIBMGR process for this purpose).

During failover and routing re-convergence, the standby member first converts all FIB routes to "Kernel Remnant" routes (routing code K) until convergence is complete. Once convergence completes, the routes return to their original routing code for the appropriate routing protocol.

If you're using multicast mode, then you may run into issues with the peer layer3 devices that don't work with a unicast IP mapped to a multicast MAC. The default and preferred cluster mode is Unicast anyway for this reason.

Hopefully one of these items helps with your issues.

Sounds a lot like the following, although this was supposed to be fixed a long time ago:

sk170055: Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cl...

The SK has precious few details about the cause, but does mention sending of Tunnel Test packets.  @D_TK do you have Permanent Tunnels set?  If so it might be interesting to disable it and see if that changes the behavior.

Thanks Tim - that SK looks right on point regarding the instances when it happens during patching or rebooting the standby.  I'll disable perm tunnels and push the next time we enter a patch window which will hopefully be soon as i'd lke to get take 79 installed before we hit lock down.  thanks

Let us know how it goes @D_TK.  You may want your Check Point SE to take a look at that SK's hidden notes to ensure Permanent Tunnels is actually the culprit, what I posted was just an educated guess.

Thank you for pointing that out. Our cluster is currently running R81.20 with JHF Take 70, which is higher than the fix mentioned in SK170055. According to the SK, this issue was resolved in R81.20 starting from Take 43, so our environment should already include the fix.

We have had the "Permanent Tunnel" setting enabled in our configuration. I disabled it and tested again, but unfortunately, the VPN still goes down when running cpstop on the standby member. This behavior persists, so it doesn’t seem directly related to the issue described in the SK.

Thanks for your suggestion—this does seem like a similar issue, but based on the information and testing, it doesn’t appear to be the exact cause of our problem.

Appreciate your help

As I said in my other reply, there may be hidden notes for that SK that may be helpful since this issue looks so similar.  Your Check Point SE should be able to get access to those notes.