This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marcel_Gramalla
Advisor
‎2019-03-21 02:13 AM
Jump to solution

Check Point DPD (Dead Peer Detection) - Questions

Hi all,

I have two questions regarding the Dead Peer Detection between our Check Point Cluster and other existing VPN connections to non-Check Point Gateways.

1. Does enabling DPD (Responder Mode) has any impact on existing VPN connections? Can I enable it "on-the-fly" without having any disconnects to the VPN? I haven't found an answer on that yet.

2. If I change a VPN community with non-Check Point Gateways to "Permanent Tunnels" in order to active DPD with GuiDBedit does this have any impact on existing connections?

 

Thanks in advance for any help

0 Kudos
1 Solution

Accepted Solutions
Nick_Doropoulos
Advisor
‎2019-10-08 02:57 AM
In response to Ravindra_Katrag
Jump to solution

Yes, there is. You can check with the GuiDBedit tool under Network Objects >> network_objects:

 

DPD.PNG

 

I hope this helps.

View solution in original post

13 Replies
Jerry
Mentor
Mentor
‎2019-03-21 02:17 AM
Jump to solution

quickly though:

Ad.1 - it will re-estab SA/SPI indeed
Ad.2. - it will re-estab the tunnel

ps. any changes to the proxy-id or any crypt.conf params will re-key and re-estab SA/SPI
Jerry
Marcel_Gramalla
Advisor
‎2019-03-21 02:33 AM
In response to Jerry
Jump to solution

Thanks for the quick reply. That means that we have to announce it so that if there is any issue our partners know about it.
Jerry
Mentor
Mentor
‎2019-03-21 02:41 AM
In response to Marcel_Gramalla
Jump to solution

it will in 100% impact/affect an existing tunnel(s) so yes, that should be announced and planed for so called "maintenance window" 🙂

cheers
Jerry
Ravindra_Katrag
Contributor
‎2019-09-11 09:07 AM
In response to Jerry
Jump to solution

Is there any way to check if DPD is enabled?

0 Kudos
Nick_Doropoulos
Advisor
‎2019-10-08 02:57 AM
In response to Ravindra_Katrag
Jump to solution

Yes, there is. You can check with the GuiDBedit tool under Network Objects >> network_objects:

 

DPD.PNG

 

I hope this helps.

Ravindra_Katrag
Contributor
‎2019-10-31 07:48 AM
In response to Nick_Doropoulos
Jump to solution

Thank you

0 Kudos
Nick_Doropoulos
Advisor
‎2019-11-04 06:54 AM
In response to Ravindra_Katrag
Jump to solution

My pleasure!

0 Kudos
nagaraja_cs
Contributor
‎2019-11-05 04:14 AM
In response to Nick_Doropoulos
Jump to solution

Can we achieve VPN redundancy with 3rd party Gateways by enabling DPD(In R80.10 or R80.20) ?

 

0 Kudos
Ted_Serreyn
Collaborator
‎2020-07-20 12:08 PM
Jump to solution

Can we enable Dead Peer detection on the third party devices only?  Or do we have to enable it on the checkpoint gateways also? My understanding is if enabled on the checkpoint gateways it affects all other VPNs?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-07-20 09:19 PM
In response to Ted_Serreyn
Jump to solution

You can set DPD per remote gateway via the tunnel_keepalive_method variable in GUIDBedit as described in this lengthy thread, you don't have to change this value for your Check Point gateway:

https://community.checkpoint.com/t5/Next-Generation-Firewall/Enable-DPD-on-R80-20/m-p/32605

Starting in R81 tunnel_keepalive_method will be set to DPD by default on all Interoperable Device object types.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Gavin
Explorer
‎2020-10-04 08:50 AM
In response to Timothy_Hall
Jump to solution

Do you know how to capture DPD packets in any way? I could see tunnel test in the logs, but seem to be missing how to spot DPD packets. I can't see them in TCPDUMP as they are encrypted. I would really appreciate some guidance on this. I am working on an AWS VPN issue where I think the tunnels are being shut down regularly and I would like to spot what is going on. I have a TAC case open but every time I ask the question they seem to swerve around it.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-04 09:25 AM
In response to Gavin
Jump to solution

fw monitor should show the packets as they are encrypted/decrypted.

0 Kudos
Hussien_Wahab
Employee
Employee
‎2023-01-16 03:25 AM
In response to Gavin
Jump to solution

Hussien_Wahab_0-1673868297596.png

AWS sends "isakmp-nat-keep-alive" packets that are outside the DPD tunnel health monitoring, please see the packets in red (the ones in blue are for the actual DPD that keeps the tunnel status up and alive)

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events