Enable DPD on R80.20
Hi everyone,
I have recently upgraded from R77.30 to R80.20 and I am new to R80.20. I have 20 IPsec tunnels terminated on my cluster firewalls, and here is my question:
1- There is an issue on one IPsec tunnel with a 3rd party and I need to enable DPD mode (the tunnel is not permanent), so if I enable DPD mode, is there any impact on the other tunnels?
Here is the tunnel config:
IKEv1
Phase 1
AES-256
SHA-256
DH: Group 5
Renegotiate IKE security associations every 1440 minutes
I would appreciate it if someone could assist me in resolving the issue.
If I understand the documentation correctly, you can only use one monitoring method (DPD or Tunnel Test) per gateway.
Hi Dameon,
As far as I know, DPD is not enabled on the gateways and Keep_IKE_SAs is not checked, so what do you suggest?
DPD is not enabled by default, that much I know.
I'll have to confirm my understanding with R&D.
You may also want to check with the TAC as well.
Hi Dameon,
Do you have any update from your R&D team? If I enable DPD, does it have any impact on the existing IPsec tunnels?
To clarify, the setting controls the method the given gateway can be probed by (Tunnel Test or DPD).
A given gateway can be probed by one or the other, not both.
If you configure the remote gateway object to use DPD and the others in the community remain set to Tunnel Test, your gateway will probe the remote gateway with DPD and the others will use Tunnel Test.
Which I think is what you're after.
Thanks Dameon for your reply.
So in this case, are the following steps correct?
1- Enable "keep_IKE_SAs" from SmartDashboard, Global Properties, Advanced VPN configuration, and then push the policy.
2- Back up the Check Point registry and set the DPD responder key:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
[Expert@HostName:0]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1
[Expert@HostName:0]# cpstop ; cpstart
Or is just step 1 enough?
I believe you need to do both.
That's in addition to setting the tunnel_keepalive_method property in the remote object to dpd, of course.
We have a similar issue in that our 3rd parties' remote gateways intermittently drop because our local peer (gateway) is apparently not responding to DPD requests.
None of our 3rd-party VPN peers are Check Point, so to enable our end to respond to DPD requests, do we need to edit the peer gateway object in GuiDBedit, and will this require a restart of just the Management station or of the gateway as well?
Thanks
This requires a policy installation on your gateway to take effect and does not require a restart of either the management or gateway.
What about enabling DPD responder mode only for a single gateway? We had the same intermittent issue where some 3rd-party VPNs (AWS mostly) drop because our gateway didn't respond to DPD within the last 30s. It looks like DPD responder mode can only be enabled globally and not on a per-peer basis.
Thanks
🙂
Yeah, I'm wondering about that, too. The Site to Site VPN guide isn't very clear on exactly what happens, but between that and sk108600, it looks like passive responder mode is universal. Does anyone else concur or know that to be true?
We also have an issue with an AWS cloud-based app that has gone down hard twice now in 90 days. Unfortunately, it's a critical app for our business. The provider's VPN support is blaming the fact that we do not have Dead Peer Detection turned on. It looks like a small glitch in connectivity causes the darn AWS VPN gateway to start DPD detection, and once it does, it's a slow downward spiral over a couple of hours with more and more SAs being deleted until it finally deletes the IKE keys and shuts up. Once that happens, the AWS gateway has to be reset to restore connectivity.
In talking with my Cisco-based peers, it seems that they pretty much automatically enable DPD when configuring a VPN. I think they call it "IKE Keepalives". This might explain some mysterious behavior I've seen over the years when working with Cisco interoperable devices.
Anyway, does anyone know of any gotchas when enabling DPD in either passive or active mode?
And what's with all this hidden configuration stuff? One has to use the registry and edit the database directly using GuiDBedit or dbedit to set the parameters? That sucks because it's not transparent to future admins.
For a permanent tunnel the default mode is "tunnel_test" (Check Point proprietary). With GuiDBedit or dbedit you can change the mode to either 'dpd' (active DPD) or 'passive' (passive DPD).
Hmmm. Both sk108600 and the Site to Site VPN Admin Guide only talk about using ckp_regedit on the gateway to enable DPD responder mode, and no other requirements are listed. That makes it sound like DPD responder mode is universal. If it still requires a special community and a per-gateway dbedit change to activate, as is mentioned for DPD active mode for permanent tunnels, then that requirement is not apparent from the way the documentation is written. Perhaps the docs need to be updated?
Which I assume is similar to "IKE Keepalives" on Cisco.
Hi Kamiar,
Is it a Cisco device at the remote site?
I have had similar issues but did not end up enabling DPD.
Instead we changed the rekey time.
IKE policy
AES256
SHA
DH Group 5
Rekey 60 min (3600 sec)
IPsec policy
AES256
SHA
DH Group 5 (PFS enabled)
Rekey 3600 sec
This has been running stable ever since with 3rd-party equipment like the Cisco ASA 5505 and ASA 5506-X.
Kim
On our side this occurs with all non-Check Point VPN remote gateways. All of them are saying the same thing: we normally respond to "DPD are you there" messages, but sometimes we stop responding, and then all 3rd-party tunnels go down at the same time.
That being said, last week we enabled keep_ike_sa in our global configuration following a recommendation from Check Point support. That change did reduce the duration of the issue, but it didn't help with the frequency of those outages.
It looks like we still stop responding to "DPD are you there" messages, although most of the time we do answer them. That still causes us issues... We followed sk100726 for tunnel creation with AWS. We put tunnel_keepalive_method = dpd in GuiDBedit for the relevant gateway. We followed sk108600 to enable keep_ike_sa, which reduced the outage length. But we are still having issues.
I'm wondering whether enabling DPD responder mode (ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1) will help... but I'm not sure, since we are already responding to DPD... just not always... which makes the tunnel flap.
Thanks!
The DPD mode should be enabled on the gateway which you want to be tested with DPD.
So, in your case DPD should be enabled on the Cisco device object (in GuiDBedit), which means that all the tunnels to this Cisco device would be monitored with DPD. Other tunnels from your Check Point device should not be affected, as there should be no change on the Check Point object. This also requires a permanent tunnel to be defined between Check Point and Cisco.
If you do not want to define a permanent tunnel with the peer, you can use the forceSendDPDPayload parameter in order to force our gateway to declare DPD support. It is important to mention that this doesn't mean that we will send DPD; it only means that we will declare our support of DPD, and the peer will be able to send DPD packets to us and we will reply to them.
Regarding keep_IKE_SAs - we recommend enabling it regardless of DPD. It should only be disabled if it is a security requirement in your organization to clear all the tunnels on policy installation. We are even considering changing the default of this setting to true in future versions.
As part of this discussion we are going to review our decisions regarding DPD declaration, proposal and usage to see if default values can be changed to get better usability with 3rd parties, including public cloud vendors.
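The exchange described in this thread (a peer that advertises DPD support, an "are you there" probe, the ack it expects, and the tunnel being torn down when acks stop), as an added example that is not part of the original posts or of any Check Point code. It builds the IKEv1 DPD notify payloads byte-for-byte as RFC 3706 specifies (Vendor ID hash, R-U-THERE 36136, R-U-THERE-ACK 36137, the 16-byte cookie pair as SPI, a 32-bit sequence number) and drives a small initiator/responder model through the three cases the posts describe: a gateway that never advertised DPD and is therefore never probed, one that answers every probe, and one that intermittently goes quiet and gets declared dead. The class and function names, the cookies, and the three-missed-probes threshold are assumptions for illustration; real gateways run this on an idle timer with retransmissions, which the model collapses into one probe per cycle.

```python
"""Minimal model of IKEv1 Dead Peer Detection (RFC 3706).

Added example: not code from the CheckMates thread or from Check Point.
Cookies, sequence numbers and the miss threshold are constructed test data.
"""
import struct
from typing import Callable, List, Optional

# Constants from RFC 3706 and the IPsec DOI (not assumptions).
DPD_VENDOR_ID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # hash of "DPD" + version 1.0
R_U_THERE = 36136
R_U_THERE_ACK = 36137
IPSEC_DOI = 1
PROTO_ISAKMP = 1
NOTIFY_HDR = "!BBHIBBH"  # next payload, reserved, length, DOI, protocol, SPI size, notify type


def encode_dpd_notify(msg_type: int, icookie: bytes, rcookie: bytes, seq: int) -> bytes:
    """Build a DPD Notify payload: the SPI is the 16-byte ISAKMP cookie pair and
    the notification data is the 32-bit sequence number (RFC 3706 section 5.2)."""
    if len(icookie) != 8 or len(rcookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    spi = icookie + rcookie
    data = struct.pack("!I", seq)
    length = struct.calcsize(NOTIFY_HDR) + len(spi) + len(data)
    return struct.pack(NOTIFY_HDR, 0, 0, length, IPSEC_DOI, PROTO_ISAKMP, len(spi), msg_type) + spi + data


def decode_dpd_notify(buf: bytes):
    """Parse a DPD Notify payload and reject anything that is not a well-formed one."""
    hdr = struct.calcsize(NOTIFY_HDR)
    if len(buf) < hdr:
        raise ValueError("short notify payload")
    _next, _res, length, doi, proto, spi_size, msg_type = struct.unpack_from(NOTIFY_HDR, buf, 0)
    if length != len(buf) or doi != IPSEC_DOI or proto != PROTO_ISAKMP or spi_size != 16:
        raise ValueError("not an ISAKMP DPD notify")
    if msg_type not in (R_U_THERE, R_U_THERE_ACK) or length != hdr + spi_size + 4:
        raise ValueError("unexpected DPD message")
    spi = buf[hdr:hdr + spi_size]
    (seq,) = struct.unpack_from("!I", buf, hdr + spi_size)
    return msg_type, spi, seq


class Responder:
    """The side being probed.  It is only probed if it advertised the DPD Vendor
    ID in phase 1; `answer` decides whether a given R-U-THERE gets a reply, which
    models a gateway that sometimes stops responding.  (Assumed name/shape.)"""

    def __init__(self, declares_dpd: bool = True, answer: Callable[[int], bool] = lambda seq: True):
        self.vendor_ids = [DPD_VENDOR_ID] if declares_dpd else []
        self.answer = answer
        self.last_seq: Optional[int] = None

    def handle(self, payload: bytes) -> Optional[bytes]:
        msg_type, spi, seq = decode_dpd_notify(payload)
        if msg_type != R_U_THERE:
            return None
        # Sequence numbers must increase; a repeat is treated as a replay and ignored.
        if self.last_seq is not None and seq <= self.last_seq:
            return None
        self.last_seq = seq
        if not self.answer(seq):
            return None
        return encode_dpd_notify(R_U_THERE_ACK, spi[:8], spi[8:], seq)


class Initiator:
    """The probing side: sends R-U-THERE each cycle and declares the peer dead
    after `max_missed` probes without a matching ack.  (Assumed name/shape.)"""

    def __init__(self, icookie: bytes, rcookie: bytes, max_missed: int = 3):
        self.icookie, self.rcookie = icookie, rcookie
        self.max_missed = max_missed
        self.seq = 0
        self.missed = 0
        self.peer_dead = False
        self.trace: List[str] = []

    def probe(self, peer: Responder) -> str:
        if DPD_VENDOR_ID not in peer.vendor_ids:
            self.trace.append("skip: peer did not advertise DPD")
            return "no-dpd"
        self.seq += 1
        ack = peer.handle(encode_dpd_notify(R_U_THERE, self.icookie, self.rcookie, self.seq))
        if ack is not None:
            msg_type, spi, seq = decode_dpd_notify(ack)
            if msg_type == R_U_THERE_ACK and spi == self.icookie + self.rcookie and seq == self.seq:
                self.missed = 0
                self.trace.append(f"seq {self.seq}: ack")
                return "alive"
        self.missed += 1
        self.trace.append(f"seq {self.seq}: no ack ({self.missed}/{self.max_missed})")
        if self.missed >= self.max_missed:
            self.peer_dead = True  # a real gateway now deletes the IKE and IPsec SAs
            return "dead"
        return "missed"


def run_dpd(peer: Responder, probes: int, max_missed: int = 3) -> Initiator:
    """Drive up to `probes` DPD cycles against `peer` and return the initiator state."""
    init = Initiator(b"\x11" * 8, b"\x22" * 8, max_missed)  # constructed cookies
    for _ in range(probes):
        if init.probe(peer) in ("dead", "no-dpd"):
            break
    return init


if __name__ == "__main__":
    print(run_dpd(Responder(declares_dpd=False), 5).trace)
    print(run_dpd(Responder(), 5).trace)
    print(run_dpd(Responder(answer=lambda s: s % 2 == 0), 8).trace)  # never three misses in a row
    print(run_dpd(Responder(answer=lambda s: s < 4), 10).trace)      # goes quiet, declared dead
```

The first case is what forceSendDPDPayload changes: without the Vendor ID the peer has no reason to probe at all, so a gateway that merely fails to advertise DPD is never asked whether it is there. The last case is the flap described above, with one missed reply per cycle; a peer that answers only intermittently (third case) never reaches the threshold, so the ratio of dropped replies to the peer's miss limit is what decides whether a tunnel survives.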
Just a grain of salt: permanent tunnels are a nice-to-have thing that looks pretty good, but usually I just need the traffic flowing through the S2S VPN to work! If the VPN peers are not always helpful, you can always have a server at one site ping a server at the other site at regular intervals 😉
Thanks 🙂
Hi Bob,
I think that the best way would be to work with a permanent tunnel and DPD defined on the Cisco object.
Force send DPD is a temporary parameter and will be reworked.
We are already running a permanent tunnel with DPD defined on the object (keepalivemethod=dpd), and we are getting the result that we are having right now.
I'm trying to find a way to make it work properly.
Thanks
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We have already been with them for almost 2 months on this case and are still struggling with the issue. We've now just been sent to an escalation engineer; we'll see what happens.
Thanks
Hello,
So to enable DPD in a community, I only have to enable DPD in the object of the peer gateway and not on my Check Point security gateway?
That is correct!
Hi @bob81 ,
Would you please update us with the final conclusion of this issue (if you still remember it :))?
Our 3rd party uses a generic Linux server, CentOS 6.9, as the gateway.