Luigi_Vezzoso1
Collaborator

IPSec VPN between CP1430 and CP3200 drops randomly

Hi Mates,

I have a lot of issues with a complex architecture composed of a couple of CP3200 gateways (in a ClusterXL configuration) connected via VPN to many (#40) remote CP1430 gateways. Other notes: the remote gateways are behind a layer-3 NAT device; the provider router NATs all necessary ports to the gateway's external IP. In addition, the remote gateways have two ISP connections.

The remote gateways are defined in the management as externally managed gateways (they are managed from the local WebUI).

The VPNs are fine and we can establish the tunnels correctly, but we face random tunnel disruptions, and the tunnels do not always come up again automatically in a short time...

How can we debug these random disruptions?
We have already configured permanent tunnels and tunnel test.
What parameter/variable can cause the service disruption?


Best Regards

19 Replies
Danny
Champion

How to debug VPN issues on Security Gateway 80 / 600 / 700 / 1100 / 1200R / 1400 appliances

How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?

How to generate a valid VPN debug, IKE debug and FW Monitor

Debugging Site-to-Site VPN

Are you using R80.10 with the included Multi-Core VPN hotfix?

Are you using HA or LS ClusterXL mode?

Why did you decide to locally manage the 1400 appliances?

Are you using certificate based VPN or pre-shared key?

Which 1400 firmware are you using?

Does the external IP address of the NAT gateway change or is it static?

How are the 1400 appliances configured in SmartDashboard (Dynamic IP or static)?

In general, what you experience is very typical for SMB appliances behind NAT devices trying to mimic permanent functionalities as if they were enterprise firewalls, which they are not. Try to get the external IP address onto the 1400's WAN interfaces and you'll experience much better VPN stability.

Luigi_Vezzoso1
Collaborator

Hi,

  • we still use R77.30 on the HQ and R77.20.80 (990172392) on the remote sites
  • the remote sites are standalone appliances!! Only the HQ is in ClusterXL
  • we are using local management on the remote sites because we had some issues managing them centrally from their external public IPs
  • the VPNs are made using pre-shared keys
  • external router IPs are static
  • in SmartDashboard the 1400 appliances are configured as static with multiple internet links

Best regards

0 Kudos
G_W_Albrecht
Legend

Managing the 1430 remote gateways locally weakens them a lot, so to speak - this is not a good decision, and buying 730s instead would also have been half the price...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator

Hi,

Why are you saying that using local management weakens them a lot? Can you elaborate a bit more?

Best Regards

0 Kudos
G_W_Albrecht
Legend

Yes - you have a lot of them, some examples:

- very limited rulebase (compared to Dashboard)

- no granular IPS configuration is possible (the same is true of other TP config details)

- no 'bypass' or 'whitelist' rules for https inspection

- no Inbound HTTPS Inspection

- no MEP is possible

- limitations on the number of S2S tunnels

And yes, you pay double the price for the same features...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luigi_Vezzoso1
Collaborator

tks. 

0 Kudos
G_W_Albrecht
Legend

Another fact is that 14x0 SMBs managed by a CP SMS are using two processor cores, but if managed locally, only one core is used.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator

Why does the management mode have an impact on the core usage? Where can I find this kind of information/limitation in the Check Point documentation?

0 Kudos
Jerry
Mentor

touch $FWDIR/conf/masters

vi $FWDIR/conf/masters

[Policy]
SMS1 (in case there are 2?)
SMS2

[Log]
LOG1 (Log server or SMS IP?)
LOG2

[Alert]
SMS1 etc.

[Backup]
SMS1 etc.

cat $FWDIR/conf/masters

chattr +i $FWDIR/conf/masters
or chattr -i $FWDIR/conf/masters

Have you got that set on your remote gateway(s)?

Jerry
0 Kudos
Luigi_Vezzoso1
Collaborator

Hi,

I think those settings are used only for centrally managed gateways. Aren't they?

0 Kudos
Jerry
Mentor

Correct, sorry if I misled you. Yes, you're right.

Jerry
0 Kudos
G_W_Albrecht
Legend

Are the remote GWs at least logging to the central SMS? Then you could see logs that point to the reason for the issue. Debugs are difficult if the issue only appears randomly and cannot be replicated in a short time span.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator

Other useful information.... in the IKE debug I found:

Vendor ID Payload

Next Payload: NONE
Reserved: 0
Length: 00 14 (20)

VID Data:
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2
d3

Vendor: FRAGMENTATION

Anyone know what this message is?

tks

0 Kudos
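The Vendor ID payload quoted above can be decoded mechanically. The following is an added example (not from the thread, Check Point, or any of the posters): it parses the ISAKMP generic payload header (RFC 2408) plus the VID bytes as they appear in the debug output, and matches the VID against a small table of well-known identifiers, most of which are defined as the MD5 of an ASCII string. A FRAGMENTATION VID is a capability announcement that the peer supports IKE fragmentation, not an error; the byte string and table entries used here are the assumed inputs.

```python
import hashlib
import struct

# Well-known IKEv1 Vendor IDs. Most are the MD5 digest of an ASCII string,
# so the table is built from the strings; DPD uses a fixed literal value.
KNOWN_VIDS = {
    hashlib.md5(b"FRAGMENTATION").digest(): "FRAGMENTATION",            # IKE fragmentation support
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947 NAT-Traversal",        # NAT-T per RFC 3947
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "Dead Peer Detection",  # RFC 3706 DPD
}

# ISAKMP payload type numbers relevant to a VID exchange (RFC 2408 / RFC 3947).
NEXT_PAYLOAD_NAMES = {0: "NONE", 13: "Vendor ID", 20: "NAT-D"}

# Constructed from the bytes quoted in the post: next payload 0 (NONE),
# reserved 0, length 0x0014 (20), then the 16 VID data bytes.
SAMPLE_PAYLOAD = bytes.fromhex(
    "00 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3"
)


def parse_vendor_id_payload(raw: bytes) -> dict:
    """Parse one generic payload header followed by Vendor ID data.

    Header layout: next payload (1 byte), reserved (1 byte),
    payload length (2 bytes, big-endian, header included).
    """
    if len(raw) < 4:
        raise ValueError("payload shorter than the 4-byte generic header")
    next_payload, reserved, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"bad payload length {length} for {len(raw)} bytes")
    if reserved != 0:
        raise ValueError("reserved byte must be zero")
    vid = raw[4:length]
    # Prefix match tolerates implementations that append capability
    # flags to a known 16-byte VID.
    vendor = next((name for known, name in KNOWN_VIDS.items()
                   if vid.startswith(known)), "unknown")
    return {
        "next_payload": NEXT_PAYLOAD_NAMES.get(next_payload, str(next_payload)),
        "length": length,
        "vid_hex": vid.hex(),
        "vendor": vendor,
    }


if __name__ == "__main__":
    print(parse_vendor_id_payload(SAMPLE_PAYLOAD))
```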
G_W_Albrecht
Legend

Sorry, no idea.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator

Just to be sure:

How should I define the externally managed object in SmartDashboard? Should I put the public IP or the private (WAN) IP in the "General" field of the object?

How is the tunnel test impacted by the object definition?

0 Kudos
G_W_Albrecht
Legend

This can all be found in Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.80.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator

I have configured them as locally managed..... and I configured them in SmartDashboard as externally managed Check Point gateways....

0 Kudos
G_W_Albrecht
Legend

Sorry, but I cannot understand that - paying for a centrally managed device and using it as a crippled locally managed one...

Some of the differences managed/unmanaged are listed in sk105380 Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 Appliance Features and Known Limi....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
MartinZ
Contributor

@Luigi_Vezzoso1 we are seeing the same issue. Did you ever resolve this?

0 Kudos