This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luigi_Vezzoso1
Collaborator
‎2018-08-30 01:30 AM

IPSec VPN between CP1430 e CP3200 Drops randomly

Hi Mates,

I have a lot of issue with a complex architecture composed by a couple of gateways CP3200 (in a clusterXL configuration) connected via VPN  to many CP1430 (#40) remote gateway CP1430. Other notes: the remote gateway are behind layer-3 NAT device. the provider router NAT all necessary ports to the gateway external IP. In addition the remote gateways have two ISP connection.

The remote gateway are defined into the management as external managed gateway (they are managed from the Local WebUI)

The VPNs are fine and we can establish correctly the tunnels but we face with randomically tunnel dustruption and not always the tunnels comes up automatically in short time...

How can we debug this random disruption?
We already configure the permanent tunnels and tunnel test
what parameter/variable can cause the service disruption?


Best Regards##

19 Replies
Danny
MVP Gold
MVP Gold
‎2018-08-30 01:51 AM

How to debug VPN issues on Security Gateway 80 / 600 / 700 / 1100 / 1200R / 1400 appliances

How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?

How to generate a valid VPN debug, IKE debug and FW Monitor

Debugging Site-to-Site VPN

Are you using R80.10 with the included Multi-Core VPN hotfix?

Are you using HA or LS ClusterXL mode?

Why did you decide to locally manage the 1400 appliances?

Are you using certificate based VPN or pre-shared key?

Which 1400 firmware are you using?

Does the external IP address of the NAT gateway change or is is static?

How are the 1400 appliances configured in SmartDashboard (Dynamic IP or static)?

I general what you experience is very typical for SMB appliances behind NAT devices trying to mimic permanent functionalities as if they were enterprise firewalls, which they are not. Try to get the external IP address onto the 1400's WAN interfaces and you'll experience much better VPN stabilities.

Luigi_Vezzoso1
Collaborator
‎2018-08-30 06:18 AM
In response to Danny

Hi,

  • we still use the R77.30 on the HQ and R77.20.80 (990172392) on the remote Site
  • the remote sites are standalone appliances!! Only the HQ is in ClusterXL
  • we are using Local Management on remote sites because we had some issue managing them centrally from their external public IPs.
  • the VPN are made using pre-shared key
  • external router IPs are static
  • in the SmartDashboard the 1400 appliances are configured in  as static with multiple internet links

Best regards

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-30 02:29 AM

Managing the 1430 remote gateways locally weakens them a lot, so to speak - this is not a good decision, and buying 730s instead would have also been half the price...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-08-30 06:20 AM
In response to G_W_Albrecht

Hi,

why are you saying that using local management weak them a lot? can you elaborate a bit more?

Best Regards

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-30 06:53 AM
In response to Luigi_Vezzoso1

Yes - you have a lot of them, some examples:

- very limited rulebase (compared to Dashboard)

- no granular IPS comfiguration is possible (same is true of other TP config details)

- no 'bypass' or 'whitelist' rules for https inspection

- no Inbound HTTPS Inspection

- no MEP is possible

- limitations on the number of S2S tunnels

And yes, you pay double the price for the same features...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luigi_Vezzoso1
Collaborator
‎2018-08-30 08:12 AM
In response to G_W_Albrecht

tks. 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-09-03 04:00 AM
In response to G_W_Albrecht

Another fact is that 14x0 SMBs managed by a CP SMS are using two processor cores, but if managed locally, only one core is used.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-09-06 05:58 AM
In response to G_W_Albrecht

? why the management mode has impact on the core usage? Where I can find those kind of information/limitation on checkpoint documentation?

0 Kudos
Jerry
Mentor
Mentor
‎2018-08-30 04:59 AM

touch $FWDIR/conf/masters

vi $FWDIR/conf/masters

[Policy]
SMS1 (in case there are  2?)
SMS2

[Log]
LOG1 (Log server or SMS IP?)

LOG2

[Alert]
SMS1 etc.

[Backup]
SMS1 etc

cat $FWDIR/conf/masters

chattr +i $FWDIR/conf/masters
or chattr -i $FWDIR/conf/masters

have you got that set on your Remote Gateway(s) ?

Jerry
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-08-30 06:21 AM
In response to Jerry

Hi,

I thint those setting are used only for Central Managed gateways. Isn't it?

0 Kudos
Jerry
Mentor
Mentor
‎2018-08-30 06:35 AM
In response to Luigi_Vezzoso1

correct sorry if I misleaded you yes you’re right

Jerry
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-31 12:42 AM

Are the remote GWs at least logging to the central SMS ? Then you could see logs that point to the reason of the issue. Debugs are difficult if the issue only appears randomly and can not be replicated in a short time span.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-09-03 05:08 AM

Other usefull information.... on the IKE Debug I found:

Vendor ID Payload

Next Payload: NONE
Reserved: 0
Length: 00 14 (20)

VID Data:
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2
d3

Vendor: FRAGMENTATION

anyone know what is this message?

tks

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-09-06 06:18 AM
In response to Luigi_Vezzoso1

Sorry, no idea.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-09-06 05:50 AM

Just to be sure:

how I should define the external managed object on the smartdashboard? Should I put the PublicIP or the private (WAN) IP on the "General" field of the object?

Ho the tunneltest is impacted by the object definition?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-09-06 06:17 AM
In response to Luigi_Vezzoso1

This can all be found in Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.80.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2018-09-06 06:22 AM
In response to G_W_Albrecht

I have configured them Locally Managed..... and I configure them on smart dashboard as external managed checkpoint gateways....

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-09-06 06:50 AM
In response to Luigi_Vezzoso1

Sorry, but i can not understand that - paying for a centrally managed device and using it as a crippled locally managed one...

Some of the differences managed/unmanaged are listed in sk105380 Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 Appliance Features and Known Limi....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
MartinZ
Contributor
‎2020-07-01 08:46 AM
In response to G_W_Albrecht

@Luigi_Vezzoso1we are seeing the same issue. Did you ever resolve this?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events