TINTIN8
Contributor

Identify VPN downtimes or re-establishments

Hi Gurus,

Is there any way to identify VPN disconnections/re-establishments looking at the log server logs?

 

Ex: we get logs like "Child SA exchange: Exchange failed: timeout reached," but we're not sure what the logs mean. Can we identify, looking at the logs, that the VPN tunnel went down "this" time and reconnected "this" time, etc.?

Our partners say your tunnel went down during a "time period," but we can't really check our logs and determine what happened to the VPN tunnel. Did it go down? What time did it re-establish?

Any help to clear this is highly appreciated.

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin

The only thing that generally can be found in logs is establishment (e.g. key install).

In R82, you can create monitoring objects that I presume will give you some indication when the VPN goes down. 


the_rock
Legend

I attached a short video of what @PhoneBoy was referring to, but keep in mind, this is ONLY available if the gateway is on R82.

Andy

9 Replies
the_rock
Legend

The best way I found to do this is look for "key install" in the logs.

Andy

0 Kudos
TINTIN8
Contributor

Thanks @the_rock. However, this doesn't tell me what time the tunnel went down. I can see the Key install when the VPN gets re-established, but it still won't tell me what time it went down/disconnected, or whether it was in some kind of idle state.

0 Kudos
the_rock
Legend

From my experience, whenever I would see those in the logs, it was a sure sign the tunnel was down or would get re-established.

I will double check in the lab tomorrow.

Andy

0 Kudos
TINTIN8
Contributor

Thank you so much @the_rock!!!

0 Kudos
the_rock
Legend

No problem.

0 Kudos
G_W_Albrecht
Legend

If you have enabled Permanent Tunnels, you see Key Install only after the tunnel was down or during renegotiation (controlled by the parameters you set).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Nüüül
Advisor

Do you have some kind of monitoring over your firewall? There is an SNMP OID for tunnel state, so you could use that.

oid 1.3.6.1.4.1.2620.500.9002
kind table

 

from snmp-mib (https://support.checkpoint.com/results/sk/sk90470)
    tunnelState OBJECT-TYPE
        SYNTAX  INTEGER {
                    active(3),
                    destroy(4),
                    idle(129),
                    phase1(130),
                    down(131),
                    init(132)
                }

For some reason my lab-gw sends tunnelstate as non-integer values (strings), but the value is the same:

 

 

0 Kudos
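One way to turn the SNMP suggestion above into "went down at / re-established at" timestamps, as an added example that is not part of the original posts or Check Point tooling. It assumes a poller has already collected (timestamp, peer, tunnelState) samples from the table; the sample data, peer names and function names are constructed, and treating every state other than active as "not up" is an assumption.

```python
from datetime import datetime

# tunnelState enumeration as quoted in the post above (MIB from sk90470).
TUNNEL_STATES = {3: "active", 4: "destroy", 129: "idle",
                 130: "phase1", 131: "down", 132: "init"}

def normalize_state(raw):
    """Map 3, "3", "active" or "active(3)" to the state name."""
    text = str(raw).strip().strip('"').lower()
    if "(" in text and text.endswith(")"):   # rendering such as "down(131)"
        text = text[text.index("(") + 1:-1]
    if text.isdecimal():
        return TUNNEL_STATES.get(int(text), f"unknown({text})")
    return text if text in TUNNEL_STATES.values() else f"unknown({text})"

def outage_windows(samples):
    """samples: (iso_timestamp, peer, raw_state) tuples in any order.
    Returns one dict per period in which a peer was not 'active'."""
    open_by_peer, last_active, windows = {}, {}, []
    ordered = sorted(samples, key=lambda s: datetime.fromisoformat(s[0]))
    for ts, peer, raw in ordered:
        state = normalize_state(raw)
        if state == "active":
            if peer in open_by_peer:          # tunnel is back: close the window
                open_by_peer.pop(peer)["recovered_at"] = ts
            last_active[peer] = ts
        elif peer not in open_by_peer:        # first non-active poll opens one
            window = {"peer": peer, "last_seen_active": last_active.get(peer),
                      "first_seen_not_active": ts, "state": state,
                      "recovered_at": None}
            open_by_peer[peer] = window
            windows.append(window)
    return windows

# Constructed samples (hypothetical peers, one poll per minute, mixed encodings).
SAMPLES = [
    ("2025-01-10T02:00:00", "partner-gw", 3),
    ("2025-01-10T02:01:00", "partner-gw", "131"),
    ("2025-01-10T02:02:00", "partner-gw", "phase1(130)"),
    ("2025-01-10T02:03:00", "partner-gw", "active"),
    ("2025-01-10T02:03:00", "branch-gw", 129),
]

if __name__ == "__main__":
    for w in outage_windows(SAMPLES):
        print(w)
```

The tunnel actually dropped somewhere between `last_seen_active` and `first_seen_not_active`, so the poll interval bounds how precisely an outage can be timed.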
