kobi_rudy
Explorer

Problem with VPN AMAZON (AWS) CHECK POINT

I have several VPNs against AWS; it happens that at random the traffic drops and comes back again. Sometimes I have to install policy to make it come back again.

It was with a 5900 and 80.10, and now again with a new 6700 and 80.40.

What I see in the logs:

IKE_NAT_TRAVERSAL Traffic Dropped from aws to cp

"Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found"

and:

"Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"

Any idea? CP tech have been trying to resolve it for a long time.

4 Replies
Timothy_Hall
Champion

Those messages indicate that the Check Point expired or otherwise removed an existing IPSec VPN tunnel, yet the AWS side still thinks it is up and is sending traffic which the Check Point cannot decrypt because the tunnel no longer exists.

I assume you have already seen this SK, as AWS will only allow 2 SPIs:

sk113561: VPN Tunnel to Amazon Web Services (AWS) is unstable

Assuming it is not that, make sure the Phase 1 and Phase 2 SA Lifetimes match *exactly* between the configuration on both sides.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
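The diagnosis above comes down to two checks: is the peer still sending on an SPI the gateway no longer holds, and do the two sides' SA lifetimes match exactly? The following triage helper is an added example, not code from the thread, Check Point, or AWS. The log lines are constructed to resemble the messages quoted in the question, the local SA table is invented, and the lifetime values are illustrative rather than vendor defaults.

```python
"""Triage helper for the 'Unknown SPI' symptom and the lifetime-mismatch check.

Added example (not Check Point or AWS code). The log format, SA table and
lifetime numbers below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Only the hex SPI varies in the message quoted in the thread.
UNKNOWN_SPI_RE = re.compile(
    r"Unknown SPI: (0x[0-9a-fA-F]+) for UDP encapsulated IPsec packet"
)

# Constructed sample log lines (not real gateway output).
SAMPLE_LOGS = [
    "12:00:01 IKE_NAT_TRAVERSAL Traffic Dropped from aws to cp",
    '12:00:01 "Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"',
    "12:00:05 accepted encrypted packet spi=0x1a2b3c4d",
    '12:00:09 "Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"',
    '12:00:12 "Unknown SPI: 0x00ff00ff for UDP encapsulated IPsec packet"',
]

# Constructed table of inbound SAs the local gateway currently holds,
# keyed by SPI (what you would compare against the gateway's live SA list).
LOCAL_INBOUND_SAS = {0x1A2B3C4D: "aws-tunnel-1"}


def unknown_spi_report(log_lines, local_sas):
    """Count, per SPI, packets the peer keeps sending on an SA we no longer hold.

    A steady stream of the same unknown SPI means the peer still believes
    that child SA is alive while this side has already deleted it.
    """
    counts = {}
    for line in log_lines:
        m = UNKNOWN_SPI_RE.search(line)
        if not m:
            continue
        spi = int(m.group(1), 16)
        if spi in local_sas:
            continue  # we do hold it; not the stale-SA pattern from the thread
        counts[spi] = counts.get(spi, 0) + 1
    return counts


@dataclass(frozen=True)
class SaLifetimes:
    """Phase 1 and Phase 2 lifetimes in seconds for one side of the tunnel."""
    phase1_seconds: int
    phase2_seconds: int


def minutes(m):
    """Convert a UI value given in minutes to seconds.

    Useful because one side may express Phase 1 lifetime in minutes and the
    other in seconds; comparing raw UI numbers hides a real mismatch.
    """
    return m * 60


def lifetime_mismatches(local, peer):
    """Return [(phase, local, peer)] for every phase whose lifetime differs.

    The advice in the thread is that both phases must match *exactly*, so any
    difference, however small, is reported.
    """
    problems = []
    if local.phase1_seconds != peer.phase1_seconds:
        problems.append(("phase1", local.phase1_seconds, peer.phase1_seconds))
    if local.phase2_seconds != peer.phase2_seconds:
        problems.append(("phase2", local.phase2_seconds, peer.phase2_seconds))
    return problems


if __name__ == "__main__":
    for spi, n in unknown_spi_report(SAMPLE_LOGS, LOCAL_INBOUND_SAS).items():
        print(f"peer still sending on stale SPI {spi:#010x}: {n} packets")
    # Illustrative values only: 1440 minutes on one side vs 28800 seconds on the other.
    local = SaLifetimes(phase1_seconds=minutes(1440), phase2_seconds=3600)
    peer = SaLifetimes(phase1_seconds=28800, phase2_seconds=3600)
    for phase, ours, theirs in lifetime_mismatches(local, peer):
        print(f"{phase} lifetime mismatch: local={ours}s peer={theirs}s")
```

Run it against exported gateway logs and the two configurations; a repeating unknown SPI together with a non-empty mismatch list points at the rekey-timing cause described above rather than at a transport problem.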
Dale_Lobb
Collaborator

We had a similar issue with Amazon AWS; it was fixed by setting the Check Point gateway to respond to DPD packets.

Check for "DPD responder mode" in sk108600. You have to turn it on via ckp_regedit on each gateway of the Check Point cluster.

kobi_rudy
Explorer

When you change to "DPD responder mode", do you have to cpstop/cpstart? Did you leave the MTU on 1500 or did it change too?

kobi_rudy
Explorer

CP tech said it won't help, since we see in the debug files that we are getting "DPD Hello" from Amazon and CP answers "DPD Ack", but sometimes we don't get the "DPD Hello" from Amazon and then the VPN gets a reset. Amazon checked and say they are sending it, so it's a mystery why CP doesn't get it...

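The disagreement in the last post (one side says the DPD hellos were sent, the other never sees them) is easier to settle from the receiver's own debug output. The script below is an added example, not the thread's or Check Point's ike debug format; the line layout, the peer address, the 10-second DPD interval and the sequence numbers are all constructed. DPD liveness messages do carry a sequence number, so a jump in the received sequence shows the peer generated hellos that never arrived, whereas a timing gap with consecutive sequence numbers shows the peer simply sent nothing in that window.

```python
"""Spot missing DPD hellos in a constructed IKE debug log.

Added example (not Check Point or AWS code). Line format, timestamps,
peer address and the assumed 10-second DPD interval are constructed.
"""
import re
from datetime import datetime

# Constructed debug lines: two hellos are missing between 12:00:10 and 12:00:40.
SAMPLE_DEBUG = [
    "12:00:00 peer=203.0.113.10 recv DPD Hello seq=41",
    "12:00:00 peer=203.0.113.10 send DPD Ack seq=41",
    "12:00:10 peer=203.0.113.10 recv DPD Hello seq=42",
    "12:00:10 peer=203.0.113.10 send DPD Ack seq=42",
    "12:00:40 peer=203.0.113.10 recv DPD Hello seq=45",
    "12:00:40 peer=203.0.113.10 send DPD Ack seq=45",
]

# Assumed line shape: "<HH:MM:SS> ... recv DPD Hello seq=<n>".
HELLO_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) .*recv DPD Hello seq=(\d+)")


def received_hellos(lines):
    """Return [(timestamp, seq)] for every DPD hello the local side logged."""
    out = []
    for line in lines:
        m = HELLO_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M:%S"), int(m.group(2))))
    return out


def hello_gaps(lines, expected_interval_s=10, tolerance=1.5):
    """Return [(prev, next, gap_seconds)] where consecutive hellos are too far apart.

    A gap wider than tolerance * interval is the silence that precedes the
    tunnel reset described in the thread.
    """
    hellos = received_hellos(lines)
    gaps = []
    for (t_prev, _), (t_next, _) in zip(hellos, hellos[1:]):
        gap = (t_next - t_prev).total_seconds()
        if gap > expected_interval_s * tolerance:
            gaps.append((t_prev.strftime("%H:%M:%S"), t_next.strftime("%H:%M:%S"), gap))
    return gaps


def missing_sequences(lines):
    """Return sequence numbers the peer used but this side never logged.

    Non-empty means the peer did send hellos that were lost in transit or
    dropped before logging; empty with a timing gap means the peer paused.
    """
    seqs = [s for _, s in received_hellos(lines)]
    missing = []
    for a, b in zip(seqs, seqs[1:]):
        missing.extend(range(a + 1, b))
    return missing


if __name__ == "__main__":
    for prev, nxt, gap in hello_gaps(SAMPLE_DEBUG):
        print(f"no DPD hello between {prev} and {nxt} ({gap:.0f}s)")
    print("sequence numbers never received:", missing_sequences(SAMPLE_DEBUG))
```

Feed it the receiver-side debug from both gateways of the cluster, and compare the missing sequence numbers with what the peer reports having sent; that separates a sender that stopped from a path that is dropping the hellos.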