This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kobi_rudy
Explorer
‎2020-08-10 06:30 AM

Problem with VPN AMAZON(AWS) ​​CHECK POINT

I have several VPNs against AWS, it happens that at random the traffic falls and come back again .sometimes I have to install policy to make come back again 

it was with 5900 and 80.10 , and now again with a new 6700 and 80.40 

what  I see in the logs:

IKE_NAT_TRAVERSAL Traffic Dropped from aws to cp

"Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found"

and:

"Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"

 

any idea? cp tech are trying to resolve it for a long time

 

 

 

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-08-10 11:16 AM

Those messages indicate that the Check Point expired or otherwise removed an existing IPSec VPN tunnel, yet the AWS side still thinks it is up and is sending traffic which the Check Point cannot decrypt because the tunnel no longer exists.

I assume you have already seen this SK, as AWS will only allow 2 SPIs:

sk113561: VPN Tunnel to Amazon Web Services (AWS) is unstable

Assuming it is not that, make sure the Phase 1 and Phase 2 SA Lifetimes match *exactly* between the configuration on both sides.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Dale_Lobb
Advisor
‎2020-08-10 11:58 AM

We had a similar issue with Amazon AWS; it was fixed by setting the CheckPoint gateway to respond to DPD packets. 

Check for "DPD responder mode" in sk108600.  You have to turn it on via a ckp_regedit on each gateway of the checkpoint cluster.

 

0 Kudos
kobi_rudy
Explorer
‎2020-08-13 03:15 AM
In response to Dale_Lobb

when you change to "dpd responder mode" do you have to cpstop, cpstart ? did you leave the MTU on 1500 or it changed too?

 

 

0 Kudos
kobi_rudy
Explorer
‎2020-08-15 10:07 PM
In response to Dale_Lobb

cp tech said it wont help since we see on the debug files that we are getting "DPD Hello " from amazon, and cp answers "DPD Ack" but some times we don't get the "DPD Hello" from amazon and than the vpn get a reset  . amazon checked and say they are sending it- so its a mystery why cp does'nt get it ...

0 Kudos
Jung_Patrick
Participant
‎2021-10-18 02:08 AM

Hello, kobi.

Have you ever solved s2s vpn between AWS and CP?

I wonder.

 

 thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events