CheckMates forum, Products > General Topics
Problem with VPN AMAZON(AWS) CHECK POINT
I have several VPNs to AWS. At random, the traffic drops and comes back again; sometimes I have to install policy to make it come back again.
It was with a 5900 and 80.10, and now again with a new 6700 and 80.40.
What I see in the logs:
IKE_NAT_TRAVERSAL Traffic Dropped from aws to cp
"Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found"
and:
"Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"
Any idea? CP tech have been trying to resolve it for a long time.

Those messages indicate that the Check Point expired or otherwise removed an existing IPSec VPN tunnel, yet the AWS side still thinks it is up and is sending traffic which the Check Point cannot decrypt because the tunnel no longer exists.
I assume you have already seen this SK, as AWS will only allow 2 SPIs:
sk113561: VPN Tunnel to Amazon Web Services (AWS) is unstable
Assuming it is not that, make sure the Phase 1 and Phase 2 SA Lifetimes match *exactly* between the configuration on both sides.
now available at maxpowerfirewalls.com
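For the two log messages quoted in the question and the lifetime check suggested in this reply, here is an added Python example (it is not from the thread and not Check Point code). The log lines are constructed to mirror the quoted messages in an assumed `time;src;dst;msg` layout, and the lifetime values compared at the end are illustrative assumptions, not anyone's real configuration. The script groups "Unknown SPI" events per peer to show a peer that keeps sending on SAs the gateway no longer holds, which is the tunnel-torn-down-on-one-side pattern described above, and then reports any Phase 1 / Phase 2 lifetime that differs between the two sides.

```python
"""Triage "Unknown SPI" drops per peer and compare IKE lifetimes.

Added example, not from the thread: the log lines below are constructed to
mirror the messages quoted in the question, in an assumed
"time;src;dst;msg" layout (not the real SmartLog export format).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed layout: time;src;dst;msg).
SAMPLE_LOG = """\
2021-03-01T10:00:05;203.0.113.10;198.51.100.1;Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet
2021-03-01T10:00:06;203.0.113.10;198.51.100.1;Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet
2021-03-01T10:00:09;203.0.113.10;198.51.100.1;Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found
2021-03-01T11:30:00;203.0.113.10;198.51.100.1;Unknown SPI: 0x1a2b3c4d for UDP encapsulated IPsec packet
2021-03-01T11:30:01;203.0.113.11;198.51.100.1;Unknown SPI: 0x5e6f7081 for UDP encapsulated IPsec packet
"""

UNKNOWN_SPI = re.compile(r"Unknown SPI: (0x[0-9a-fA-F]+)")


def parse_events(text):
    """Return a list of (timestamp, peer, spi) for every "Unknown SPI" line."""
    events = []
    for line in text.splitlines():
        ts, src, _dst, msg = line.split(";", 3)
        m = UNKNOWN_SPI.search(msg)
        if m:
            events.append((datetime.fromisoformat(ts), src, m.group(1).lower()))
    return events


def flapping_peers(events, window=timedelta(hours=2), min_spis=2):
    """Return {peer: [spis]} for peers with >= min_spis distinct unknown SPIs
    inside any `window`. Several different unknown SPIs from one peer means
    the peer has negotiated new SAs that this gateway then dropped, i.e. the
    tunnel keeps being torn down locally while the remote side believes it
    is still up.
    """
    by_peer = defaultdict(list)
    for ts, peer, spi in events:
        by_peer[peer].append((ts, spi))
    result = {}
    for peer, items in by_peer.items():
        items.sort()
        for ts, _ in items:
            spis = {s for t, s in items if ts <= t <= ts + window}
            if len(spis) >= min_spis:
                result[peer] = sorted(spis)
                break
    return result


def lifetime_mismatches(cp, aws):
    """Compare lifetime settings from both sides; any differing key is reported.
    The reply above asks for an *exact* match, so no tolerance is applied.
    """
    keys = set(cp) | set(aws)
    return {k: (cp.get(k), aws.get(k)) for k in keys if cp.get(k) != aws.get(k)}


if __name__ == "__main__":
    print(flapping_peers(parse_events(SAMPLE_LOG)))
    # Illustrative values (assumed), in seconds, for the two sides.
    cp_side = {"phase1_seconds": 86400, "phase2_seconds": 3600}
    aws_side = {"phase1_seconds": 28800, "phase2_seconds": 3600}
    print(lifetime_mismatches(cp_side, aws_side))
```

Run it against an exported log in the same four-field layout; a peer listed by `flapping_peers` is worth matching against the SA lifetimes before chasing anything else.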
We had a similar issue with Amazon AWS; it was fixed by setting the Check Point gateway to respond to DPD packets.
Check for "DPD responder mode" in sk108600. You have to turn it on via ckp_regedit on each gateway of the Check Point cluster.
When you change to "DPD responder mode", do you have to cpstop/cpstart? Did you leave the MTU at 1500, or did it change too?

CP tech said it won't help, since we see in the debug files that we are getting "DPD Hello" from Amazon, and CP answers "DPD Ack", but sometimes we don't get the "DPD Hello" from Amazon and then the VPN gets a reset. Amazon checked and say they are sending it, so it's a mystery why CP doesn't get it...
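To separate "the peer stopped sending DPD Hello" from "we stopped answering", here is an added Python example (not from the thread and not Check Point's vpnd debug tooling). The trace lines are constructed in an assumed `timestamp peer direction message` layout using the "DPD Hello" / "DPD Ack" names from this post; the 10-second Hello interval and the 3-interval tolerance are assumptions you would replace with the peer's real DPD settings. It reports gaps in inbound Hellos per peer, and separately any inbound Hello that this side did not acknowledge within a couple of seconds.

```python
"""Check DPD Hello/Ack pacing in a VPN debug trace.

Added example, not from the thread or from Check Point: trace lines are
constructed in an assumed "timestamp peer direction message" layout, not
the real vpnd debug format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed trace: Hellos every 10 s, then a 45 s silence from the peer.
DPD_TRACE = """\
2021-03-01T10:00:00 203.0.113.10 in DPD Hello
2021-03-01T10:00:00 203.0.113.10 out DPD Ack
2021-03-01T10:00:10 203.0.113.10 in DPD Hello
2021-03-01T10:00:10 203.0.113.10 out DPD Ack
2021-03-01T10:00:20 203.0.113.10 in DPD Hello
2021-03-01T10:00:20 203.0.113.10 out DPD Ack
2021-03-01T10:01:05 203.0.113.10 in DPD Hello
2021-03-01T10:01:05 203.0.113.10 out DPD Ack
"""


def parse_trace(text):
    """Return {peer: [(timestamp, direction, message), ...]} in file order."""
    by_peer = defaultdict(list)
    for line in text.splitlines():
        ts, peer, direction, msg = line.split(" ", 3)
        by_peer[peer].append((datetime.fromisoformat(ts), direction, msg))
    return by_peer


def hello_gaps(by_peer, expected_interval=10, tolerance=3):
    """Spans where inbound Hellos from a peer stop for longer than
    tolerance * expected_interval seconds. A gap here means the remote
    side went silent (or its Hellos never reached us), which is the
    observation in the post above.
    """
    gaps = {}
    for peer, entries in by_peer.items():
        hellos = [ts for ts, d, m in entries if d == "in" and m == "DPD Hello"]
        for prev, cur in zip(hellos, hellos[1:]):
            delta = (cur - prev).total_seconds()
            if delta > expected_interval * tolerance:
                gaps.setdefault(peer, []).append((prev.isoformat(), cur.isoformat(), delta))
    return gaps


def unanswered_hellos(by_peer, max_reply=2):
    """Inbound Hellos with no outbound Ack within max_reply seconds.
    Entries here point at our side, not the peer.
    """
    missing = {}
    for peer, entries in by_peer.items():
        acks = [ts for ts, d, m in entries if d == "out" and m == "DPD Ack"]
        for ts, d, m in entries:
            if d == "in" and m == "DPD Hello":
                if not any(0 <= (a - ts).total_seconds() <= max_reply for a in acks):
                    missing.setdefault(peer, []).append(ts.isoformat())
    return missing


if __name__ == "__main__":
    trace = parse_trace(DPD_TRACE)
    print("hello gaps:", hello_gaps(trace))
    print("unanswered:", unanswered_hellos(trace))
```

If `hello_gaps` shows a silence that lines up with the tunnel reset while `unanswered_hellos` is empty, the trace on this gateway is consistent with the Hellos not arriving rather than with a missed reply, and a capture on the outside interface is the next thing to compare against the peer's view.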
Hello, kobi.
Have you ever solved the S2S VPN between AWS and CP?
I wonder.
Thank you.