I'm hoping someone relevant in Check Point gets to see this.
On Sunday I upgraded a customer on Open Server from R80.30 to R80.40.
First of all, CPUSE in the WebUI gave me the recommended R80.40 clean install and upgrade package. Verification said that clean install was allowed, but upgrade was not supported. Very odd??? But fine....
The R80.40 with JHFA T77 Blink image said the upgrade was allowed, so I did that instead. All appeared to work.
Testing showed that pretty much everything worked, but VPNs were very unstable. With site-to-site, while the tunnel appeared to remain up (logs showed traffic, and no constant key exchanges), the end user experience was that traffic would briefly work (get a response from the other side of the tunnel), then not work, then work, then not work.... Timings seemed random, but it happened very frequently so it was unusable.
Remote Access VPN - the customer uses a mix of Capsule VPN and Check Point Mobile. Capsule was rock solid throughout ✔️. Check Point Mobile was horrendously unstable - again completely unusable.
Sadly I don't have any log files etc. from the devices any longer (so pointless raising an SR). With other jobs on the list prior to this I'd been on it for 15 hours - it was 3am and I was tired and hungry so wasn't thinking far enough ahead to collect data. But I noticed that the vpnd.elg file had errors in matching sk164878. Solution 1 didn't work, and solution 2 was a clean install.
I did a clean install of R80.40 from the ISO, configured all the interfaces etc. again, put Take 77 on (because we already know R80.40 on Open Server is not supported without JHFA), installed the policy, then tested again. Exactly the same thing happened. Everything non-VPN-related worked fine, but VPN was highly unstable.
There were also some odd things being reported by SNMP, but I wasn't really concerned with that.
There were also some other weird occurrences such as the LAN not being able to get out to the Internet. Reboot the gateway and it would work again for a while, then randomly stop again.
At this point I had 2 hours left until 600 users started logging in. I had to do something drastic. So I installed R80.30 from the ISO. Thankfully (and not surprisingly as they were previously running R80.30 with no issues) everything worked perfectly. All SNMP alerts cleared up too, and the LAN worked flawlessly. I've left them on R80.30 and everything is fine.
I had two weeks of absolute hell with R80.40 on Open Server when it was first released (before there were any JHFAs). Same problems - random VPN instability, and randomly the LAN would stop passing traffic. Very shortly afterwards Check Point pulled support for 80.40 on Open Server while issues were being addressed. After JHFA T25 was released it went 'back on the market' - with T25 supposedly fixing the issues. Well, I can confirm beyond doubt that R80.40 Gateway on Open Server with T77 is still unstable and unusable (R80.40 Management on Open Server seems rock-solid - just the gateway which is flaky). Maybe it's only affecting certain hardware? Both times I've had these issues have been on HP DL360/DL380 hardware. The most recent was DL380 Gen10.
We have R80.40 out there on many flavours of CP appliance and it's rock solid. It's only Open Server gateways that seem to have the problem.
So there's nothing anyone can do, and as I've rolled back to R80.30 and have no log files from the flaky R80.40 there's nothing TAC could do for me now either. I didn't have the time to wait for TAC to fix it - I was really up against the clock, and R80.30 is stable. I just wanted to get this info out there so that Check Point is aware there are still issues, and so that anyone else thinking of going R80.40 Gateway on Open Server at least lab tests it thoroughly on their hardware before putting it into production. It might save you a world of pain.