This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Contributor
Thursday

S2S VPN DOWN When?

Hi All

is it possible to know exactly when a vpn went down? are we talking about an s2s vpn? is there a command that can help?

0 Kudos
4 Replies
Lesley
Mentor Mentor
Mentor
Thursday

Maybe this helps:

vpn tu tlist

But it is a difficult question, because if the tunnel is ''up'' with p1 p2 it still can be that for the user the tunnel is not working. 

Or a part of the tunnel works and other part does not work (if you have more subnets in one tunnel). 

You can check the firewall logs and check for logs from local enc domain towards remote and the other way around. Good indication is also to check logs from and towards remote peer IP. 

Tunnel config also has p1 and p2 timers, most of the time if timer is reached new p2 or p1 is created. 

In R82 you can configure VPN probes, those are hosts that you ping via the tunnel to check the status. Check it here:

https://support.checkpoint.com/results/sk/sk181994

-------
If you like this post please give a thumbs up(kudo)! 🙂
Timothy_Hall
Legend Legend
Legend
Thursday

Unless you have Permanent Tunnels/DPD enabled it is possible for your VPN peer to go down or become unreachable, but the tunnel still looks "up" from your end, at least until the next Phase 2 re-key which could be up to 60 minutes later by default.  At that point you would get an error about the tunnel being down, but it could have actually died up to 60 minutes ago. 

If you have Permanent Tunnels (CP gateways) or DPD (interoperable gateways) enabled, there is a setting in the VPN Community that can fire an alert when the tunnel is detected down, which should happen within roughly 60 seconds of the failure.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
the_rock
Legend
Legend
Thursday

Something like what I attached, though someone from TAC gave me this while back, but they said it might not always be 100% reliable.

Andy

Screenshot_1.png
Preview file
140 KB
the_rock
Legend
Legend
Thursday

You can also probably use tool called checkmk or something along those lines. I tested it in the lab last year, looked pretty reliable.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top