Matlu
Advisor

S2S VPN downtime

Hello,

A query,
I am aware that, in a Check Point S2S VPN against third parties, when there is no interesting traffic "crossing" the VPN for a certain period of time, these VPNs "go down".

My question is, how much time does Check Point "count" before it "downs the VPN"?

Assuming that the VPN will be up again, when interesting traffic is generated again.

Hopefully, someone can clarify this doubt for me, please.

Thanks

14 Replies
CaseyB
Collaborator

I would think the VPN would go down once the IPSec SA expires.

From the CLI you can type "vpn tu tlist -p x.x.x.x" and see a tunnel expiration time.

Matlu
Advisor

Hello,

Thank you for your comment.

The output of the command shows me the following.

[attachment: VPNS2S.png]

Trying to interpret the information correctly, I can assume that if there is no more interesting traffic through the tunnel, the VPN will be down today?

In other words, the tunnel will only "hold" for 1 hour, if it does not see any traffic passing through it?

Is there any way to "extend" this time?

CaseyB
Collaborator

Looking at this closer with some of my VPNs, the tunnel status is based off two items:

  • State = "UP" - Means Phase 1 and Phase 2 are proper. Everything should be working.
  • State = "UP - Phase1" - Means you only have Phase 1; Phase 2 is not working because of configuration or because the IPsec SA has expired. If it has expired, you can bring it to "UP" by generating the interesting traffic to make a new IPsec SA.

The CLI I provided is only giving insight for Phase 2, so once that tunnel has "expired" the tunnel will show "UP - Phase1" until that ages out. I cannot find how to view the expiration for Phase 1 (by default Phase1 is 24hours).

 

How to extend the time: if you want to keep the tunnel online you can configure permanent tunnels between 2 Check Point firewalls, or with a third party you can use DPD. You can always add a monitor system to the VPN and just send constant pings across too.

If you mean how to adjust the hour window, you can change those settings within the advanced options of the VPN community you are working with. By default Phase 1 is set up for 1440 minutes (24 hours) and Phase 2 is set up for 3600 seconds (1 hour); if you change these timers, they need to match on both sides of the VPN tunnel.

Matlu
Advisor

Thank you for your response.

So, to keep the VPN "up" (my environment is a VPN against a third party, not Check Point), it is advisable for us to enable DPD (as I remember, DPD is disabled by default, right?).

Does DPD affect a particular community, or is it something that affects all the VPNs I have in my GW?

the_rock
Legend

Bro, there is an old-school way to keep any VPN tunnel up. Just keep a constant ping going to something on the other end and that will have the tunnel UP all the time... same goes for, say, the VPN client inactivity setting. I know it's not the best way, but it works. Otherwise, just set the DPD method, or a permanent tunnel.

Andy

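The "constant ping" keepalive that CaseyB and Andy both describe, written out as a small script. This is an added example, not code from the thread or from Check Point. It assumes a Linux-style `ping` (Gaia is Linux-based, so `-c 1 -W 2` is one probe with a 2-second timeout); the host 192.0.2.10, the `PEER_HOST`, `PHASE2_LIFETIME` and `PING` variables and the function names are all assumptions made for the example. The probe interval is derived from the Phase 2 lifetime so interesting traffic always crosses the tunnel well before the IPsec SA would age out, and only up/down transitions are logged.

```shell
#!/bin/sh
# Keepalive for a site-to-site VPN to a third-party peer: send interesting
# traffic across the tunnel on a fixed interval so the IPsec SA stays in use
# and is renegotiated instead of aging out. Added example, not Check Point code.

# Assumed remote-side host inside the peer's encryption domain (TEST-NET-1 address).
PEER_HOST="${PEER_HOST:-192.0.2.10}"
# Phase 2 (IPsec SA) lifetime configured in the VPN community, seconds (default 1 hour).
PHASE2_LIFETIME="${PHASE2_LIFETIME:-3600}"
# Ping binary; overridable so the script can be exercised without a live tunnel.
PING="${PING:-ping}"

# Pick a probe interval well inside the Phase 2 lifetime (a quarter of it),
# never shorter than 30 seconds so the tunnel is not flooded with probes.
keepalive_interval() {
    lifetime=$1
    interval=$((lifetime / 4))
    [ "$interval" -lt 30 ] && interval=30
    echo "$interval"
}

# One probe: exit status 0 if the remote host answered a single ping within 2 s.
# (-W is seconds on Linux iputils ping; other ping implementations differ.)
probe_peer() {
    "$PING" -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Probe forever; print a timestamped line only when the reachability state changes.
keepalive_loop() {
    state=unknown
    interval=$(keepalive_interval "$PHASE2_LIFETIME")
    while :; do
        if probe_peer "$PEER_HOST"; then new=up; else new=down; fi
        if [ "$new" != "$state" ]; then
            printf '%s VPN keepalive to %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PEER_HOST" "$new"
            state=$new
        fi
        sleep "$interval"
    done
}

# Start the loop only when explicitly asked, e.g. RUN_KEEPALIVE=1 sh vpn-keepalive.sh
if [ -n "$RUN_KEEPALIVE" ]; then
    keepalive_loop
fi
```

Run it from a host in the local encryption domain (not from the gateway itself unless the gateway's own address is part of the encryption domain), because only traffic that matches the community's encryption domains counts as "interesting" and triggers the SA negotiation. With the default 3600-second Phase 2 lifetime the script probes every 900 seconds, which is frequent enough that a new IPsec SA is negotiated by traffic rather than the tunnel dropping to "UP - Phase1" between probes.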
Matlu
Advisor

Hello, my friend.

Just so that the concept can be clear to me: it is clear that Phase 2 of the default VPNs comes set to 3600 seconds.

This means that if in 1 hour there is no traffic between a Site1 HOST and a Site2 HOST, "visually" the VPN in phase 2 will appear as "down", right?

And I would understand that the VPN in general, if in 1 day, there is no traffic at all, visually, it will also be "down", until traffic is generated again, is my interpretation correct?

Greetings.

_Val_
Admin

Shortly, no. Phase 2 timer only defines how long the symmetric key is valid. Once it is timed out, it will be renegotiated. 

Matlu
Advisor

I understand.

What we are looking for is to have an "idea" of the maximum time the tunnel can be without traffic crossing it before the VPN visually looks "down".

Is this something that is defined in the configuration of a VPN community?

the_rock
Legend

One of our customers had the same question a few years back and we thought it was possible to define it in GuiDBedit, but TAC was not successful either, so we never really got an official answer on whether there is any sort of time that needs to pass before the tunnel is officially considered down.

You can open a case and ask about it I guess, but I hardly doubt it's different.

Andy

Matlu
Advisor

Bro,

So, activating DPD for a single community will guarantee me that the tunnel will stay up all the time?

Cheers 🙂

the_rock
Legend

Bro, no offense, I don't even guarantee I will be alive tomorrow LOL

Anyway, yes, DPD means the peer is configured for a permanent tunnel. Make sure the community is set that way too and the config is indeed set for such a tunnel.

Andy

Matlu
Advisor

Does activating DPD "alter" all the VPNs I have in my GW?

Or can DPD be activated for each community independently?

the_rock
Legend

It can be done independently, but it goes by interoperable object. In R81+, if you set the community as permanent tunnel type, it sets the object to DPD automatically.
