Hi
Since upgrading from 77.30 to R80.10, one of our VPN communities isn't working unless we reset the tunnel via vpn tu and getting the customer to initiate a ping immediately. If we leave it any longer than a couple of minutes the customer is unable to ping or access services based on rules and the key install IPSEC-SA gets deleted.
Informational Exchange Received Delete IPSEC-SA from Peer: x.x.x.x; SPIs: b903d37e
We've provided debug logs to CheckPoint but support were unable to spot anything.
We enabled DPD responder mode which stopped users connecting to the VPN client so had to revert.
- Run on each gateway:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1
- Change keep_IKE_SAs to true. (was already set to true but we've also tried it disabled.)
We've tried to change the DPD for the tunnel but get an error message when trying to set it.
In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
For the Value, select a permanent tunnel mode.
Tunnel has been recreated (new name) and changed to higher security. Although the network object isn't showing in the database editor tool.
We've tried changing the tunnel sharing but that drops the connection in less time than 24 hours.
We've also changed ike_keep_child_sa_interop_devices to true.
Both tunnels have the same renegotiate times, 1440 mins and 3600 seconds and NAT is disabled.
Device at the other end is a Cisco ASA 5555 but sadly I don't have access to it.
Thanks in advance!
Simon
