This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gacki
Participant
‎2023-03-14 02:22 AM
Jump to solution

Site-to-site VPN tunnel logs

Hello,
I would like to know how to check the log history in the console for a given VPN site to site.

We have a VPN site to site set up with another company, and there was a case that the VPN tunnel was broken for an hour, you can't see anything in the SMS logs, there is only an hour hole, the question is whether it is possible in the console to download logs from a given tunnel at a given time deeper hour.
Thank you very much for help

The sms version is R81.10
Firewall - r81.10

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-14 02:50 AM
Jump to solution

Logs at least should show why the tunnel went down and later up again ! If VPN is down it will not log.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

10 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-14 02:50 AM
Jump to solution

Logs at least should show why the tunnel went down and later up again ! If VPN is down it will not log.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Gacki
Participant
‎2023-03-14 03:03 AM
In response to G_W_Albrecht
Jump to solution

Thank you for your help

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-12-12 09:25 AM
In response to G_W_Albrecht
Jump to solution

Hello,
Is there a way to see the “possible root cause” of why a VPN tunnel went down and then came back up, from one moment to the next?

We are having a problem with a VPN, which suddenly “crashes” and then starts working again after a while without any intervention.
Is there a file we can check that might help us with this?

Cheers 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2025-12-12 09:59 AM
In response to Matlu
Jump to solution

These kinds of "fails and comes back" issues with VPNs are usually caused by mismatches in the configuration on both ends (namely timers related to key renegotiation).
You might have a look at scenario 4 here: https://support.checkpoint.com/results/sk/sk108600 

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-12-12 10:03 AM
In response to PhoneBoy
Jump to solution

Hello,
Is there a relevant log in SmartConsole that could give us an “idea” of the possible root cause?
Is there any way to help find logs relevant to intermittent issues in the SmartConsole search engine?

0 Kudos
CaseyB
Advisor
‎2025-12-12 11:23 AM
In response to Matlu
Jump to solution

I normally do "blade:VPN AND <public IP of peer>", then filter out accepted / encrypted traffic or filter on reject / key install or something like that, and I generally can fix any VPN issues doing that based on what the logs tell me.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-12-12 12:13 PM
In response to CaseyB
Jump to solution

Hello.
Regarding the “Key Install” log type, does it always represent a “problem” with an S2S VPN?
Is it something that needs to be “checked” in detail?

0 Kudos
CaseyB
Advisor
‎2025-12-12 12:25 PM
In response to Matlu
Jump to solution

No, generally the "Key Install" is always a good thing and is an expected log, but I use it to confirm the tunnel is building how I expect it to, as the tunnel could be breaking because of the networks / hosts sent in Phase 2.

For this example, this is the exact IKE ID I expect to see, so I know the encryption domain is not the problem in this direction. This can work properly when 1 firewall initiates traffic and could break if the other side is to initiate as their configuration could be off slightly sending a /29 instead of a /28 or something.

IKE_ids.png

 

You will see key installs line-up with the timers you have set here:

ike_timers.png

An example of an issue could be you are seeing "Key Installs" every 15 minutes when they should be around an hour, something is probably off.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-12-12 12:43 PM
In response to CaseyB
Jump to solution

Hello @CaseyB 


Your last comment is precisely part of my problem.
I am seeing too many recurring Key Install logs for a specific VPN.

And the other problem is that every Friday morning, the VPN goes down and then comes back up without any intervention.

That is why I am trying to find a way to know if the logs show us a reason why this is happening.

0 Kudos
CaseyB
Advisor
‎2025-12-12 01:11 PM
In response to Matlu
Jump to solution

You are going to see a "Key Install" for every IKE SA you are building on the tunnel. So, you do need to examine them to see if they are expected.

  • Example 1 - I am building at least 5 IKE SAs with this vendor on a tunnel, so I will see multiple "Key Installs" per hour, but that is expected because each IKE SA will probably re-key at a different time. See:

ike_sas1.png

  • Example 2 - I am building 1 IKE SA on this tunnel, and I should only see one key install per hour.

ike_sas2.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events