starmen2000
Collaborator

After a while VPN is going down

Hi Mates,

We have recently established an S2S VPN connection between Checkpoint and Barracuda FW. They are able to communicate effectively over this VPN. However, when a remote desktop connection is initiated between the two sites, after 10-15 minutes the S2S VPN is automatically reset and the tunnel is established again. As a result, the RDP connection is lost. Upon examining the logs, I discovered that when the connection is lost, the other site sends a "delete SA" message, which causes the tunnel to reset. What might be causing the tunnel to reset, and how can we fix this issue?

Thanks
0 Kudos
10 Replies
Chris_Atkinson
Employee

How is the encryption domain currently configured?

Refer also:

sk142355 - keep_IKE_SAs

sk108600 - Scenario 4

CCSM R77/R80/ELITE
0 Kudos
starmen2000
Collaborator

IKEv1

Phase 1
- AES-256
- SHA-256
- Group 14
- Renegotiate: 86400 sec

Phase 2
- AES-256
- SHA-256
- Renegotiate: 3600 sec
- Group 14

Perfect Forward Secrecy is enabled

0 Kudos
starmen2000
Collaborator

The log says, after a while when the tunnel went down: "Informational Exchange Received Delete IPSEC-SA from Peer: <3rd-party external IP>".

0 Kudos
Timothy_Hall
Champion

Your IKE Phase 1 and Phase 2 timers do not match on both sides.  The tunnel will start even though they don't match and you will see behavior like this.  Unfortunately Check Point chose to express the Phase 1 timer in minutes and the Phase 2 timers in seconds, while most other vendors express both values in seconds so double-check that they really match on both sides.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
_Val_
Admin

Second that.

0 Kudos
starmen2000
Collaborator

Actually, Phase 1 and Phase 2 timers match. But it is interesting: on the Barracuda side there are max and min lifetime options. The normal lifetime options already match, but the min/max lifetimes are different. You can see this in the attachment.

And also one point: after I reset the VPN, before the tunnel comes up, the FW receives a message from the other site, "Quick Mode received Notification Peer: Invalid payload type" and "Payload malformed". But then the VPN goes up, and while the VPN is up, after 30 min the tunnel is reset automatically.

[Attachment: secreenshot barracuda.png]
0 Kudos
the_rock
Legend

Make sure the option "Keep IKE SAs" in Global Properties is checked, as @Chris_Atkinson mentioned. I can't open the attachment from your last response, but I'm not 100% certain what those timer options would equate to on the CP side.

0 Kudos
starmen2000
Collaborator

Keep IKE SAs is already checked in Global Properties. The following picture is from the other site (Barracuda).

[Attachment: secreenshot barracuda.png]

0 Kudos
the_rock
Legend

I can't find any timer settings on the VPN community except under the Advanced tab in the community itself (I'm sure that's been like that for the last 25 years with CP VPN), but I did find the below. Not sure this would help you, but I agree with @Timothy_Hall.

Andy

0 Kudos
Timothy_Hall
Champion

Set Min, Max, and Lifetime to the same value on the Barracuda matching the Check Point timers.  Anything that brings down the tunnel early (idle time, data lifesize) in an interoperable scenario will hang the tunnel and produce the behavior you are experiencing.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
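A lifetime-comparison check in the spirit of the advice in this thread (an added example, not code from the thread or from either vendor): it normalises Check Point's minutes/seconds entry to seconds, flags a Barracuda-style min/max window that differs from the fixed lifetime, and reports whether a peer's Delete-SA arrived before the Phase 2 lifetime could have expired. The Barracuda min/max values and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

UNIT_SECONDS = {"sec": 1, "min": 60, "hr": 3600}

def to_seconds(value: int, unit: str) -> int:
    """Normalise a lifetime to seconds. Check Point shows Phase 1 in minutes
    and Phase 2 in seconds; most other vendors show both in seconds."""
    return value * UNIT_SECONDS[unit]

@dataclass
class PeerLifetimes:
    name: str
    p1: int                       # IKE (Phase 1) SA lifetime, seconds
    p2: int                       # IPsec (Phase 2) SA lifetime, seconds
    p2_min: Optional[int] = None  # optional min/max window (Barracuda-style)
    p2_max: Optional[int] = None

def compare_lifetimes(a: PeerLifetimes, b: PeerLifetimes) -> list:
    """Return human-readable findings for any lifetime mismatch between two peers."""
    findings = []
    if a.p1 != b.p1:
        findings.append(f"Phase 1 mismatch: {a.name}={a.p1}s, {b.name}={b.p1}s")
    if a.p2 != b.p2:
        findings.append(f"Phase 2 mismatch: {a.name}={a.p2}s, {b.name}={b.p2}s")
    for p in (a, b):
        # A min/max window that is not pinned to the lifetime lets that peer
        # rekey or delete the SA at a time the other side does not expect.
        if p.p2_min is not None and (p.p2_min, p.p2_max) != (p.p2, p.p2):
            findings.append(
                f"{p.name}: Phase 2 min/max window {p.p2_min}-{p.p2_max}s differs "
                f"from lifetime {p.p2}s; set all three to the same value")
    return findings

def delete_before_lifetime(up_at: str, deleted_at: str, p2_lifetime: int) -> bool:
    """True when the peer's Delete-SA arrived before the negotiated Phase 2
    lifetime could have expired, i.e. something else (idle timeout, data
    lifesize, min lifetime) tore the tunnel down early."""
    fmt = "%Y-%m-%d %H:%M:%S"
    elapsed = (datetime.strptime(deleted_at, fmt) - datetime.strptime(up_at, fmt)).total_seconds()
    return elapsed < p2_lifetime

# Constructed values mirroring the thread: Check Point entered as 1440 min / 3600 sec,
# Barracuda entered in seconds with a hypothetical min/max window.
CHECKPOINT = PeerLifetimes("CheckPoint", to_seconds(1440, "min"), to_seconds(3600, "sec"))
BARRACUDA = PeerLifetimes("Barracuda", 86400, 3600, p2_min=1200, p2_max=7200)

if __name__ == "__main__":
    for f in compare_lifetimes(CHECKPOINT, BARRACUDA):
        print("FINDING:", f)
    # constructed timestamps: tunnel up, then Delete-SA 14.5 minutes later
    print("early teardown:", delete_before_lifetime("2024-01-01 10:00:00", "2024-01-01 10:14:30", 3600))
```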