This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jesus_Cano
Collaborator
‎2019-07-23 12:59 AM

VPN is going down

Hi,

 

We Just configured a VPN between Checkpoint R80.10 and Fortigate. The VPN is up and traffic is flowing. The issue is that sometime the tunnel stop processing traffic and we need to renew in order to work again. So why the tunnel goes down? its because inactivity? 

0 Kudos
15 Replies
Matt_Killeen
Contributor
‎2019-07-23 03:22 AM

This is diffcult to diagnose without seeing the full VPN configuration of both the CheckPoint and Fortigate.

Checkpoint uses DPD and I believe Fortigate uses Auto Keep Alive so, even if these are configured and working, dropping the tunnel due to inactivity may not be the problem.

Before you go to deep into troubleshooting, however, one thing I would ask you to check is the LifeTimes on the CheckPoint side for Phase I and Phase II match the Fortigate side and that on the Fortigate side, the Phase II KeyLife is set to Seconds and not "KiloBytes" or "Both" . If the Fortigate is using KiloBytes as the key life time, it could try to create new keys before the CheckPoint is ready. This makes the re-key unpredictable as it's dependent on how much data has been processed in any given time period.

If one side tries to regenerate keys before the other side is ready you will have problems with the tunnel.

Jesus_Cano
Collaborator
‎2019-07-23 03:44 AM
In response to Matt_Killeen

Where its configured DPD in R80.10, i can not find this config.

 

0 Kudos
Matt_Killeen
Contributor
‎2019-07-23 03:52 AM
In response to Jesus_Cano

Sorry - I'm calling it DPD out of old habits. It's Permanent Tunnels in Tunnel Management.
0 Kudos
Jesus_Cano
Collaborator
‎2019-07-23 03:55 AM
In response to Matt_Killeen

OK, but i read that permanent tunnels is only working between Checkpoint appliances. In this case one is CPK and the peer is fortigate.

0 Kudos
Matt_Killeen
Contributor
‎2019-07-23 04:16 AM
In response to Jesus_Cano

So if Permanent Tunnels are not configured on the CheckPoint (and you've not configured DPD Responder Mode for permanent tunnels to 3rd party) and if Auto Keep Alive is not configured on the Fortigate, the tunnel should drop due to inactivity and re-establish when interesting traffic is processed.
0 Kudos
Jesus_Cano
Collaborator
‎2019-07-23 04:28 AM
In response to Matt_Killeen

The issue is that the tunnel goes down but even with interesting traffic is not coming up. WE need to renegotiate the tunnel in order to go up again.

0 Kudos
Matt_Killeen
Contributor
‎2019-07-23 04:31 AM
In response to Jesus_Cano

So, have you checked the LifeTimes on the CheckPoint side for Phase I and Phase II match the Fortigate side and that on the Fortigate side, the Phase II KeyLife is set to Seconds and not "KiloBytes" or "Both" ?
0 Kudos
Jesus_Cano
Collaborator
‎2019-07-23 04:36 AM
In response to Matt_Killeen

This is CPK config. I will ask the config in the peer (fortigate).

 

config.JPG

0 Kudos
Timothy_Hall
Champion
Champion
‎2019-07-23 06:46 AM
In response to Jesus_Cano

Let me guess, when interesting traffic arrives at the Fortigate it is able to successfully start a new VPN tunnel and start passing traffic.  However when interesting traffic arrives at the Check Point, IKE negotiations fail in Phase 2 and the traffic cannot pass.  Fortigates are similar to Juniper/Sonicwall in that Phase 2 subnet/Proxy-ID proposals presented to it must match its configuration precisely, unlike Cisco and Check Point who will accept a subset of their subnet/Proxy-ID configuration in a Phase 2 proposal.  You must adjust the Check Point configuration to present the exact subnet/Proxy-IDs that the Fortigate wants in Phase 2.

Read scenario 1 of this SK: sk108600: VPN Site-to-Site with 3rd party

And this SK for the proper filename of user*def file to edit: sk98239: Location of 'user.def' files on Security Management Server

You pretty much are stuck going down this road with Fortigate/Juniper/Sonicwall and to some degree Palo Alto interoperable VPNs.

Also as noted earlier make sure the Phase 1 and Phase 2 lifetimes match exactly, as Delete SA processing upon tunnel expiration does not always work correctly in an interoperable scenario and can cause tunnel hangs.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-23 02:08 PM
In response to Jesus_Cano

Please check with the Fortigate people if they have set the rekey based on Kbytes. If they do they need to disable that, Check Point does not support this.
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-24 04:38 AM
In response to Maarten_Sjouw

When the Other party has set the rekey on KBytes, this exactly the behavior you would see. They Reset the tunnel when they recieved/sent the number they set and then drop the tunnel from their end, you do not notice this as they expect you to do the same.
Regards, Maarten
0 Kudos
Jesus_Cano
Collaborator
‎2019-07-24 04:45 AM
In response to Maarten_Sjouw

rekey is 28800 secons. (not KB).

 

Fortinet side has enabled el Autokey keep alive, we will monitor how it works now

0 Kudos
Jesus_Cano
Collaborator
‎2019-08-09 04:55 AM
In response to Jesus_Cano

Issue is still happening, when not traffic is in the tunnel goes down. And we need to renegotiate in order to up again. Why is this happening, how can we know the reason?

0 Kudos
Timothy_Hall
Champion
Champion
‎2019-08-09 05:25 AM
In response to Jesus_Cano

As a last resort, try checking the boxes keep_IKE_SAs and ike_send_initial_contact on the Global Properties...Advanced...Configure...VPN Advanced Properties...VPN IKE Properties screen and reinstall policy to the gateway.  Note that these are global settings (not per VPN Community) and may impact the operation of other unrelated VPN tunnels.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Oskar_Svedman
Participant
‎2019-08-09 07:37 AM
In response to Timothy_Hall

I had a similar issue between R80.10 and SMB 730 gateways before. (Used Dynamic IP of the remote SMB gateways)
Needed to force a reset of the tunnel before it went back.

I got a hotfix from CheckPoint that solved my problem.

0 Kudos