VPN tunnel down issue

Hi All,

I am facing an issue with the VPN tunnels between a Check Point firewall and AWS. There are multiple tunnels between the Check Point firewall and AWS, and they go down when not in use. Multiple times I have had to reset a tunnel, after which it works fine. Is there any way we could create a script through the API that sends continuous ICMP traffic towards the AWS tunnel to keep the tunnel UP, so that I do not need to reset the tunnel again and again?

Currently our setup is running on 2 distributed GWs in a cluster managed by a MGMT server, and all are running R80.10 with Take 189 hotfix.

7 Replies
Admin

The SKs that talk about configuring a VPN with AWS mention using Dead Peer Detection--are you using it?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

You need to enable Permanent Tunnel in Tunnel management on the vpn community.
Regards, Maarten

Dear PhoneBoy/Admin,

Thanks for your response. I am already using tunnel_keepalive_method dpd and have checked all the other parameters, but I have not found a solution till now.

I get the error log: packet is dropped because an ipsec sa associated with the spi on the received ipsec could not be found

Action: drop Description: ESP traffic dropped.

I will follow sk19423, but that is not helpful for me.

Can I disable NAT-T? And if I disable NAT-T, what is the impact of that in production?


Hi @ramawatar and @PhoneBoy

I am also facing a similar issue.

My observation is that, in the continuous ongoing security parameter negotiations, whenever the AWS end negotiates the tunnel with NAT-T (UDP 4500), the tunnel shows UP but no data traverses the tunnel.

(As per a few Secure Knowledge articles, Check Point only responds to NAT-T negotiation but never initiates a negotiation with NAT-T.)

fw ctl zdebug + drop | grep <AWS_gateway> gives "decryption failed". (A = my end, B = AWS end.)

[screenshot: drop.JPG]

I am using BGP to control routing.

The BGP TCP handshake does not complete when the IKE negotiation shows IKE NAT-T (4500).

But fw monitor shows my end trying to send BGP messages through the tunnel, and even the initial packet comes through from the AWS end, but the TCP connection does not complete:

[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000
[vs_0][fw_22] vpnt6:O[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16

When I do a manual tunnel reset, Check Point initiates the tunnel, negotiating on UDP 500, and data starts traversing the tunnel.

Tunnels remain UP as long as the negotiation is not happening through IKE 4500.

Currently I am experimenting with tuning the gateway-specific parameters below to ensure that negotiation over IKE 4500 does not happen. (There is no NAT device between my end and AWS.)

IKE_SUPPORT_NAT_T
offer_nat_t_initator
offer_nat_t_responder_for_known_gw
force_nat_t

Advanced NAT-T Configuration

These variables are defined for each gateway and control NAT-T for site-to-site VPN:

Item                               | Description                                         | Default Value
offer_nat_t_initator               | Initiator sends NAT-T traffic                       | true
offer_nat_t_responder_for_known_gw | Responder accepts NAT-T traffic from known gateways | true
force_nat_t                        | Force NAT-T even if there is no NAT-T device        | false

Check Point team (@PhoneBoy): based on my observations above, please highlight and resolve any interoperability issues with NAT-T between Check Point and other vendors' devices.

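The fw monitor capture above shows a SYN in on eth3-01 and a SYN-ACK going out through vpnt6, but never the client's final ACK. As an added diagnostic example (not code from the thread or from Check Point), this Python script parses fw monitor TCP lines in that format and reports, per BGP session attempt, whether the three-way handshake completed. The capture embedded below is constructed after the one in the post, with 169.254.10.1 standing in for A.A, 169.254.10.2 for B.B, and a second, completing peer 169.254.10.3 added for contrast.

```python
import re
from collections import defaultdict

# Constructed fw monitor sample modelled on the thread's capture (addresses invented).
SAMPLE = """\
[vs_0][fw_22] eth3-01:i[60]: 169.254.10.1 -> 169.254.10.2 (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000
[vs_0][fw_22] vpnt6:O[60]: 169.254.10.2 -> 169.254.10.1 (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.10.2 -> 169.254.10.1 (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.10.2 -> 169.254.10.1 (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_22] eth3-01:i[60]: 169.254.10.1 -> 169.254.10.3 (TCP) len=60 id=11
TCP: 50000 -> 179 .S.... seq=00000001 ack=00000000
[vs_0][fw_22] eth3-01:E[60]: 169.254.10.3 -> 169.254.10.1 (TCP) len=60 id=0
TCP: 179 -> 50000 .S..A. seq=00000100 ack=00000002
[vs_0][fw_22] eth3-01:i[52]: 169.254.10.1 -> 169.254.10.3 (TCP) len=52 id=12
TCP: 50000 -> 179 ....A. seq=00000002 ack=00000101
"""

# Header line: "[vs_N][fw_N] <iface>:<inspection point>[len]: src -> dst (TCP) ..."
HDR = re.compile(r"^\[vs_\d+\]\[fw_\d+\]\s+(\S+?):([iIoOeEdD])\[\d+\]:\s+(\S+)\s+->\s+(\S+)\s+\(TCP\)")
# Following line: "TCP: sport -> dport <flags> seq=... ack=..."
TCP = re.compile(r"^TCP:\s+(\d+)\s+->\s+(\d+)\s+(\S+)\s+seq=([0-9a-f]+)\s+ack=([0-9a-f]+)")

def parse_fw_monitor(text):
    """Yield (iface, point, src, sport, dst, dport, flags) for each captured TCP packet."""
    pending = None
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if m:
            pending = m.groups()
            continue
        m = TCP.match(line.strip())
        if m and pending:
            iface, point, src, dst = pending
            sport, dport, flags, _seq, _ack = m.groups()
            yield iface, point, src, int(sport), dst, int(dport), flags
            pending = None

def handshake_status(text, server_port=179):
    """Map (client_ip, client_port, server_ip) -> handshake state seen in the capture.
    The same packet appears once per inspection point, so states are sets, not counts."""
    seen = defaultdict(set)
    for _iface, _pt, src, sport, dst, dport, flags in parse_fw_monitor(text):
        if dport == server_port and "S" in flags and "A" not in flags:
            seen[(src, sport, dst)].add("syn")          # client -> server SYN
        elif sport == server_port and "S" in flags and "A" in flags:
            seen[(dst, dport, src)].add("syn-ack")      # server -> client SYN-ACK
        elif dport == server_port and "A" in flags and "S" not in flags:
            seen[(src, sport, dst)].add("ack")          # client's final ACK
    return {k: ("complete" if {"syn", "syn-ack", "ack"} <= s
                else "syn-ack seen, no ack" if "syn-ack" in s else "syn only")
            for k, s in seen.items()}
```

Run against a real `fw monitor -e "accept port(179);"` capture, a session stuck at "syn-ack seen, no ack" while the SYN-ACK is visible leaving on the vpnt interface points at the encrypted path, matching the "decryption failed" drops in zdebug, rather than at BGP itself.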
Admin

You're seeing "decryption failed" messages in zdebug, which would suggest a configuration mismatch of some sort.
You'll need to debug it to see where the mismatch is, using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Also recommend engaging with the TAC.


Hi @Uttam_Ghole

I am experiencing the same issue. Did you manage to resolve it after modifying the gateway-specific parameters?

Regards,


@Marek_Pietrulew We were facing the issue with the AWS tunnel only. It is now working fine: we disabled NAT-T for all security gateways and set tunnel_keepalive_method to DPD.

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property in the GuiDBedit Tool (see sk13009) or dbedit (see sk13301). This includes 3rd-party gateways. (You cannot configure different monitoring mechanisms for the same gateway.)

In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
For the Value, select a permanent tunnel mode.
Save all the changes.
Install policy on the gateways.

For best practice, use the VPN Administration Guide for the respective Gaia version.
