Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
GzsAlex
Explorer

Checkpoint endpoint vpn connections drop with "site not responding" after a policy install.

Dear all,

We have been facing these issues mentioned in the subject since the end of 2020.

If there are many endpoint vpn connections + there are many changes (approximately 30+) while doing a policy install, the chances are that the connections will drop are very high. We tried everything mentioned in community, contacted our reseller, and CP engineers constantly troubleshooting the issue since then (2021.02) but with no success.

We implemented a Skype for Business 2019 solution at that time. We think that skype may have interfering with the CP, as the end users are using skype through endpoint VPN.

Unfortunately we can't test this out, because the skype rules must be active through office hours. However, the chance to drop the vpn connections are extremely low at non-office hours.

Could you please share your suggestions related to this topic?

Many thanks.

Regards,

Alex

0 Kudos
6 Replies
mcatanzaro
Employee
Employee

Hi GzsAlex,

What version is the gateway running (major and any jumbos)?

 

0 Kudos
GzsAlex
Explorer

Hi mcatanzaro,

Thanks for your reply.

Our version:

R80.40 Take120

Regards:

Alex

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Unfortunately based on the nature of your enquiry I have more questions than answers to start...

Endpoint client version? Connection persistence setting? keep_ike_sa setting status? Gateway load?

 

CCSM R77/R80/ELITE
0 Kudos
GzsAlex
Explorer

Hello, Chris_Atkinson.

Thank you for your reply.

The answers:

Endpoint client version

E82.50 build 986101607

Connection persistence: keep all connections

Could you please help me regarding the last two settings? Where can I find them?

Many thanks,

Alex

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Menu > Global Properties > Advanced > Configure > VPN Advanced Properties > VPN IKE properties > keep_IKE_SAs.  (Refer: sk142355)

Gateway load is in reference to available capacity, is it operating with high resource/CPU consumption day-to-day?

CCSM R77/R80/ELITE
0 Kudos
GzsAlex
Explorer

Thanks!

Keep_ike_sas are enabled.

The active node has ~10-21% cpu load though the day, when an install occurs it goes up high, but based on our checkpoint engineer's guidelines, It is normal. The VPND process takes 3% to 10% at an install.

We are doing debug constantly cp and client side. Unfortunately the enginner did not find any reasons for the problem in the logs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events