Hello.

Thanks for your feedback.

Parameter "transport_connect_timeout"  and ccc_timeout does not help. Reconnection more than 2 minutes. Target switching time is 5 seconds.

Configuration description:

1. Checkpoint FW 6400, two Internet providers. Remote Access ISP Redundancy - Primary (ISP-1) / Backup (IPS-2)

2. VPN client uses the mep mode "first to respond" for two FW providers (ISP above)

:mep_mode (

             :gateway (

                 :map (

                     :dns_based (dns_based)

                     :first_to_respond (first_to_respo

nd)

                     :primary_backup (primary_backup)

                     :load_sharing (load_sharing)

                     :client_decide (client_decide)

                 )

                 :default (first_to_respond)

:ips_of_gws_in_mep (

             :gateway (

                 :default (ISP-1&#ISP-2&#)

             )

         )

3. transport_connect_timeout - 2000

4.  ccc_timeout -6000   

 Situation description:

1. Disconnect the main ISP provider

2. Client detects loss of connection

3. Starts reconnection

4. Hangs on reconnection for about a minute and a half

5. Reconnects to the second available IP

6. CPn Client logs 

[21 Jan 1:42:56] Client state is connecting
[21 Jan 1:42:56] Connection was successfully established (1)
[21 Jan 1:53:21] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18002.
[21 Jan 1:53:23] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18003.
[21 Jan 1:53:26] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18004.
[21 Jan 1:53:28] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18005.
[21 Jan 1:53:31] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18006.
[21 Jan 1:53:33] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18007.
[21 Jan 1:53:36] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18008.
[21 Jan 1:53:38] No reply from the gw ip=172.20.0.1 for tunnel test packet. Office Mode IP=172.16.12.2, source port=18009.
[21 Jan 1:53:39] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:39] Client state is connected
[21 Jan 1:53:39] Tunnel (1) disconnected. State is connected. Trying to reconnect.
[21 Jan 1:53:42] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:42] Client state is reconnecting
[21 Jan 1:53:42] Reconnect failed. trying again (1)
[21 Jan 1:53:46] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:46] Client state is reconnecting
[21 Jan 1:53:46] Reconnect failed. trying again (1)
[21 Jan 1:53:50] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:50] Client state is reconnecting
[21 Jan 1:53:50] Reconnect failed. trying again (1)
[21 Jan 1:53:54] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:54] Client state is reconnecting
[21 Jan 1:53:54] Reconnect failed. trying again (1)
[21 Jan 1:53:58] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:53:58] Client state is reconnecting
[21 Jan 1:53:58] Reconnect failed. trying again (1)
[21 Jan 1:54:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:02] Client state is reconnecting
[21 Jan 1:54:02] Reconnect failed. trying again (1)
[21 Jan 1:54:06] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:06] Client state is reconnecting
[21 Jan 1:54:06] Reconnect failed. trying again (1)
[21 Jan 1:54:09] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:09] Client state is reconnecting
[21 Jan 1:54:09] Reconnect failed. trying again (1)
[21 Jan 1:54:13] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:13] Client state is reconnecting
[21 Jan 1:54:13] Reconnect failed. trying again (1)
[21 Jan 1:54:17] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:17] Client state is reconnecting
[21 Jan 1:54:17] Reconnect failed. trying again (1)
[21 Jan 1:54:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:22] Client state is reconnecting
[21 Jan 1:54:22] Reconnect failed. trying again (1)
[21 Jan 1:54:25] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:25] Client state is reconnecting
[21 Jan 1:54:25] Reconnect failed. trying again (1)
[21 Jan 1:54:29] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:29] Client state is reconnecting
[21 Jan 1:54:29] Reconnect failed. trying again (1)
[21 Jan 1:54:33] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:33] Client state is reconnecting
[21 Jan 1:54:33] Reconnect failed. trying again (1)
[21 Jan 1:54:37] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:37] Client state is reconnecting
[21 Jan 1:54:37] Reconnect failed. trying again (1)
[21 Jan 1:54:41] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:41] Client state is reconnecting
[21 Jan 1:54:41] Reconnect failed. trying again (1)
[21 Jan 1:54:45] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:45] Client state is reconnecting
[21 Jan 1:54:45] Reconnect failed. trying again (1)
[21 Jan 1:54:49] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:49] Client state is reconnecting
[21 Jan 1:54:49] Reconnect failed. trying again (1)
[21 Jan 1:54:53] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:53] Client state is reconnecting
[21 Jan 1:54:53] Reconnect failed. trying again (1)
[21 Jan 1:54:57] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:54:57] Client state is reconnecting
[21 Jan 1:54:57] Reconnect failed. trying again (1)
[21 Jan 1:55:01] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:01] Client state is reconnecting
[21 Jan 1:55:01] Reconnect failed. trying again (1)
[21 Jan 1:55:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:05] Client state is reconnecting
[21 Jan 1:55:05] Reconnect failed. trying again (1)
[21 Jan 1:55:09] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:09] Client state is reconnecting
[21 Jan 1:55:09] Reconnect failed. trying again (1)
[21 Jan 1:55:14] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:14] Client state is reconnecting
[21 Jan 1:55:14] Reconnect failed. trying again (1)
[21 Jan 1:55:18] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:18] Client state is reconnecting
[21 Jan 1:55:18] Reconnect failed. trying again (1)
[21 Jan 1:55:21] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:21] Client state is reconnecting
[21 Jan 1:55:21] Reconnect failed. trying again (1)
[21 Jan 1:55:26] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:26] Client state is reconnecting
[21 Jan 1:55:26] Reconnect failed. trying again (1)
[21 Jan 1:55:30] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:30] Client state is reconnecting
[21 Jan 1:55:30] Reconnect failed. trying again (1)
[21 Jan 1:55:34] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:34] Client state is reconnecting
[21 Jan 1:55:34] Reconnect failed. trying again (1)
[21 Jan 1:55:38] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Jan 1:55:38] Client state is reconnecting
[21 Jan 1:55:38] Reconnect failed. trying again (1)
[21 Jan 1:55:39] Client state is reconnecting
[21 Jan 1:55:39] State reconnecting. Roaming timeout is reached, cancelling connection (1)
[21 Jan 1:55:40] Client state is idle
[21 Jan 1:55:40] Starting connect...
[21 Jan 1:55:40] Creating primary conn flow to CO-CPGW-VPN (1)
[21 Jan 1:55:50] MEP resolving: Setting gw_ipaddr and vpnd_addr to ISP-2
[21 Jan 1:55:50] Sent ClientHello
[21 Jan 1:55:50] upgarde is not configured on the site
[21 Jan 1:55:50] Starting new connection (1)
[21 Jan 1:55:52] Topology download in progress
[21 Jan 1:55:52] upgarde is not configured on the site
[21 Jan 1:55:52] no need executing firewall step
[21 Jan 1:55:52] Office mode IP was set successfully
[21 Jan 1:55:55] OM started successfully with IP = 172.16.12.4.
[21 Jan 1:55:55] Client state is connecting
[21 Jan 1:55:55] Connection was successfully established (1)

The logs indicate the client is trying the first ISP IP, is timing out, then trying the second, which is what I expected based on your description.
You have a couple of potentially conflicting settings here: "first to respond" and "primary backup."
Having said that, "first to respond" may only apply when there are multiple gateways, whereas this is on the same one.

Not sure if there's an adjustable timer for this specific situation.
I suggest consulting TAC but suspect what you're looking more might involve an RFE.

Okay, thanks.
With what topology (configuration) can I achieve the minimum time for switching a VPN client between providers? 2 minutes is a long time, it is unlikely that such a large vendor as Check Point considers this the norm.

If you have an understanding, please point me in the right direction

Most likely, you'd need Harmony SASE to achieve this, at least based on what I know of our current products/solutions.
Best to discuss your specific requirements with your local Check Point office.

Hi @PhoneBoy do you have some links to comparisions between harmony and remote access vpn ?

Beside a feature comparision maybe also use cases, when to use harmony and when to use remote access vpn ?
Just to know which advantages the newer product harmony has also over remote access vpn.

Harmony SASE runs in the cloud, but also allows access to on-premise resources either using a web browser (kinda like Mobile Access Blade) or Remote Access.
Specifically the client terminates their connection in the cloud and the cloud connects to the on-premise resources (either via a dedicated connector VM or via IPsec VPN to the gateway).
Basically, the client won't have to care what Internet connection you're running at the local site.

Note that both traditional Remote Access and Harmony SASE allow similar use cases with the difference being how it is managed (SmartConsole versus Infinity Portal) and where the traffic is initially terminated (your gateways directly versus through our private cloud first).
Harmony SASE also has additional features.

PhoneBoy, thanks for your help and feedback.

The following parameters solve my problem:

:neo_implicit_disconnect (
:gateway (endpoint_vpn_implicit_disconnect
:default (true)
)
)
:neo_implicit_disconnect_timeout (
:gateway (endpoint_vpn_implicit_disconnect_timeout
:valid (true)
:default (0)
)
)

After configuring these parameters, the client switches within 3-5 pings. And everything would be fine if it was stable, some reconnections, say every third one (I didn't understand the exact pattern.), take more than a minute, although the break is recorded almost instantly.

What it looks like.

Fast reconnect:
1. The client records unavailability (1 sec)
2. The client initiates switching (1 sec)
3. Connect to the second provider (3 sec)

Slow reconnect:
1. The client records unavailability (1 sec)
2. The client initiates switching (1 sec)
3. Connect to the second provider (50+ sec).

Any thoughts on why random reconnection can last for so long? How to understand what is happening and what is the reason?

p.s.
TAC says the unsupported configuration and refuses to help.

As I noted earlier, this might require an RFE for formal support.
This would need to be pursued through your local Check Point office.

What troubleshooting has been done on the gateway side when this is occurring?

Thanks for the idea, I'll try to make a troubleshooting joke from the gateway side.

Regarding RFE. Something tells me that this is a very long story with an unknown outcome. And the problem needs to be solved now.

I believe those changes were done in trac.config file on the client?

Andy

trac_client_1.ttm

https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

Got it! Yes, just checked in my lab and those settings are there.

Just to be 100% sure its good, maybe run below from the fw end, just replace R82 with right version (I did this in my R82 lab)

Andy

[Expert@R82:0]# vpn check_ttm /opt/CPsuite-R82/fw1/conf/trac_client_1.ttm

Summary for the file: trac_client_1.ttm
result: the file passed the check without any problems

[Expert@R82:0]#

the check is successful, without errors.

Just to be 100% sure its good, maybe run below from the fw end, just replace R82 with right version (I did this in my R82 lab) - 

Did I understand correctly that you repeated my configuration in your test lab and switching works without problems? How many packets are lost during switching or how long does switching take? Did you check switching in both directions (ISP-1->ISP-2->ISP-1)?

Thats right and result was more less the same.

Andy