Hi All,
We are running R77.30 and have configured Remote Access VPN. The client we are using is E80.65.
I am able to connect successfully the first time, but every 10 to 15 minutes the client disconnects with the error "VPN tunnel has disconnected and failed to renew the encryption keys". Any idea?
"[11 Apr 18:07:54] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys."
"[11 Apr 18:24:52] IKE connection failed, error code=-1000. Reason: Internal error: Cannot connect to gateway: Transport failed.."
Sorry to revive an old thread, but did you find a solution? I am also seeing this:
[17 Nov 21:06:33] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.
[17 Nov 21:06:33] Client state is connected
[17 Nov 21:06:33] Tunnel (3) disconnected. State is connected. cancelling connection.
I have already followed: sk116432 to change:
However, the users are still reporting disconnections to this specific gateway. Others are fine....
Did you manage to fix this?
Thanks!
Hi Dave,
Are you still there? 😊
Did you find a solution?
Thanks.
Have you looked at sk65331: Endpoint Connect disconnects after a short period of time with an error 'Failed to renew En...
Hi Timothy,
Thanks for replying.
The sk65331 does not seem to meet my gateway.
My gateway is E80.30 and it is happening while using Windows (after 1hour) and Mac (after an hour and a half).
It is happening on only one of my clusters and not on the other cluster.
R80.30 take 200 is the same on both of them.
The message after collecting logs from the client (helpdesk.log) says:
"IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys."
It sounds like you are losing the IKE Phase 1 tunnel at some point, and when the IPSec/Phase 2 tunnel expires for the client (default timer for SA Lifetime is 60 minutes) they are getting kicked off because the new Phase 2 SA cannot be negotiated through the dead IKE/P1 tunnel. Any chance that a policy reinstall happened less than 60 minutes prior to them getting disconnected? If so, try setting keep_IKE_SAs in the Global Properties.
Beyond that you will need to run a debug on vpnd and catch this failure in the act to figure out what is going on in $FWDIR/log/vpnd.elg (or just engage TAC). See sk89940 - How to debug VPND daemon
Also your R77.30 version is very old and unsupported so TAC may not engage.
Hi Timothy,
Thank you so much for looking into this issue.
Finally, the solution was to edit the file $FWDIR/boot/modules/fwkern.conf and add the line:
"natt_probe_do_in_kernel=0"
The solution was provided in another thread: "VPN Client disconnects after one hour"
Again, Thank you very much for taking your time and for the ideas you suggested to me.
Oren.
Interesting, thanks for the follow-up and sharing the solution. Looks like that natt_probe_do_in_kernel variable takes the NAT-T probing function away from the vpnd daemon and implements it in the kernel/fwk instead.
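An added triage example, not code from any poster in this thread or from Check Point: it reads helpdesk.log lines in the shape quoted above, pulls out the "Failed to renew Encryption keys" events, and compares the gap between consecutive failures with the 60-minute default Phase 2 SA lifetime mentioned in the thread. Assumptions: the gap between failures is used as a rough stand-in for session length, the 5-minute tolerance and the function names are hypothetical, the sample lines are constructed, and the log has no year so the caller passes one.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the helpdesk.log excerpts quoted in this thread.
LINE = re.compile(r"^\W*(\d{1,2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2})\]\s*(.*)$")
RENEW_FAIL = "Failed to renew Encryption keys"
SA_LIFETIME = timedelta(minutes=60)  # default Phase 2 lifetime cited in the thread

def renewal_failures(lines, year):
    """Return sorted timestamps of every key-renewal failure in the log lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m and RENEW_FAIL in m.group(2):
            # Timestamps carry no year, so the caller supplies it (assumption).
            stamp = f"{year} {m.group(1)}"
            events.append(datetime.strptime(stamp, "%Y %d %b %H:%M:%S"))
    return sorted(events)

def classify_gaps(events, tolerance=timedelta(minutes=5)):
    """Label the gap between consecutive failures against the SA lifetime."""
    out = []
    for prev, cur in zip(events, events[1:]):
        gap = cur - prev
        if abs(gap - SA_LIFETIME) <= tolerance:
            label = "matches-sa-lifetime"       # fits the Phase 2 rekey explanation
        elif gap < SA_LIFETIME:
            label = "shorter-than-sa-lifetime"  # rekey timer alone does not explain it
        else:
            label = "longer-than-sa-lifetime"
        out.append((cur, round(gap.total_seconds() / 60), label))
    return out

# Constructed sample lines, modelled on the excerpts in the thread.
SAMPLE = [
    "[17 Nov 20:05:10] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.",
    "[17 Nov 20:05:10] Client state is connected",
    "[17 Nov 21:06:33] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.",
    "[17 Nov 21:06:33] Tunnel (3) disconnected. State is connected. cancelling connection.",
    "[17 Nov 21:19:02] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.",
]

if __name__ == "__main__":
    for when, minutes, label in classify_gaps(renewal_failures(SAMPLE, 2020)):
        print(f"{when:%d %b %H:%M:%S}  gap={minutes} min  {label}")
```

Gaps that cluster near 60 minutes fit the rekey explanation given above; much shorter gaps, like the 10 to 15 minutes in the first post, call for the vpnd debug instead.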