Solved: Re: VPN Client disconnects after one hour

Daniel_Peschke1 · ‎2019-04-28

Hello,

I ran into a problem with remote access VPN.

The connection can be established successfully and the ressources are available, but exactly after one hour the client disconnects with the error message "Failed to renew encryption keys".

In ike.elg it looks like phase 2 is failing, but everything is fine at the initial connection.

I checked and changed several lease times and renegotiation times, the client still disconnects after one hour.

I already have a service request open since three weeks now with no solution.

Did anyone experience this before?

Volodymyr · ‎2020-04-17

I had the same problem on R80.10 and then R80.30 gateway. It was solved today with TAC (SR 6-0001915434).

Needs to change the parameter on file $FWDIR/boot/modules/fwkern.conf:

natt_probe_do_in_kernel=0

View solution in original post

_Val_ · ‎2019-04-29

This is a classic case. Please make sure CRL on the Management is available through VPN or is not encrypted.

Daniel_Peschke1 · ‎2019-04-29

How can I check these parameters? (I am kinda new to Check Point)

Daniel_Peschke1 · ‎2019-04-29

How do I check those parameters? (I'm kinda new to Check Point)

Martin_Raska · ‎2019-04-29

Are you using certificates for authentication?

Daniel_Peschke1 · ‎2019-04-30

There are no certificates for the clients, but a SSL certificate for the gateway. So the clients connect to the domain-name and not to the IP of the gateway. But I also tried to connect to the IP and got the same error.

For authentication I am using Identity Awareness with AD-Query and local configured users. The error occurs on both of them.

More information to the gateway - it's a stand-alone solution on R80.20 and Endpoint Security E80.92.

Jeff_Gao · ‎2020-03-21

@Daniel_Peschke1. Did you find a solution fot this issue? i also have the same issue.

Daniel_Peschke1 · ‎2020-03-21

Hello,

It took me some days to notice, but we had a misconfigured NAT rule. A static NAT from gateway IP to a server in the DMZ.

Srihari_E · ‎2024-04-04

we using p12 certificate authentication

yigiterol · ‎2020-01-18

Hello,

Did you find a solution for this?

Volodymyr · ‎2020-04-17

I had the same problem on R80.10 and then R80.30 gateway. It was solved today with TAC (SR 6-0001915434).

Needs to change the parameter on file $FWDIR/boot/modules/fwkern.conf:

natt_probe_do_in_kernel=0

Per_Opel · ‎2020-10-28

Did you get any explanation on what this kernel attribut does? We're having the same issue with rekey started a few days ago (despite that nothing has changed regarding policy or fw-version).

We're using 80.30 take 217.

Yesterday I rebooted the gateways and after that I executed fw ctl set int natt_probe_do_in_kernel 0 on one of the gateways (the active one).
Since then I don't have the issue with rekey but if it was the reboot or the kernel param update which solved remains to find out.

PradeepSonawne · ‎2023-08-05

I am also facing the same kind of issue and also raised the ticket with TAC but as of now no Cath on the issue, But they suggested the same command and we did that, but the issue remains the same.

We are in the Maestro environment R81.10 and my GW is in Active Active, If I execute the below commands do I need a reboot of GW?

Thanks in advance

Volodymyr · ‎2023-08-07

Hi,

if you`re talking about natt_probe_do_in_kernel=0, note it is not command, it is string in $FWDIR/boot/modules/fwkern.conf file.

And sure, any changes of $FWDIR/boot/modules/fwkern.conf file will be applied after reboot of GW.

Are you a member of CheckMates?

VPN Client disconnects after one hour