This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Anton_Kazantsev
Contributor
‎2018-11-14 10:32 AM

VPN Session timeout

Hello CM!

I have strange behavior which happens unexpectedly. Some users connect to R80.10 Gateway with LoadSharing Multicast with VPN client with re-authnticate options setting on 24h but disconnected  after 2 minutes with reason "session timeout". 

Can anyone give a tip, where find 120 sec timeout setting or mb something else? 

7 Replies
Anton_Kazantsev
Contributor
‎2018-11-14 10:19 PM
In response to PhoneBoy

I saw this SK, but I think it a little different

Antispoof is set to detect only

I increased Maximum concurrent IKE neg, but it does not work

There is no such problem when ClusterXL was in  HA mode

0 Kudos
Anton_Kazantsev
Contributor
‎2018-11-15 12:17 AM

I found these lines in trac.log on client:

...

[ 97 771][15 Nov 12:47:26][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18005.
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x

...

[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Received Esp Packet from gw 10.x.x.x .Must be tunnel test packet
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: started
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: Received tunnel test reply
[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Tunnel state is connected

...

[ 97 771][15 Nov 12:47:28][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] receive reply from the gw. Descheduling TunnelTestTimeout and scheduling CheckDGDTimeStamp again

...

[ 97 771][15 Nov 12:47:28][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout is not reached yet. Scheduling next DGD query in 17977 ms.

...

[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::CheckDGDTimeStamp: current timestamp = I64d and DGD timestamp = I64d
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout reached. Scheduling tunnel test every 2000 ms until 20000.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::SendTunnelTestPkt(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18006.
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:46][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

[ 97 771][15 Nov 12:47:48][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18007.
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:48][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:48][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

x10 times

...

[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout: stop sending tunnel tests packets. deschedule SendTunnelTestPkt
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!

0 Kudos
Anton_Kazantsev
Contributor
‎2018-11-15 03:35 AM

ok, all day I tried to fix this issue and and that's what I discovered:

when I switched off Implied rules "Accept Control Connections" and write my own rule for tunnel_test port everything works fine. But when I turn everything back - "sessions timeouts" returned

0 Kudos
Anton_Kazantsev
Contributor
‎2018-11-15 04:02 AM

commented /* #define ENABLE_TUNNEL_TEST */ in implied_rules.def and added explicit rule in policy

We'll see what it makes

0 Kudos
Anton_Kazantsev
Contributor
‎2018-11-15 10:21 AM
In response to Anton_Kazantsev

Nah, does not work(

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-15 11:04 AM

I recommed getting the TAC involved

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top