The Delete SA functionality does not work properly between different vendors most of the time. As such if one side brings down the tunnel prior to SA lifetime expiration for any reason, the tunnel can get stuck so you have got to make sure they match between the two sides. On Check Point SA lifetimes are expressed in minutes for Phase 1 and seconds for Phase 2, so for 8 hours they should be 480 and 28800, respectively. Recommendations:
1) SA Lifetimes on the Cisco side should be 28800/28800. DO NOT trust what the other administrator tells you they are set to, ask for a screenshot of the config with these values set for your tunnel. I believe you can verify what lifetimes the two sides are specifying in your IKEview traces if you still don't believe the other administrator. 🙂
2) On the Cisco side, make sure the data lifesize is set to an unreachably high value (I don't think it can be flat-out disabled) as that can cause an early tunnel termination and hang.
3) Not sure if this applies anymore, but make sure the VPN tunnel idle timer is DISABLED on the Cisco as that can cause an early tunnel termination as well.
4) Set all checkboxes on Global Properties...Advanced...Configure...VPN Advanced Properties...VPN IKE Properties. Note that these are global properties and may impact other tunnels.
5) Failing all of the above, enable Permanent Tunnels in DPD mode and have the Cisco enable DPD as well. See Scenario 5 of sk108600: VPN Site-to-Site with 3rd party. More of a workaround than a solution, but will allow the two sides to recover themselves when a hang occurs.
Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com