Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Copper

Problems enabling DPD for Centrally Managed 1450 SMB Gateway

Has anyone successfully been able to get Dead Peer Detection in any mode working on a centrally managed SMB gateway? We just installed FortiGates in our core to terminate the VPNs from our branch CheckPoints (1120s/1450s) and I noticed no matter what settings I use in GUIDBEdit to turn Dead Peer Detection on with permanent tunnels, the 1450 still just constantly sends Tunnel_Test keepalives which the FortiGate Drops. 

 

I have looked at sk131292 and opened a TAC case based on it but the engineer either though this couldn't be done or it should be contained in newer hotfixes. I'm currently on the newest hotfix R77.20.87.

 

I do see that it says it's a resolved issue in R77.20.70 as well https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I just want to do whatever I can to get this tunnel stable, I've tried changing the FortiGate IKE parameters to subnet mode, tried changing the CheckPoint to tunnel sharing Per Gateway, Per Subnet, Per Host, I've tried permanent tunnels off, I've tried DPD in every setting on the FortiGate side, I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264.

I see the FortiGate keeps sending IPSEC-SA deletes constantly and Dead Peer Detection is what I keep coming back to so both sides agree on how to handle these.

0 Kudos
5 Replies
Highlighted
Admin
Admin

Not sure if this option exists in a centrally managed configuration, but:

Screen Shot 2020-05-01 at 12.12.01 PM.png

0 Kudos
Highlighted
Copper

Well I think this would be the equivalent GuiDBEdit setting and I've tried it true and false (although I can't really tell if Centrally Managed SMB gateways pay attention to GUIDBEdit settings)

 

dpd1.PNG

 

Also most of the advanced settings in the Gaia Embedded Web Gui seem to be hidden when it's Centrally Managed mode, this is all I see:

 

dpd2.PNG

 

I've tried editing the equivalent advanced settings in clish but I can't tell if most of those settings are support when it's centrally managed either, especially since in Centrally Managed mode a lot of the clish functionality you'd get in Locally Managed mode to do with VPNs does nothing.

0 Kudos
Admin
Admin

sk131292 suggests there's a hotfix for this that is integrated into R77.20.80.
However, the settings it tells you to enable in the UI are only relevant when locally managed.
Which suggests it's probably possible for centrally managed, but we need to enable the right options.
A TAC case may be required here.
0 Kudos
Highlighted

Have you changed this setting:

Capture.PNG

0 Kudos
Highlighted
Copper

Yes "I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264." I've then saved the change and pushed policy any time I've made GUIDBEdit changes too.

dpd3.PNG

0 Kudos