
Unstable VPN tunnels

Hi,

We have several sites where we cannot get a decent internet connection. We are using a 4G router for those locations and have put 600 or 700 series appliances behind it. They get a dynamic IP, so we are using a VPN community with certificates for these DAIP gateways.

VPN tunnels get built and everything works, but we notice the lines are unstable. It also seems that when internet is available again, the VPN tunnel refuses to re-establish. It takes some time before (some counters?) something gets reset and the tunnel can be rebuilt again. The quickest way the end users know is rebooting the firewall.

Does anyone have any suggestions for creating more stable VPN tunnels on unstable lines? I don't know if the permanent tunnels feature would help here? Or is that designed for more stable lines?

Thanks in advance for tips & tricks!

14 Replies

Re: Unstable VPN tunnels

Permanent Tunnels is exactly what you need to do. IKE/IPsec do not have any kind of keepalive mechanism built into them, which is why your tunnels don't seem to come back quickly after a connectivity problem. Dead Peer Detection (DPD) was introduced later to deal with this oversight; Permanent Tunnels is essentially Check Point's version of DPD with a few other enhancements.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Unstable VPN tunnels

Thanks, we configured permanent tunnels now and will evaluate.


Re: Unstable VPN tunnels

Tell us how that went?


Re: Unstable VPN tunnels

Hey, permanent tunnels helped stability but it isn't perfect. I would still recommend it though.


Re: Unstable VPN tunnels

Btw, even with permanent tunnels you may run into a situation where the VPN is stuck and needs to be reset. One way to do it is through SmartView Monitor. I personally found the more effective way to do it is by using the 'vpn tu' command. Choose option '7' and give the remote GW IP.

Re: Unstable VPN tunnels

That is correct and that is what we use if we have to fix the issue for the customer. Another way is to reboot the 600/700 appliance at the remote office.


Re: Unstable VPN tunnels

I read this topic and I assume that the tunnel exists between two Check Point firewalls. Is there any chance to enable DPD between Check Point and a 3rd party device, in my case a Cisco ASA firewall? I found the following sk but I'm not sure if that helps (part 1/B):

New VPN features in R77.10 

My only solution is to reset the tunnel every single day.


Re: Unstable VPN tunnels

Hi, our issue was between 2 Check Point firewalls.

Interesting sk though as I normally don't use DPD in the VPN configuration of the 3rd party firewall. If one side uses DPD it could create issues for the VPN stability. But if both could use it, then in theory, the VPN should be more stable.

Never tried those steps, but maybe someone else did on this forum?

This sk about 3rd party VPNs also mentions using DPD.


Re: Unstable VPN tunnels

Exactly what is your problem with that 3rd party firewall? Unstable internet connection?


Re: Unstable VPN tunnels

Actually I have a problem with a VPN tunnel between a Check Point and an ASA firewall. Every single day I have to reset the tunnel because a particular kind of traffic does not work until after the reset. What I observed is that Check Point likes supernetting, and I found 'invalid ID information' in the SmartView Tracker logs. Now I have tried to disable supernetting in the user.def file and still use the same encryption domain on both sides. I'll be curious if this mitigates or solves the issue.
Unfortunately, using DPD changed nothing.


Re: Unstable VPN tunnels

You need to set your tunnel sharing to "Per Host" when peering with a Cisco device. It is the only way it works for me.


Re: Unstable VPN tunnels

I haven't tried it yet, but that will be the next step. Meanwhile I checked the tunnel status again, and it seems that it is still working, so the user.def modification mitigated the issue. I'll monitor the tunnel for a few days.


Re: Unstable VPN tunnels

The user.def file modification will override the Tunnel Sharing setting for the subnets configured within it, so changing the setting should not be necessary.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Re: Unstable VPN tunnels

Thank you for the info! Meanwhile I checked the tunnel again and it is still working. It seems that the encryption domain mismatch was the main issue in my case.