Hi,
we have several sites where we cannot get a decent internet connection. We are using a 4G router for those locations and have put 600 or 700 series appliances behind it. They get a dynamic IP so we are using a VPN community with certificates for these DAIP gateways.
VPN tunnels get built and everything works but we notice the lines are unstable. It also seems that when internet is available again, the VPN tunnel refuses to re-establish. It takes some time before (some counters?) something gets reset and the tunnel can be rebuilt again. The quickest way the end users know is rebooting the firewall.
Does anyone have any suggestions for creating more stable VPN tunnels on unstable lines? I don't know if the permanent tunnels feature would help here? Or is that designed for more stable lines?
Thanks in advance for tips & tricks!
Permanent Tunnels is exactly what you need to do. IKE/IPSec do not have any kind of keepalive mechanism built into them, which is why your tunnels don't seem to come back quickly after a connectivity problem. Dead Peer Detection (DPD) was introduced later to deal with this oversight; Permanent Tunnels is essentially Check Point's version of DPD with a few other enhancements.
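As an added illustration of the DPD mechanism described in the reply above (not code from this thread or from Check Point), this Python simulation of the RFC 3706 R-U-THERE / R-U-THERE-ACK exchange shows why a tunnel with no liveness check stays stuck after the line drops, while DPD deletes the dead SAs so the tunnel can re-establish. `Peer`, `TunnelMonitor` and the outage timeline are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    """Remote gateway: 'reachable' models the 4G link, 'has_sa' its SA state."""
    reachable: bool = True
    has_sa: bool = True

    def handle(self, msg):
        """Answer a DPD R-U-THERE with an ACK carrying the same sequence number."""
        if self.reachable and msg["type"] == "R-U-THERE":
            return {"type": "R-U-THERE-ACK", "seq": msg["seq"]}
        return None  # link down: the probe is simply lost

@dataclass
class TunnelMonitor:
    """Local gateway side: runs DPD on idle-timer expiry and owns the local SA."""
    remote: Peer
    dpd: bool = True
    max_retries: int = 3
    seq: int = 0
    has_sa: bool = True

    def probe(self):
        """One R-U-THERE; peer is alive only if the ACK echoes our sequence number."""
        self.seq += 1
        reply = self.remote.handle({"type": "R-U-THERE", "seq": self.seq})
        return reply is not None and reply["type"] == "R-U-THERE-ACK" and reply["seq"] == self.seq

    def tick(self):
        """One timer expiry; returns the tunnel state as users would experience it."""
        if self.dpd and self.has_sa and not any(self.probe() for _ in range(self.max_retries)):
            self.has_sa = False  # peer declared dead: delete the stale SAs
        if not self.has_sa and self.remote.reachable:
            self.has_sa = self.remote.has_sa = True  # fresh IKE negotiation
        if not self.remote.reachable:
            return "down"
        if self.has_sa and not self.remote.has_sa:
            return "stuck"  # we still encrypt to an SA the peer no longer knows
        return "up"

def simulate(dpd):
    """Constructed timeline: healthy, 4G outage (remote loses its SA), link restored."""
    remote = Peer()
    mon = TunnelMonitor(remote, dpd=dpd)
    states = [mon.tick()]
    remote.reachable, remote.has_sa = False, False
    states.append(mon.tick())
    remote.reachable = True
    return states + [mon.tick(), mon.tick()]
```

Without DPD the local side keeps using an SA the rebooted remote no longer has, which is the "needs a reset" state described in the thread.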
Tnx, we configured permanent tunnels now and will evaluate.
Tell us how that was?
Hey, permanent tunnels helped stability but it isn't perfect. I would still recommend it though.
Btw, even with permanent tunnels you may run into a situation where the VPN is stuck and needs to be reset. One way to do it is through SmartView Monitor. I personally found the more effective way to do it is by using the 'vpn tu' command. Choose option '7' and give the remote GW IP.
That is correct and that is what we use if we have to fix the issue for the customer. Another way is to reboot the 600/700 appliance at the remote office.
I read this topic and I assume that the tunnel exists between two Checkpoint firewalls. Is there any chance to enable DPD between Checkpoint and a 3rd party device, in my case a Cisco ASA firewall? I found the following sk but I'm not sure if that helps (1/B part):
My only solution is to reset the tunnel every single day.
Hi, our issue was between 2 Check Point firewalls.
Interesting sk though as I normally don't use DPD in the VPN configuration of the 3rd party firewall. If one side uses DPD it could create issues for the VPN stability. But if both could use it, then in theory, the VPN should be more stable.
Never tried those steps, but maybe someone else did on this forum?
This sk about 3rd party VPNs also mentions using DPD.
Exactly what is your problem with that 3rd party firewall? Unstable Internet connection?
Actually I have a problem with a VPN tunnel between Checkpoint and an ASA firewall. Every single day I have to reset the tunnel because a particular traffic does not work, only after the reset. What I observed is that the Checkpoint likes supernetting and I found 'invalid ID information' in the SmartView Tracker logs. Now I tried to disable supernetting in the user.def file and still use the same encryption domain on both sides. I'll be curious if this mitigates or solves the issue.
Unfortunately, using DPD changed nothing.
You need to set your tunnel sharing "Per Host" when peering with Cisco device. It is the only way it works for me.
I haven't tried it yet but that will be the next step. Meanwhile I checked the tunnel status again, it seems that it is still working, thus the user.def modification mitigated the issue. I'll monitor the tunnel for a few days.
The user.def file modification will override the Tunnel Sharing setting for the subnets configured within it, so changing the setting should not be necessary.
--
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30
Thank you for the info! Meanwhile I checked the tunnel again and it is still working. It seems that the encryption domain mismatch was the main issue in my case.