Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jeroen_Demets
Collaborator

Unstable VPN tunnels

Hi,

we have several sites where we can not get a decent internet connection. We are using a 4G router for those locations and have put 600 or 700 series appliances behind it. They get a dynamic IP so we are using a VPN community with certificates for these DAIP gateways.

VPN tunnels get built and everything works but we notice the lines are unstable. It also seems that when internet is available again, that the VPN tunnel refuses to re-establish. It takes some time before (some counters?) something gets reset and the tunnel can be rebuild again. The quickest way the end users know is rebooting the firewall.

Does anyone have any suggestions for creating more stable VPN tunnels on unstable lines? I don't know if the permanent tunnels feature would help here? Or is that designed for more stable lines?

Thanks in advance for tips & tricks!

14 Replies
Timothy_Hall
Champion
Champion

Permanent Tunnels is exactly what you need to do.  IKE/IPSec do not have any kind of keepalive mechanism built into them, thus why your tunnels don't seem to come back quickly after a connectivity problem.   Dead Peer Detection (DPD) was introduced later to deal with this oversight; Permanent Tunnels is essentially Check Point's version of DPD with a few other enhancements.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Jeroen_Demets
Collaborator

Tnx, we configured permanent tunnels now and will evaluate.

0 Kudos
Beja
Contributor

tell us how that was?

0 Kudos
Jeroen_Demets
Collaborator

Hey, permanent tunnels helped stability but it isn't perfect. I would still recommend it though.

0 Kudos
HristoGrigorov

Btw, even with permanent tunnels you may run into situation where VPN is stuck and needs to be reset. One way to do it is through SmartView Monitor. I personally found the more effective way to do it is by using 'vpn tu' command. Choose option '7' and give remote GW IP. 

Jeroen_Demets
Collaborator

That is correct and that is what we use if we have to fix the issue for the customer. Another way is to reboot the 600/700 appliance at the remote office.

0 Kudos
Dezso_Gesztesi
Participant

I read this topic and I assume that the tunnel exist between two Checkpoint firewalls. Is there any chance to enable DPD between Checkpoint and 3rd party device, in my case Cisco ASA firewall? I found the following sk but I'm not sure, if that helps (1/B part):

New VPN features in R77.10 

My only solution is to reset the tunnel every single day

0 Kudos
Jeroen_Demets
Collaborator

Hi, our issue was between 2 Check Point firewalls.

Interesting sk though as I normally don't use DPD in the VPN configuration of the 3rd party firewall. If one side uses DPD it could create issues for the VPN stability. But if both could use it, then in theory, the VPN should be more stable.

Never tried those steps, but maybe someone else did on this forum?

this sk about 3rd party VPN's also mentions using DPD

0 Kudos
HristoGrigorov

Exactly what is your problem with that 3rd party firewall ? Unstable Internet connection ?

0 Kudos
Dezso_Gesztesi
Participant

Actually I have problem with VPN tunnel between Checkpoint and ASA firewall. Every single day I have to reset the tunnel because a particular traffic does not work, only after the reset. What I observed that the Checkpoint likes supernetting and found 'invalid ID information' in the SmartView Tracker logs. Now I tried to disable supernetting in user.def file and still use the same encryption domain on both side. I'll be curious, if this mitigate or solve the issue.
Unfortunately, with use of DPD changed nothing.

0 Kudos
HristoGrigorov

You need to set your tunnel sharing "Per Host" when peering with Cisco device. It is the only way it works for me.

0 Kudos
Dezso_Gesztesi
Participant

I haven't tried it yet but that will be the next step. Meanwhile I checked the tunnel status again, it seems that still working, thus user.def modification mitigated the issue. I'll monitor the tunnel for a few days.

0 Kudos
Timothy_Hall
Champion
Champion

The user.def file modification will override the Tunnel Sharing setting for the subnets configured within it, so changing the setting should not be necessary.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Dezso_Gesztesi
Participant

Thank you for the info! Meanwhile I checked the tunnel again and still working. It seems that the encryption domain mismatch was the main issue in my case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events