We have two new 1555 and 1575 Quantum Spark gateways. Both are on the latest version, R81.10.17. When we set up a VPN tunnel, the 1575 creates a tunnel and can ping the LAN interface on the 1555. The 1555 creates the tunnel (VPN TU shows there are tunnels), but we cannot ping the interface on the 1575. When we first set it up, it worked perfectly. It eventually went down in the middle of the night and we cannot get it back up no matter what. We contacted support and they were clueless and told me I have to wait until Sunday night (this is a critical matter; the company relies on this tunnel being up 24/7). I deleted the tunnels, re-created them, cleared SAs in VPN TU, rebooted both firewalls; nothing works. The company I installed these for isn't very pleased. They are telling me they want to go back to their 10+ year old Barracudas and want their money back because I can't get a simple site-to-site VPN set up. BTW, I manage 50+ Quantum Spark gateways and it seems like VPN tunnels get worse and worse through the years. I still have 700 series tunnels that haven't dropped in 8 years, but these new 1500s can't hold a tunnel for a couple of hours.
Also, BTW, all of the traffic selectors are fine. I am just doing what I always do and let the Check Point handle the local encryption domains automatically.
Also both are locally managed.
Here are the errors I am getting:
Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <redacted> <255.255.255.254> <224.0.0.0 - 224.0.0.255> MyTSr: <redacted> <192.168.90.0 - 192.168.90.255> <224.0.0.0 - 224.0.0.255> Peer TSi: <192.168.90.0 - 192.168.90.255>
Child SA exchange: Exchange failed: timeout reached.
IKE failure: Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs: 9eabb7e44f833352:50570df6387b0035
dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted;
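As an added diagnostic (not from the post, and not Check Point's own tooling), the script below parses the "Traffic selectors unacceptable" line above and reports which peer selector overlaps none of the local selectors of the same role, which is the condition under which an IKEv2 responder sends TS_UNACCEPTABLE (RFC 7296, section 2.9). It assumes that the gateway's MyTSi/MyTSr fields are its own policy's initiator/responder selectors and pair with Peer TSi/Peer TSr by role; the sample line is constructed from the ranges visible in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the "Traffic selectors unacceptable" line in the
# post: the ranges are the ones visible there, "<redacted>" is kept as posted, and
# the line ends at Peer TSi exactly as the quoted log does (no Peer TSr is known).
SAMPLE_LOG = (
    "Child SA exchange: Sending notification to peer: Traffic selectors unacceptable "
    "MyTSi: <redacted> <255.255.255.254> <224.0.0.0 - 224.0.0.255> "
    "MyTSr: <redacted> <192.168.90.0 - 192.168.90.255> <224.0.0.0 - 224.0.0.255> "
    "Peer TSi: <192.168.90.0 - 192.168.90.255>"
)

FIELD_RE = re.compile(r"(MyTSi|MyTSr|Peer TSi|Peer TSr):((?:\s*<[^>]*>)+)")
RANGE_RE = re.compile(r"<(\d+\.\d+\.\d+\.\d+)(?:\s*-\s*(\d+\.\d+\.\d+\.\d+))?>")


def parse_selectors(line):
    """Map each TS field on the line to a list of inclusive (first, last) IPv4 pairs.
    Tokens that are not an address or a range (such as <redacted>) are skipped."""
    fields = {}
    for name, body in FIELD_RE.findall(line):
        ranges = []
        for lo, hi in RANGE_RE.findall(body):
            first = ipaddress.IPv4Address(lo)
            last = ipaddress.IPv4Address(hi) if hi else first  # bare single host
            ranges.append((first, last))
        fields[name] = ranges
    return fields


def overlaps(a, b):
    """True if two inclusive (first, last) ranges share at least one address."""
    return max(a[0], b[0]) <= min(a[1], b[1])


def find_unacceptable(line):
    """A responder may narrow the initiator's TSi/TSr, but each must still overlap
    its local policy; return the peer fields whose ranges overlap none of the local
    ranges of the same role. Fields absent from the line are skipped, not reported,
    because nothing can be concluded about them."""
    ts = parse_selectors(line)
    bad = []
    for peer_field, local_field in (("Peer TSi", "MyTSi"), ("Peer TSr", "MyTSr")):
        if peer_field not in ts:
            continue
        local = ts.get(local_field, [])
        if not any(overlaps(p, l) for p in ts[peer_field] for l in local):
            bad.append(peer_field)
    return bad


if __name__ == "__main__":
    print(find_unacceptable(SAMPLE_LOG))  # ['Peer TSi']
```

On the posted line the peer's TSi (192.168.90.0/24) overlaps nothing in the gateway's own MyTSi, which is enough on its own to produce the rejection; a 'vpn tu' or log line that also shows Peer TSr can be fed to the same function.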