This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Aidan_Luby
Collaborator
‎2020-05-01 09:15 AM

Problems enabling DPD for Centrally Managed 1450 SMB Gateway

Has anyone successfully been able to get Dead Peer Detection in any mode working on a centrally managed SMB gateway? We just installed FortiGates in our core to terminate the VPNs from our branch CheckPoints (1120s/1450s) and I noticed no matter what settings I use in GUIDBEdit to turn Dead Peer Detection on with permanent tunnels, the 1450 still just constantly sends Tunnel_Test keepalives which the FortiGate Drops. 

 

I have looked at sk131292 and opened a TAC case based on it but the engineer either though this couldn't be done or it should be contained in newer hotfixes. I'm currently on the newest hotfix R77.20.87.

 

I do see that it says it's a resolved issue in R77.20.70 as well https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I just want to do whatever I can to get this tunnel stable, I've tried changing the FortiGate IKE parameters to subnet mode, tried changing the CheckPoint to tunnel sharing Per Gateway, Per Subnet, Per Host, I've tried permanent tunnels off, I've tried DPD in every setting on the FortiGate side, I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264.

I see the FortiGate keeps sending IPSEC-SA deletes constantly and Dead Peer Detection is what I keep coming back to so both sides agree on how to handle these.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-05-01 12:13 PM

Not sure if this option exists in a centrally managed configuration, but:

Screen Shot 2020-05-01 at 12.12.01 PM.png

0 Kudos
Aidan_Luby
Collaborator
‎2020-05-01 12:24 PM
In response to PhoneBoy

Well I think this would be the equivalent GuiDBEdit setting and I've tried it true and false (although I can't really tell if Centrally Managed SMB gateways pay attention to GUIDBEdit settings)

 

dpd1.PNG

 

Also most of the advanced settings in the Gaia Embedded Web Gui seem to be hidden when it's Centrally Managed mode, this is all I see:

 

dpd2.PNG

 

I've tried editing the equivalent advanced settings in clish but I can't tell if most of those settings are support when it's centrally managed either, especially since in Centrally Managed mode a lot of the clish functionality you'd get in Locally Managed mode to do with VPNs does nothing.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-01 12:40 PM
In response to Aidan_Luby

sk131292 suggests there's a hotfix for this that is integrated into R77.20.80.
However, the settings it tells you to enable in the UI are only relevant when locally managed.
Which suggests it's probably possible for centrally managed, but we need to enable the right options.
A TAC case may be required here.
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-05-01 08:34 PM

Have you changed this setting:

Capture.PNG

0 Kudos
Aidan_Luby
Collaborator
‎2020-05-04 08:41 AM
In response to HristoGrigorov

Yes "I've tried using GUIDBEdit to change the tunnel keepalive mechanism on the 1450 between tunnel_test, passive and DPD but in any mode it just sends tunnel tests on port 18264." I've then saved the change and pushed policy any time I've made GUIDBEdit changes too.

dpd3.PNG

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events