Hello, I manage a hub and spoke topology of around 15 Spark gateways. They are centered around a cluster of two 1800 gateways currently on version: R80.20.40 (992002691)
I use routed VTI tunnels (static routes) towards the other branches. I don't know if it's something in the configuration, but once in a while some of the tunnels stop passing traffic.
It shows UP from both sides, both in the GUI and the CLI, but traffic doesn't get through. This is usually after a WAN link outage on some of the branches, but that's not always the case. It seems like the tunnel monitoring is broken and it doesn't know to tear down the session and rebuild it when it needs to. I didn't see anything that would help me with this in the debug files ike.elg or sfwd.elg.
If I manually disable and enable the tunnel again it will fix the issue.
I first used Checkpoint proprietary monitoring, then switched to DPD. The problem is still the same. Gateways on the branches are on different versions, ranging from R80.20.40 (2691) to R81.10.05. The hub has been upgraded before as well; the problem is still the same.
What has seemed to help was turning off PFS in tunnel setup but after the upgrade to R81 on some of the branches the situation repeated.
Does someone know what the recommended settings are for IPsec VPN between SMBs? Especially in the case of using a cluster on one or on both sides.
Thank you.
Vladimir.
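The symptom described in this post (a VTI reported UP on both ends while traffic is silently dropped) cannot be caught by looking at tunnel status alone; comparing per-tunnel byte counters between two polls separates a real blackhole from an idle tunnel or one that was just rebuilt. This is an added example, not code from the original post or from Check Point; it assumes you can obtain per-VTI status plus cumulative tx/rx byte counters from the gateway, and the sample values below are constructed.

```python
from dataclasses import dataclass

@dataclass
class VtiSample:
    name: str       # VTI / peer name as shown by the gateway
    status: str     # "UP" or "DOWN" as reported by the gateway
    tx_bytes: int   # cumulative bytes sent into the tunnel
    rx_bytes: int   # cumulative bytes received from the peer

def classify_tunnel(before: VtiSample, after: VtiSample, min_tx_delta: int = 1000) -> str:
    """Compare two polls of the same VTI and return a verdict.

    'blackhole' means the gateway reports UP and keeps sending, but nothing
    comes back in the polling window, which is exactly the stuck-tunnel case.
    A negative delta means the counters were reset (tunnel rebuilt between
    polls), so no judgement is made for that window.
    """
    if before.name != after.name:
        raise ValueError("samples must belong to the same tunnel")
    tx_delta = after.tx_bytes - before.tx_bytes
    rx_delta = after.rx_bytes - before.rx_bytes
    if after.status != "UP":
        return "down"
    if tx_delta < 0 or rx_delta < 0:
        return "reset"
    if tx_delta < min_tx_delta:
        return "idle"        # too little outbound traffic to judge
    if rx_delta == 0:
        return "blackhole"   # UP, sending, receiving nothing
    return "healthy"

def find_blackholed(poll_t0: list, poll_t1: list) -> list:
    """Return names of tunnels that look blackholed between two polls."""
    earlier = {s.name: s for s in poll_t0}
    return sorted(
        s.name for s in poll_t1
        if s.name in earlier and classify_tunnel(earlier[s.name], s) == "blackhole"
    )

# Constructed two-poll sample across a few spokes of a hub-and-spoke setup
POLL_T0 = [
    VtiSample("branch-01", "UP", 5_000_000, 4_800_000),
    VtiSample("branch-02", "UP", 7_200_000, 6_900_000),
    VtiSample("branch-03", "UP", 1_000_000, 900_000),
    VtiSample("branch-04", "DOWN", 300_000, 250_000),
]
POLL_T1 = [
    VtiSample("branch-01", "UP", 5_400_000, 5_100_000),  # traffic both ways
    VtiSample("branch-02", "UP", 7_650_000, 6_900_000),  # UP but rx frozen
    VtiSample("branch-03", "UP", 2_000, 1_500),          # counters reset, rebuilt
    VtiSample("branch-04", "DOWN", 300_000, 250_000),
]
```

Running `find_blackholed(POLL_T0, POLL_T1)` flags only branch-02; branch-03 is reported as `reset` rather than as a fault, so a tunnel that was just re-established is not alerted on.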