Dear Members,
Currently, I have a Site-to-Site VPN connecting the HQ site, which utilizes a Checkpoint Quantum Spark 1550 appliance, to the Branch site, which employs a Palo Alto 220. The Phase 1 lifetime is set to 8 hours on both and the Phase 2 lifetime is set to 1 hour on both firewalls.
The tunnel is up and running, but during a recent blackout at the HQ site that lasted for an hour, the VPN tunnel went down. Once power was restored, the VPN tunnel reestablished itself. However, a new problem emerged - after a few minutes, the tunnel began going down and up frequently.
To address this issue, I attempted to clean both Phase 1 and Phase 2 from the HQ site (using Checkpoint) by using the CLI command "vpn tunnelutil 0". After executing this command, the tunnel remained stable for the entire day.
I am uncertain whether this is beyond my knowledge of both firewalls for troubleshooting. The UDP timeout session for both firewalls is set to 30 seconds. How can I resolve these issues without resorting to running the CLI command "vpn tunnelutil 0"? This is crucial as blackouts occur four times a day in our country.
Please, could you kindly help me with these issues?
I would suggest contacting CP TAC to get help!
Dear Albercht,
Thanks for your suggestion bro.
A blackout should not change anything in the VPN configuration on flash-based SMBs, so I think this could rather be some configuration issue.
Exactly bro, because I have another site-to-site VPN from the HQ site to Azure, and that tunnel is stable even when the HQ to Branch site VPN has the up/down issues. So maybe I misconfigured it; I tried to triple-check both firewalls, but it is still not OK.
Is the SMB locally or centrally managed? I would also contact TAC for this, but maybe before you do, upgrade the SMB appliance to the latest firmware, as I'm sure that will be suggested.
Make sure that in SmartConsole, when you go to global properties -> advanced -> configure -> vpn -> ike, "keep IKE SAs" is enabled.
I would also check below
Best,
Andy
Dear The Rock,
It's locally managed and the current version is the latest.
As I understand it, Tunnel Health Monitoring, specifically the 'Tunnel Test' (Checkpoint Proprietary), is employed when both sides of the firewall are Checkpoint. My current design, however, involves a connection from Checkpoint to Palo Alto. Is my understanding correct, and is this why I am utilizing the 'Tunnel Test'?
Should I also contact TAC for this?
I think if you call them and do remote, hope they would be able to help.
Best,
Andy
Yes bro, that is the only way to solve the issues. 😄
Thanks for helping to answer me, bro.