Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
pyiephyohtay
Contributor

Site to Site VPN frequently UP and DOWN issues

Dear Members,

Currently, I have a Site-to-Site VPN connecting the HQ site, which utilizes a Checkpoint Quantum Spark 1550 appliance, to the Branch site,which employs a Palo Alto 220. Phase 1 lifetime set 8 hour in both and Phase 2 lifetime set 1 hour in both firewalls.

The tunnel is up and running, but during a recent blackout at the HQ site that lasted for an hour, the VPN tunnel went down. Once power was restored, the VPN tunnel reestablished itself. However, a new problem emerged - after a few minutes, the tunnel began going down and up frequently.

To address this issue, I attempted to clean both Phase 1 and Phase 2 from the HQ site (using Checkpoint) by using the CLI command "vpn tunnelutil 0." After executing this command, the tunnel remained stable for the entire day.

I am uncertain whether this is beyond my knowledge of both firewalls for troubleshooting. The UDP timeout session for both firewalls is set to 30 seconds. How can I resolve these issues without resorting to running the CLI command "vpn tunnelutil 0"? This is crucial as blackouts occur four times a day in our country.

Please, could you kindly help me with these issues?

Screenshot 2023-12-22 152621.png

Screenshot 2023-12-22 154632.png

  

0 Kudos
8 Replies
G_W_Albrecht
Legend Legend
Legend

I would suggest to contact CP TAC to get help !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
pyiephyohtay
Contributor

Dear Albercht,

Thanks for your suggestion bro.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

A blackout should not change anything in VPN configuration on flash-based SMBs so i think this could rather be some configuration issue.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
pyiephyohtay
Contributor

Exactly bro, Coz i have another site to site VPN from HQ site to Azure tunnel is stable, even when the HQ to Branch site VPN happen up down issues, So, Maybe i was mis configuration for that then i tried to triple check the both firewall but still not ok.

0 Kudos
the_rock
Legend
Legend

Is SMB locally or centrally managed? I would also contact TAC for this, but maybe before you do, upgrade SMB appliance to the latest firmware, as Im sure that will be siggested.

Make sure in smart console, when you go to blobal properties -> advanced -> configure -> vpn -> ike, keep ike SAs is enabled

I would also check below

 

Screenshot_1.png

 

Best,

Andy

0 Kudos
pyiephyohtay
Contributor

Dear The Rock,

It's locally managed and current version is latest.

As I understand it, Tunnel Health Monitoring, specifically the 'Tunnel Test' (Checkpoint Proprietary), is employed when both sides of the firewall are Checkpoint. My current design, however, involves a connection from Checkpoint to Palo Alto. Is my understanding correct, and is this why I am utilizing the 'Tunnel Test'?

Should i also contact TCA for this?

Screenshot 2023-12-26 205349.png

Screenshot 2023-12-26 205223.png

0 Kudos
the_rock
Legend
Legend

I think if you call them and do remote, hope they would be able to help.

Best,

Andy

pyiephyohtay
Contributor

Yes bro that is the only way to solve for the issues.😄

Thanks for the help me to answer bro.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events