Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Hsanity
Contributor
Jump to solution

Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hi,
We have been experiencing an unstable VPN connection at one of our sites. VPN tunnels randomly go down. Looking at the log in the web portal shows "Peer closed connection" and "The peer is no longer responding" between the gateways. We can also see logs like "Informational Exchange Received Delete IPSEC-SA from Peer" coming from the remote gateway. Following is an example of one of the events:

Eventlog_VPN_tunnel_drop_and_restablishment.png

Looking at ike.elg log file indicates towards lots of INVALID-COOKIE before and after phase 1 and phase 2 ike negotiation.

INVALID-COOKIE.png

Troubleshooting steps taken:
1. Cross-checked VPN site settings on both ends
2. Delete and recreate VPN sites on both ends
3. Increased WAN bandwidth from ISP


SMB gateway: 1450 Appliance | Version: R77.20.75 (990172321)

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Before spending too much time troubleshooting this, I recommend upgrading to the latest firmware.
The most recent can be obtained from here: https://support.checkpoint.com/results/sk/sk153433 

View solution in original post

18 Replies
PhoneBoy
Admin
Admin

Before spending too much time troubleshooting this, I recommend upgrading to the latest firmware.
The most recent can be obtained from here: https://support.checkpoint.com/results/sk/sk153433 

the_rock
Legend
Legend

Make sure "keep ike SAs" in global properties is enabled.

Hsanity
Contributor

We are running our gateways with local management. Is it possible to check and enable "keep ike SAs" without a management server?

0 Kudos
G_W_Albrecht
Legend
Legend

Best next steps:

- upgrade to latest firmware

- if the issue persists contact TAC

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend

Not that I know of...I believe that option is only available as per below (from smart console):

Screenshot_1.png

Hsanity
Contributor

Thank you. For local management, I found it under Device > Advanced Settings > VPN Site to Site global settings - Keep IKE SA Keys.

the_rock
Legend
Legend

Good stuff, learned something new today. So any way to tell if it helps or it may take some time?

Hsanity
Contributor

We are trying with keeping the IKE SAs and observing the tunnel for the next several hours. Finger crossed.

0 Kudos
the_rock
Legend
Legend

Honestly, even if that works, I would still upgrade to latest version available. It never hurts to do that with these SMB appliances, it can only help. 

Chris_Atkinson
Employee Employee
Employee

Are you planning to upgrade to R77.20.87 JHF ?

CCSM R77/R80/ELITE
Hsanity
Contributor

Unfortunately, my user account does not have enough privileges to download the hotfix that @PhoneBoy suggested. Logged a separate support on this. Awaiting response.

0 Kudos
PhoneBoy
Admin
Admin

Yes, because your account must be associated with a support agreement.
This is required to download most things from UserCenter.

0 Kudos
the_rock
Legend
Legend

Hey @Hsanity ...any luck with changes made?

Andy

0 Kudos
Hsanity
Contributor

There were still tunnel drops after switching to keep ike SAs. But After upgrading to the latest JHF | fw1_sx_dep_R77_990173120_20.img, haven't had a single tunnel drop in the last 12 hours. This looks promising! But I must say, We have about fifteen other 1450 firewalls that have VPN tunnels to the same central site and this is the only gateway causing issues without the JHF. Thanks so much for the file @the_rock.

G_W_Albrecht
Legend
Legend

As i wrote above: Afaik and refering to sk142355, your issue has nothing to do with Keep IKE SAs...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee

They all need upgrading in that case as R77.20.75 has been End-of-support for almost 3-years already.

Refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend

Glad it helped you.

0 Kudos
G_W_Albrecht
Legend
Legend

Why ? See explanation in sk142355: Enabling this parameter changes the behavior so that the Security Gateway keeps all Phase 1 and Phase 2 keys after a policy installation to work around interoperability issues with 3rd party VPN peers.

I do not see any issue after policy installation mentioned here...

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events