Unstable VPN tunnels
Hi,
We have several sites where we cannot get a decent internet connection. We are using a 4G router for those locations and have put 600- or 700-series appliances behind it. They get a dynamic IP, so we are using a VPN community with certificates for these DAIP gateways.
VPN tunnels get built and everything works, but we notice the lines are unstable. It also seems that when internet is available again, the VPN tunnel refuses to re-establish. It takes some time before something (some counters?) gets reset and the tunnel can be rebuilt. The quickest way the end users know of is rebooting the firewall.
Does anyone have any suggestions for creating more stable VPN tunnels on unstable lines? I don't know if the Permanent Tunnels feature would help here, or is that designed for more stable lines?
Thanks in advance for tips & tricks!
Permanent Tunnels is exactly what you need to do. IKE/IPsec do not have any kind of keepalive mechanism built into them, which is why your tunnels don't seem to come back quickly after a connectivity problem. Dead Peer Detection (DPD) was introduced later to deal with this oversight; Permanent Tunnels is essentially Check Point's version of DPD with a few other enhancements.
CET (Europe) Timezone Course Scheduled for July 1-2
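To make the liveness gap described in the reply above concrete, here is an added simulation (not Check Point code and not the Permanent Tunnels implementation) of a tunnel that survives a link outage with and without an RFC 3706-style Dead Peer Detection loop. The probe interval, miss threshold, outage window and the assumption that the remote side loses its SA when the 4G link drops are all constructed values for the model.

```python
"""Added illustration (not Check Point code) of why a tunnel with no liveness
check stays stuck after an outage, and how a DPD-style probe loop recovers it.
Timer values and the "remote loses its SA on link loss" behaviour are
assumptions chosen to resemble the 4G sites discussed in the thread."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    sa_up: bool = False          # this side believes an IPsec SA exists
    dpd_misses: int = 0          # consecutive unanswered R-U-THERE probes
    log: list = field(default_factory=list)


def simulate(dpd_enabled, outage=(30, 90), duration=150, step=10,
             sa_lifetime=3600, dpd_max_misses=3):
    """Run the tunnel through one link outage (seconds outage[0]..outage[1]).

    Returns (seconds during which traffic actually flowed, local event log).
    One DPD probe is sent per step when DPD is enabled.
    """
    local, remote = Gateway(), Gateway()
    sa_since = None
    working = 0
    for t in range(0, duration, step):
        link_up = not (outage[0] <= t < outage[1])
        if t == outage[0]:
            # Assumption: the remote re-attaches to 4G and loses its SA state.
            remote.sa_up = False

        # Without DPD, only SA lifetime expiry clears a stale SA locally.
        if local.sa_up and t - sa_since >= sa_lifetime:
            local.sa_up = False
            local.log.append((t, "SA lifetime expired, SA deleted"))

        # Traffic trigger: negotiate only if we believe there is no SA.
        if not local.sa_up and link_up:
            local.sa_up = remote.sa_up = True
            sa_since = t
            local.log.append((t, "IKE negotiated, SA up"))

        # DPD: an R-U-THERE is answered only if the link is up and the peer
        # still holds the SA. Too many misses tears the SA down, so the next
        # traffic trigger renegotiates instead of black-holing into a dead SA.
        if dpd_enabled and local.sa_up:
            if link_up and remote.sa_up:
                local.dpd_misses = 0
            else:
                local.dpd_misses += 1
                if local.dpd_misses >= dpd_max_misses:
                    local.sa_up = False
                    local.dpd_misses = 0
                    local.log.append((t, "DPD: peer dead, SA deleted"))

        if link_up and local.sa_up and remote.sa_up:
            working += step
    return working, local.log


if __name__ == "__main__":
    for dpd in (False, True):
        secs, events = simulate(dpd)
        print(f"DPD={dpd}: traffic flowed for {secs}s of 150s; events={events}")
```

Without DPD the local side keeps sending into an SA the remote no longer has, and only the lifetime timer (the "some counters" from the first post) eventually forces a renegotiation; with DPD the stale SA is dropped three probes into the outage and the tunnel comes back as soon as the link does.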
Thanks, we configured Permanent Tunnels now and will evaluate.
Tell us how that went?
Hey, Permanent Tunnels helped stability, but it isn't perfect. I would still recommend it though.
By the way, even with Permanent Tunnels you may run into a situation where the VPN is stuck and needs to be reset. One way to do it is through SmartView Monitor. I personally found the more effective way is the 'vpn tu' command: choose option '7' and give the remote GW IP.
That is correct and that is what we use if we have to fix the issue for the customer. Another way is to reboot the 600/700 appliance at the remote office.
I read this topic and I assume that the tunnel exists between two Check Point firewalls. Is there any chance to enable DPD between Check Point and a 3rd-party device, in my case a Cisco ASA firewall? I found the following sk, but I'm not sure if that helps (part 1/B):
My only solution is to reset the tunnel every single day.
Hi, our issue was between two Check Point firewalls.
Interesting sk though, as I normally don't use DPD in the VPN configuration of the 3rd-party firewall. If only one side uses DPD it could create issues for VPN stability, but if both could use it, then in theory the VPN should be more stable.
Never tried those steps, but maybe someone else on this forum did?
This sk about 3rd-party VPNs also mentions using DPD.
Exactly what is your problem with that 3rd-party firewall? Unstable internet connection?
Actually I have a problem with the VPN tunnel between a Check Point and an ASA firewall. Every single day I have to reset the tunnel because a particular traffic does not work; only after the reset does it work. What I observed is that the Check Point likes supernetting, and I found 'invalid ID information' in the SmartView Tracker logs. Now I have tried to disable supernetting in the user.def file while still using the same encryption domain on both sides. I'll be curious whether this mitigates or solves the issue.
Unfortunately, using DPD changed nothing.
You need to set your tunnel sharing to "Per Host" when peering with a Cisco device. It is the only way it works for me.
I haven't tried it yet, but that will be the next step. Meanwhile I checked the tunnel status again and it seems it is still working, so the user.def modification mitigated the issue. I'll monitor the tunnel for a few days.
The user.def file modification will override the Tunnel Sharing setting for the subnets configured within it, so changing the setting should not be necessary.
--
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30
CET (Europe) Timezone Course Scheduled for July 1-2
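The 'invalid ID information' failure and the user.def fix discussed in the last few posts come down to which Phase 2 traffic selectors (proxy IDs) each side proposes. The following is an added model, not Check Point's code or the ASA's, of how supernetting merges adjacent subnets in the encryption domain and why a peer whose crypto ACL lists the individual subnets then has nothing that matches. The two /24s, the peer ACL and the exact-match rule are constructed assumptions; tunnel sharing modes ("Per Host", "Per Subnet", "Per Gateway") are not modelled.

```python
"""Added model (not Check Point's or Cisco's code) of how supernetting changes
the Phase 2 selectors a gateway proposes and why a strict peer rejects them.
Subnets, the peer's ACL and the exact-match rule are illustrative assumptions."""
from ipaddress import ip_network, collapse_addresses

# Constructed encryption domains (assumed values): two adjacent /24s behind the
# Check Point side, one /24 behind the ASA side.
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24"]
REMOTE_DOMAIN = ["192.168.10.0/24"]

# Hypothetical peer crypto ACL, normalised to (our subnet, peer subnet) pairs,
# i.e. the individual subnets rather than the merged /23.
PEER_ACL = {
    ("10.1.0.0/24", "192.168.10.0/24"),
    ("10.1.1.0/24", "192.168.10.0/24"),
}


def proposed_ids(local, remote, supernetting):
    """Return the sorted (local, remote) selector pairs proposed for the domains.

    With supernetting on, adjacent or overlapping subnets are merged first, so
    10.1.0.0/24 + 10.1.1.0/24 is proposed as a single 10.1.0.0/23; with it off,
    one pair per configured subnet is proposed (the user.def behaviour).
    """
    loc = [ip_network(s) for s in local]
    rem = [ip_network(s) for s in remote]
    if supernetting:
        loc = list(collapse_addresses(loc))
        rem = list(collapse_addresses(rem))
    return sorted((str(l), str(r)) for l in loc for r in rem)


def unmatched(proposals, peer_acl):
    """Proposals with no exactly matching entry in the peer's ACL.

    Under the strict exact-match assumption these are the pairs whose quick
    mode exchange fails with an 'invalid ID information' style error.
    """
    return [p for p in proposals if p not in peer_acl]


if __name__ == "__main__":
    for supernet in (True, False):
        props = proposed_ids(LOCAL_DOMAIN, REMOTE_DOMAIN, supernet)
        print(f"supernetting={supernet}: proposals={props} "
              f"unmatched={unmatched(props, PEER_ACL)}")
```

Run as-is it shows the merged 10.1.0.0/23 pair failing against the ACL while the per-subnet proposals all match, which is the mismatch the poster resolved by disabling supernetting in user.def. Feeding in the real encryption domains and the peer's ACL lines is a quick way to check a third-party tunnel definition before the daily reset becomes the workaround.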
Thank you for the info! Meanwhile I checked the tunnel again and still working. It seems that the encryption domain mismatch was the main issue in my case.
