Re: VPN Site-To-Site

Pedro_Sentinela · ‎2022-05-23

My client have a site-to-site checkpoint with checkpoint. This permanent tunnel presents the following behavior:

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:45:21 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:44:46 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:35:19 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:34:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:09:53 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:09:16 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:59:36 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:59:01 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:49:31 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:48:56 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:39:18 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:38:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:34:16 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:33:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:13:53 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:13:20 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:03:44 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:03:06 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 3:53:35 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 3:53:00 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 3:38:21 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 3:37:45 PM

This behavior extends for a period of 30 days that the maximum I can follow with the logs I have. Does anyone understand this as normal behavior or is it some sort of problem? My client doesn't have any problems stopping it from actually working. But at certain times of the day he faces a certain instability. Has anyone seen any similar behavior?

G_W_Albrecht · ‎2022-05-23

Which CP version and Jumbo is running on both sides ? What does the logs from the peer tell you ?

CCSE CCTE SMB Specialist

Pedro_Sentinela · ‎2022-05-23

The message is this:

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:59:36 PM

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:59:01 PM

And these messages go on for all the days that I monitored (30 days) and they happen in that short amount of time. A few seconds the tunnel goes from down to up and down again.

I would like to understand if a permanet tunnel should have this type of behavior, even with a certain oscillation in the VPN, the real scenario is not as pointed out in the logs.

G_W_Albrecht · ‎2022-05-23

Customer has SMB appliance running Embedded GAiA - for these kind of devices, such an issue has been encountered before. I would suggest to upgrade to fw1_vx_dep_R80_20_40_992002665 first: sk176145: R80.20.40 for Quantum Spark Appliances

The SKs are very old, sk107735: VPN Tunnel status changes to DOWN/UP randomly on 1100 gateway, sk100316: VPN Tunnel status is 'Down' in Locally Managed 600/1100 appliance's GUI even though the VP..., but you can have a look. This is not an expected behaviour, so you should contact TAC to get it resolved. Please check what exactly is monitored for the VPN status.

CCSE CCTE SMB Specialist

VPN Site-To-Site

VPN traffic getting blocked

1450 Firmware higher, that R77.20.87

Fix for Possible CPU Instability in 1600/1800 Quan...

cloud_update_gw_stats.xml takes on tmp folder up ...

Implied Rules SMB

Are you a member of CheckMates?