This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Sentinela
Contributor
‎2022-05-23 05:15 AM

VPN Site-To-Site

My client have a site-to-site checkpoint with checkpoint. This permanent tunnel presents the following behavior: 

 

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:45:21 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:44:46 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:35:19 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:34:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 5:09:53 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 5:09:16 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:59:36 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:59:01 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:49:31 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:48:56 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:39:18 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:38:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:34:16 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:33:41 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:13:53 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:13:20 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:03:44 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:03:06 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 3:53:35 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 3:53:00 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 3:38:21 PM
TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 3:37:45 PM

This behavior extends for a period of 30 days that the maximum I can follow with the logs I have. Does anyone understand this as normal behavior or is it some sort of problem? My client doesn't have any problems stopping it from actually working. But at certain times of the day he faces a certain instability. Has anyone seen any similar behavior?

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-05-23 06:37 AM

Which CP version and Jumbo is running on both sides ? What does the logs from the peer tell you ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Sentinela
Contributor
‎2022-05-23 10:33 AM
In response to G_W_Albrecht

checkmates - 0- .png

The message is this:

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to DOWN - Today, 4:59:36 PM

TUNNEL STATUS CHANGE: Peer gateway *** has changed status to UP - Today, 4:59:01 PM

And these messages go on for all the days that I monitored (30 days) and they happen in that short amount of time. A few seconds the tunnel goes from down to up and down again.

I would like to understand if a permanet tunnel should have this type of behavior, even with a certain oscillation in the VPN, the real scenario is not as pointed out in the logs.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-23 10:43 PM
In response to Pedro_Sentinela

Customer has SMB appliance running Embedded GAiA - for these kind of devices, such an issue has been encountered before. I would suggest to upgrade to fw1_vx_dep_R80_20_40_992002665 first: sk176145: R80.20.40 for Quantum Spark Appliances

The SKs are very old, sk107735: VPN Tunnel status changes to DOWN/UP randomly on 1100 gatewaysk100316: VPN Tunnel status is 'Down' in Locally Managed 600/1100 appliance's GUI even though the VP..., but you can have a look. This is not an expected behaviour, so you should contact TAC to get it resolved. Please check what exactly is monitored for the VPN status.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events