This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Collaborator
3 weeks ago

VPN issue during WAN failover on Quantum Spark (R81.10.17)

Hi community,

I’d like to ask if anyone has experienced this behavior or if there’s any documentation or workaround available for this scenario.

We currently have a Quantum Spark appliance (R81.10.17) with two Internet links configured in redundant mode. The issue occurs when a failover happens:

  • When one of the links is disconnected, the other correctly takes over general traffic, but the site-to-site VPN tunnel drops and does not automatically reconnect.

  • We confirmed this using the vpn tu command, where the tunnel goes down exactly when the link switches, and it won’t reconnect unless we manually reboot the appliance.

  • Additionally, even when restoring the second link, the VPN tunnel does not come back up automatically — it remains down until a manual reboot is performed.

Actions we’ve tried so far:

  • Updated the appliance to R81.10.17.

  • Adjusted Load Balancing percentages (tested with 50/50 and 60/40) — same behavior.

  • Renewed the VPN certificate (valid for 1 year) — no improvement.

  • Verified both public IP addresses for the Internet links, since the gateway object was created with Dynamic IP (DAIP) in SmartConsole.

Questions:

  • Is there any additional configuration required to force the VPN to automatically reconnect after a WAN failover or when both links are restored?

  • Is there a script, workaround, or recommended procedure to restart the VPN tunnels (or VPN services) automatically upon detecting the link change, avoiding a full appliance reboot?

Any experience, advice, or documentation you could share would be greatly appreciated.

Thanks in advance!

0 Kudos
10 Replies
TJ_Aus
Contributor
3 weeks ago

Do you have monitoring setup on the interface? We had a similar issue and setup monitoring (ping the upstream DNS servers) and that sorted our issue
monitoring.JPG

0 Kudos
jennyado
Collaborator
3 weeks ago
In response to TJ_Aus

Yes, we do have monitoring configured on both WAN interfaces.  The issue is that when one link goes down, although general traffic switches correctly to the remaining link, the VPN tunnel drops and doesn't re-establish automatically on the surviving link — unless we  reboot the appliance.

Same when both links are back — the tunnel won’t restore on its own.

0 Kudos
the_rock
Legend
Legend
3 weeks ago

Make sure these are ebanled.

VPN community has "Keep VPN tunnel open" enabled

DPD is enabled under Advanced Settings > Tunnel Management.

Andy

jennyado
Collaborator
3 weeks ago
In response to the_rock

I guess you mean that enabling "Keep VPN tunnel open" is the same as setting Set Permanent Tunnels?

 

Captura de pantalla 2025-06-20 093604.png

I looked for the DPD setting under Advanced Settings > Tunnel Management in SmartConsole R81.20, but it’s not there.

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to jennyado

If its set to permanent tunnel option, which it is, thats fine then.

Andy

0 Kudos
the_rock
Legend
Legend
3 weeks ago

Question...so when this happens, are there any logs/indication as to why tunnel is down? Does it even show phase 1 or even that does not come up?

Andy

0 Kudos
jennyado
Collaborator
3 weeks ago
In response to the_rock

I looked for logs during the test schedule, but only VPN Routing logs appeared.
It was noticed that sometimes the tunnel would appear like this:

Captura de pantalla 2025-06-20 104135.png

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to jennyado

What about any of below commands? Just replace ip-addr with the right IP address.

Andy

vpn tu list
Usage:
vpn tu list ike
vpn tu list ipsec
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
vpn tu list tunnels
vpn tu tlist
vpn tu mstats
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del ipsec ip-addr from ip-addr to ip-addr
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
vpn tu del ip-addr from ip-addr to ip-addr
vpn tu conn

jennyado
Collaborator
3 weeks ago
In response to the_rock

Currently, the VPN tunnel is up and working fine. When I run the commands you shared, everything looks normal.

The issue happens when there’s a failure on one of the WAN links. Specifically, when the primary link —which has the active VPN tunnel— goes down and all traffic switches to the secondary link. At that point, the VPN tunnel does not reconnect automatically.

As far as I understand, with our current configuration, it should automatically re-establish the tunnel, right? At the moment, we’re not experiencing the issue because the primary link is stable, but I’m checking to see if there’s any missing configuration or if it’s something we should escalate to TAC.

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to jennyado

Thats very logical approach to me. Hey, if you are allowed to do remote, I would be happy to check as well.

Let me know.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events