I was using 86.50 and just upgraded to 86.80 with the same issue. Interesting enough, I reinitialized the internal certificate and it works for 3 mins then fails again. If I disable and reenable the the VPN blade, it works then fails 3 mins later

One of my customers had same issue 2 years ago and this is what TAC recommended to fix it and worked fine. IF you do this, MAKE SURE to back up everything (mgmt, gateways), just in case.

Process:

1. Open Guidbedit to network_objects -> Gateway_Object -> VPN -> isakmp.authmethods
 - Change "signatures" to "pre-shared".
 - Save and exit Guidbedit.

2. Open Guidbedit to network_objects -> Gateway_Object -> find certificates section
 - Find defaultCert then right click and delete the cert, and save changes and close 

3. Check to see if default cert is gone in SmartConsole - gateway object - IPsec VPN
 - Create a new cert
 - Install policy

4. Open Guidbedit to network_objects -> Gateway_Object -> VPN -> isakmp.authmethods
 - Change "pre-shared" to "signatures"
 - Save and exit Guidbedit.
 - Install policy

5. Test VPN connection

For context is the appliance locally or centrally managed?

Managed Locally

Nm then, process I gave wont apply, as guidbedit would not even come into place, since management part does not even exists. Personally, I would get on the phone and work with TAC, it sounds like a pretty serious issue that needs a remote session.

Ok Contacting TAC requires a subscription or contract support of some kind ?

Correct, the same contract provides entitlements to software downloads / version upgrades.

Thats right...without it, they cant even open the case in the first place. Do you have a partner that you deal with that can open a case for you or no?

I just called my partner and they will send me info to get added to their account to open TAC. In the meantime. I'm resetting factory and going to test where it messes up and post my results here as well as contacting TAC 

Thats a very good idea. Im sure if you factory reset an appliance, it will most likely work. I did some research for you before, but could not find much sadly on the issue you had. Since I dont have embedded gaia appliance to test anything myself, it would be very hard to say for sure why the issue happened in the first place.

In case you had not started reset yet, would you mind send us the screenshot of vpn certs showing in the GUI?

Andy

Reset already done 😕 I do have a backup of the device though

After resetting, I've had no issues and the clients can connect way after 3 mins. 

It worth noting that I followed the link that phoneboy left in the issue I was having last Saturday which foxed that issue.

https://community.checkpoint.com/t5/SMB-Gateways-Spark/Odd-behavior-using-pppoe-on-Fibre/m-p/170349#...

Other than that, nothing really fancy as setup wise on my end . Simple 3 vlan setup, 5 users for vpn and 2 site to site links

Spoke to soon , it just failed again 

Can you attach a backup, I can check tomorrow. By the way, sorry for my ignorance, Im not overly familiar with these embedded gaia appliances, but if you go to remote access vpn section, does it give a list of the vpn certs there?

Good deal. Well, everyone knows phoneboy is right 99.999% of the time...only time I recall he was wrong was when he said that jumbo hotfixes are included in fw backup, other than that, cant ever remember him being wrong : -)

here is the capture of the vpn cert

Question...can you make sure users actually see the fingerprint when they connect to the site that matches one from the screenshot? Well, technically, they should ONLY see it the first time when creating a site before connecting.

I have a laptop beside me and I can confirm the thumbprint is correct

The fix works, but only temporary. I'm about to go back to version R80.20.15 (992001653) which is the factory defaults. 

Hoping to have access to TAC soon. 

Since your device is locally managed, you might see if an fw_configload (from expert mode) also resolves the problem temporarily.
This is similar to what @Dale_Lobb is doing by pushing the policy from central management.

I would wait before applying the R81 update to the device. I just reverted back to R80.20.50 and connected to PPPOE and everything is working flawlessly. Have a look at the link I posted above about an issue that Ponyboy help me resolve for this week. Reverting back seems to have resolved my issue with my VPN client for now. 

Your device is a 1550 and my older device is a 1530 and I never had that issue with VPN or my site to site. I don't have it setup in a cluster either. I will keep updates to this post should I have a desire to pursue R81

Thats interesting, because Im sure if this was a known issue in R81 version, everyone who upgraded would have had this problem. Let us know what TAC says if you end up opening a case about it.

I didn't upgrade a configured checkpoint though. I started from scratch. The upgrade was done as soon as I was done the first configure stage. Who knows, but this week I wasn't impressed with it 

Its is fairly new, lets hope all the bugs with it are fixed soon, we shall see : - )

Went to bed last night feeling like a guinea pig. I troubleshot that issue all week thinking it was  a Mac issue. Its not always the best to upgrade right away. 

As of this morning, users are coming in with no browsing issues, and all connecting with the VPN client.

I also received my link to activate my account for TAC access and I get an error from their website site that they can't process my request. Click here to activate your account. Then it just loops with e-mails.

/facepalm

Just to make sure we got all the facts straight, as they say : - ). So, currently firmware is R80.20.50 and users connect to the site fine and stay connected, no issues?

Andy