AWS VPN Site to Site Traffic Issues
Hi all,
I have a Check Point Gaia R80.20 gateway that is connecting to an AWS Site-to-Site VPN.
Following the AWS Site-to-Site VPN guidance, I created two tunnel interfaces on my Check Point to the AWS VPC and configured BGP, etc. I also set up IKE and IPsec, NAT-T, permanent tunnels, and the firewall configuration. The connection was then established successfully. At that time I didn't use DPD; I used the default mode, which was Tunnel Test.
My concern is this: I am using a network monitoring system that uses SNMP to monitor the inbound and outbound traffic of the two tunnel interfaces, which was normal with no issues. I am also using QoS on those two tunnel interfaces in order to limit the traffic. But the problem was that the connection on the AWS side was intermittently going up and down. Because of that I decided to use DPD mode for tunnel management, and then the connection to AWS became great. After a few days, I realized that the traffic on the two tunnel interfaces was not being monitored correctly. In reality the traffic is running at about tens of Mbps, but the monitoring system was showing it as only running at a few bps. I am sure there is no problem with my monitoring system. Therefore the QoS that I was using also did not work well.
Is there any issue with using DPD such that the tunnel interface traffic does not match the real traffic? Because after I switched from Tunnel Test to DPD, the tunnel interface traffic became an issue.
Labels: Gaia, Site to Site VPN
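An independent check of the tunnel counters, added here as an example (it is not code from the thread or from Check Point): poll the IF-MIB octet counters of the two VTIs twice, for instance with `snmpwalk -v2c -c <community> <gateway> IF-MIB::ifHCOutOctets`, which is how a poller collects them, then compute the rate yourself from both the 32-bit and the 64-bit counters, handling counter wrap. If the rate derived from the HC counters matches what you see on the wire while the NMS graph does not, the discrepancy is in the poller's counter handling rather than in the tunnel. The interface names `vpnt1`/`vpnt2` and every counter value below are constructed for the example.

```python
"""Independent throughput check for VTI interfaces from two SNMP polls.

Added example, not code from the CheckMates thread or from Check Point.
Assumes the two AWS tunnel interfaces appear in IF-MIB with ifDescr values
'vpnt1' and 'vpnt2' (hypothetical names) and that each poll captured both the
32-bit ifOutOctets (1.3.6.1.2.1.2.2.1.16) and the 64-bit ifHCOutOctets
(1.3.6.1.2.1.31.1.1.1.10) columns. All counter values are constructed.
"""

POLL_INTERVAL_S = 300  # 5-minute polling interval, a common NMS default

# Constructed poll snapshots: ifDescr -> (ifOutOctets, ifHCOutOctets).
# vpnt1: 10 Mbit/s steady; the 32-bit counter does not wrap in the interval.
# vpnt2: 10 Mbit/s steady; the 32-bit counter wraps between the two polls.
POLL_1 = {
    "vpnt1": (1_410_065_408, 10_000_000_000),
    "vpnt2": (4_210_065_408, 12_800_000_000),
}
POLL_2 = {
    "vpnt1": (1_785_065_408, 10_375_000_000),
    "vpnt2": (290_098_112, 13_175_000_000),
}


def naive_delta(old: int, new: int) -> int:
    """Plain subtraction, as a wrap-unaware poller would do (can go negative)."""
    return new - old


def counter_delta(old: int, new: int, width_bits: int) -> int:
    """Delta of an SNMP Counter32/Counter64, correct across a single wrap."""
    return (new - old) % (1 << width_bits)


def bits_per_second(octet_delta: int, seconds: int) -> float:
    """Convert an octet delta over a poll interval to bit/s."""
    return octet_delta * 8 / seconds


def throughput(poll_a: dict, poll_b: dict, interval_s: int) -> dict:
    """Per-interface out rate from the 64-bit counter, the wrap-aware 32-bit
    counter, and a naive 32-bit computation that clamps negatives to zero
    (which is what a graph showing 'near 0 bps' after a wrap looks like)."""
    result = {}
    for ifname, (out32_a, out64_a) in poll_a.items():
        out32_b, out64_b = poll_b[ifname]
        result[ifname] = {
            "bps_hc64": bits_per_second(counter_delta(out64_a, out64_b, 64), interval_s),
            "bps_c32": bits_per_second(counter_delta(out32_a, out32_b, 32), interval_s),
            "bps_c32_naive": bits_per_second(max(naive_delta(out32_a, out32_b), 0), interval_s),
        }
    return result


def consistent(rates: dict, tolerance: float = 0.01) -> bool:
    """True when the wrap-aware 32-bit and 64-bit rates agree on every interface."""
    return all(
        abs(r["bps_hc64"] - r["bps_c32"]) <= tolerance * r["bps_hc64"]
        for r in rates.values()
    )


if __name__ == "__main__":
    rates = throughput(POLL_1, POLL_2, POLL_INTERVAL_S)
    for ifname, r in rates.items():
        print(f"{ifname}: HC64 {r['bps_hc64']/1e6:.1f} Mbit/s, "
              f"C32 {r['bps_c32']/1e6:.1f} Mbit/s, "
              f"naive C32 {r['bps_c32_naive']/1e6:.1f} Mbit/s")
    print("32/64-bit counters consistent:", consistent(rates))
```

Run against two real polls taken a known interval apart. A graph that tracks the "naive C32" column while the HC64 column shows the expected tens of Mbit/s points at the poller's counter handling, not at DPD or the tunnel; if even the HC64 rate is near zero, the gateway itself is not accounting the traffic on that interface and TAC is the right next step.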
DPD is actually what we recommend with third party (non-CHKP) peers.
However, R80.20 is an End of Support release and we've improved DPD support in the R81.x train.
Hi, thanks for the reply.
What about the outgoing traffic on that interface not corresponding to reality when we attempt to pull data through the VPN tunnel interface? It just shows bps instead of Mbps.
To note, per the SK, QoS is not supported when using a route-based VPN, which is what you are doing with AWS.
Solution ID: sk36157
QoS is not applied to interfaces when Route Based VPN is configured.
You definitely want to use DPD. But, as @JoSec said, QoS won't work due to a limitation with route-based VPN.
Andy
Hi all, thanks for your replies.
The most concerning thing for me is that the traffic on the two tunnel interfaces didn't work as expected after I started using DPD, because the incoming and outgoing traffic on those interfaces does not correspond to reality when we attempt to pull data through them. It just shows bps instead of Mbps. However, previously, when using Tunnel Test, everything ran as expected. But perhaps this is not affected by the DPD mode I used, and some other configuration is affecting it. I have attached a screenshot of the VPN tunnel interface, which always shows near 0 Mbps. Thank you.
Best to consult with TAC on this, but I feel like this might be expected behavior.
https://help.checkpoint.com