Hi all,
I have a Check Point Gaia 80.20 that is connecting to an AWS site-to-site VPN.
Based on the guidance for AWS site-to-site VPN, I have created two tunnel interfaces in my Check Point to the AWS VPC and created the BGP configuration, etc. I also set up IKE and IPsec, NAT-T, permanent tunnel, and also the firewall configuration. Then the connection was successfully established. At that time I didn't use DPD, I used the default mode which was Tunnel Test.
My concern is that I am using a network monitoring system that uses SNMP for the inbound and outbound traffic of the two tunnel interfaces, which is normal and has no issues. I am also leveraging QoS for those two tunnel interfaces in order to limit the traffic. But the issue is the connection on the AWS side, which is intermittently up and down. Because of that I decided to use DPD mode for tunnel management, and then the connection to AWS became great. After a few days, I realized the traffic of the two tunnel interfaces was not being monitored well. In actuality the traffic is operating at about tens of Mbps, but the monitoring system was detecting it operating at only some bps. I am sure there is no problem in my monitoring system. Therefore the QoS that I was using also did not work well.
Is there any issue if I use DPD such that the tunnel interface traffic does not match the real traffic? Because after I use DPD rather than Tunnel Test, the tunnel interface traffic becomes an issue.
DPD is actually what we recommend with third party (non-CHKP) peers.
However, R80.20 is an End of Support release and we've improved DPD support in the R81.x train.
Hi, thanks for the reply.
What about the outgoing traffic on that interface, which does not correspond to reality when we attempt to withdraw data through the VPN tunnel interface? It just shows bps instead of Mbps.
To note per the SK, QOS is not supported when using a route based VPN which is what you are doing with AWS.
Solution ID: sk36157
QOS is not applied to interfaces when Route Based VPN is configured.
You definitely want to use DPD. But, as @JoSec said, QoS won't work due to a limitation with route based VPN.
Andy
Hi All, thanks for your replies.
The most concerning thing for me is that the traffic of the two tunnel interfaces didn't work as expected after I started using DPD, because the incoming and outgoing traffic on that interface does not correspond to reality when we attempt to withdraw data through that interface. It just shows bps instead of Mbps. However, previously, when using the tunnel test, everything ran as expected. But also this is probably not affected by DPD mode that I used and other configuration which is affected. I have attached a screenshot of the VPN tunnel interface, which is always showing near 0 Mbps. Thank you
Best to consult with TAC on this, but I feel like this might be expected behavior.
https://help.checkpoint.com