Hi all,
I'm facing a weird issue with an AWS cluster VPN to third-party gateways.
At random times, even after 2 or 3 days, the tunnel gets stuck and a reset is needed.
From the capture I see that traffic is correctly encapsulated/decapsulated.
The cluster has an external private IP, of course.
Now I'm going to describe the difference between working and non-working tunnels:
WORKING TUNNEL
- tcpdump shows packets sent/received on port 4500
- fw monitor correctly shows BGP sent/received and echo request/reply received
NOT WORKING TUNNEL
- tcpdump shows that the Check Point peer sends packets on 4500, and the remote peer answers with ESP packets (not encapsulated)
- fw monitor does not show a reply when pinging the PtP (it doesn't work), and BGP traffic is sent with id=0:
[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (TCP) len=52 id=0
TCP: 179 -> 60813 .S..A. seq=c8049c10 ack=7a7186a1
On working tunnels id=XXX is incremental.
So, the strange part is that the VPN seems to be good (Phase 1/2 UP and traffic is encrypted/decrypted), but BGP is down and I cannot ping the remote VTI.
vpn tu del fixes the issue.
Environment is R81.20 T98.
Action taken:
Enabled offer_nat_t_initator, enabled DPD responder.
Any idea?
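The two checks the post does by hand (tcpdump for NAT-T versus raw ESP per peer, fw monitor for id=0 packets on a VTI) can be scripted over the saved text output. The script below is an added example, not code from the original post or from Check Point. It assumes tcpdump -nn's text rendering of IPsec packets ("UDP-encap: ESP(...)" on port 4500 for NAT-T, bare "ESP(...)" with no port for raw ESP) and the fw monitor line layout shown in the post; the sample lines embedded in it are constructed to mirror the symptom, with addresses from documentation ranges.

```python
"""Flag NAT-T / raw-ESP asymmetry in tcpdump output and id=0 packets in fw monitor output.

Added example (not from the original post). Sample lines are constructed;
the one "broken" peer answers NAT-T with unencapsulated ESP, as in the post.
"""
import re
from collections import defaultdict

# tcpdump -nn output for IPsec: NAT-T packets read "UDP-encap: ESP(...)" with
# port 4500 on both sides; raw ESP (IP protocol 50) has no port and reads "ESP(...)".
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: "
    r"(?P<kind>UDP-encap: ESP|ESP)\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)"
)

# fw monitor line as shown in the post: [vs][fw] iface:dir[pos]: src -> dst (proto) len=N id=N
FWMON_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\] (?P<iface>\S+):(?P<dir>[iIoO])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\w+)"
)

LOCAL = "203.0.113.10"  # assumed: the cluster's external address (documentation range)

# Constructed tcpdump sample: one healthy NAT-T peer, one peer answering with raw ESP, one noise line.
TCPDUMP_SAMPLE = [
    "10:00:00.000100 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1f), length 132",
    "10:00:00.000900 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x4e5f6a7b,seq=0x1f), length 132",
    "10:00:01.000100 IP 203.0.113.10.4500 > 198.51.100.30.4500: UDP-encap: ESP(spi=0x11223344,seq=0x20), length 132",
    "10:00:01.000900 IP 198.51.100.30 > 203.0.113.10: ESP(spi=0x55667788,seq=0x20), length 116",
    "10:00:02.000000 IP 203.0.113.10.22 > 192.0.2.5.51000: Flags [P.], seq 1:2, ack 1, length 1",
]

# Constructed fw monitor sample: the id=0 line from the post next to a healthy VTI.
FWMON_SAMPLE = [
    "[vs_0][fw_2] vpnt29:O[44]: 192.168.14.1 -> 192.168.14.2 (TCP) len=52 id=0",
    "[vs_0][fw_2] vpnt12:O[44]: 192.168.12.1 -> 192.168.12.2 (TCP) len=52 id=3187",
]


def encapsulation(match):
    """'natt' for UDP-encapsulated ESP on 4500/4500, 'esp' for raw ESP, else 'other'."""
    if match["kind"].startswith("UDP-encap") and match["sport"] == "4500" and match["dport"] == "4500":
        return "natt"
    if match["kind"] == "ESP" and match["sport"] is None and match["dport"] is None:
        return "esp"
    return "other"


def tunnel_encapsulations(lines, local_ip):
    """Map each remote peer to the encapsulations seen outbound ('out') and inbound ('in')."""
    seen = defaultdict(lambda: {"out": set(), "in": set()})
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # not an ESP packet (IKE, cleartext, etc.)
        enc = encapsulation(m)
        if m["src"] == local_ip:
            seen[m["dst"]]["out"].add(enc)
        elif m["dst"] == local_ip:
            seen[m["src"]]["in"].add(enc)
    return dict(seen)


def asymmetric_peers(lines, local_ip):
    """Peers whose inbound encapsulation differs from what we send them (the post's broken case)."""
    return [
        peer
        for peer, dirs in sorted(tunnel_encapsulations(lines, local_ip).items())
        if dirs["out"] and dirs["in"] and dirs["out"] != dirs["in"]
    ]


def zero_id_packets(lines, iface=None):
    """fw monitor lines carrying IP id=0, optionally restricted to one VTI interface."""
    hits = []
    for line in lines:
        m = FWMON_RE.match(line)
        if m and m["id"] == "0" and (iface is None or m["iface"] == iface):
            hits.append(f'{m["iface"]}:{m["dir"]} {m["src"]} -> {m["dst"]} ({m["proto"]})')
    return hits


if __name__ == "__main__":
    encs = tunnel_encapsulations(TCPDUMP_SAMPLE, LOCAL)
    for peer in asymmetric_peers(TCPDUMP_SAMPLE, LOCAL):
        print(f"{peer}: encapsulation mismatch out={encs[peer]['out']} in={encs[peer]['in']}")
    for hit in zero_id_packets(FWMON_SAMPLE):
        print("id=0 packet:", hit)
```

To use it on a real capture, replace the constructed lists with the text of `tcpdump -nni <ext_if> udp port 4500 or esp` and of `fw monitor -e 'accept;'` and set LOCAL to the cluster's external address; a peer listed by asymmetric_peers is one where the two sides disagree on NAT-T, which matches the broken tunnel in the post.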