Matlu
Advisor

Constant S2S IPsec VPN outages

Hello, everyone.

I currently have several S2S VPNs created, some inherited from the previous administrator, and many others newly created.

We have a concern: many of these VPNs, old and new, tend to have the "recurring detail" that every so often the VPN crashes.

I have the impression that this is due to the lack of traffic on the VPN itself.
Is this normal behavior in Checkpoint?
Is there a way to "keep the tunnel up all the time"?

In addition to this, a general query regarding Checkpoint's VPNs. Parameters such as NAT-T and DPD in CP Firewalls are disabled by default, correct?
If either of these 2 parameters is enabled, does it affect ALL VPNs that have been created?

Greetings.

7 Replies
PhoneBoy
Admin

Unless you've enabled Permanent Tunnels, this is expected behavior.
We use both a Tunnel Test (CP proprietary) and DPD, depending on the configuration.
I believe DPD is default for NEW installs of R81 and above and can be configured per-peer.
See: https://support.checkpoint.com/results/sk/sk108600#Scenario%204 and the doc I linked earlier.
NAT-T is a global (per gateway) setting per: https://support.checkpoint.com/results/sk/sk32664 

Matlu
Advisor

Hello,

If my Checkpoint does not have the DPD enabled for a VPN, but the remote peer does have this parameter active, can this be the reason for the constant "intermittency" in the VPN?

Greetings.

PhoneBoy
Admin

Any difference in setting between the two ends can cause this, including DPD settings.

Matlu
Advisor

A question,

What is the most "Feasible" alternative to validate if the VPN tunnels are up or down?

Is SmartView Monitor a viable option?

Or is the CLI the best option to validate this?

I seem to have read at some point about a SCRIPT that would inform you of the status of the tunnels.

Is this real?
Timothy_Hall
Legend

Set Permanent Tunnels on the VPN Community (depending on your code version you may need to switch it to DPD mode for non-Check Point VPN peers) and then set mail/SNMP alerts to fire if the tunnel falls down but can't get back up.  This page is from my Max Power book:

[image: vpn_alerts.png]

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
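As an added example (not code from the thread, from Check Point, or from the Max Power book), here is the kind of "script that tells you the tunnel status" asked about above, built on the gateway CLI. It relies on the Expert-mode command `vpn tu tlist`, which lists the IKE/IPsec SAs per peer; the peer list file and the sample `vpn tu tlist` output used by `demo()` are constructed for illustration and only approximate the real output format (the `Peer: <ip> ...` header lines), so check the header format on your own gateway version before trusting it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: check that
# every expected S2S peer has an active tunnel, using the output of the
# gateway command "vpn tu tlist" (Expert mode).
# The sample output written by demo() is CONSTRUCTED to approximate that
# command's "Peer: <ip> ..." header lines; verify against your gateway.

# Print the unique peer IPs that currently have SAs, one per line.
active_peers() {
    awk '$1 == "Peer:" { print $2 }' "$1" | sort -u
}

# missing_peers <expected-peers-file> <tlist-output-file>
# Prints each expected peer (one IP per line; blank lines and # comments
# are ignored) that has no SA in the tlist output. Returns 1 if any peer
# is missing, 0 if all expected tunnels are up.
missing_peers() {
    expected="$1"
    tlist="$2"
    rc=0
    active=$(active_peers "$tlist")
    while IFS= read -r peer; do
        case "$peer" in ""|\#*) continue ;; esac
        if ! printf '%s\n' "$active" | grep -qxF "$peer"; then
            echo "$peer"
            rc=1
        fi
    done < "$expected"
    return $rc
}

# demo: three expected peers, constructed tlist output showing only two up.
demo() {
    tmp=$(mktemp -d)
    # Constructed peer list (documentation IP ranges).
    printf '%s\n' 203.0.113.10 203.0.113.20 198.51.100.5 > "$tmp/peers.txt"
    # Constructed stand-in for "vpn tu tlist > /tmp/tlist.txt".
    cat > "$tmp/tlist.txt" <<'EOF'
Peer: 203.0.113.10 User: N/A
    IKE SA
    IPSEC SA
Peer: 198.51.100.5 User: N/A
    IKE SA
    IPSEC SA
EOF
    if down=$(missing_peers "$tmp/peers.txt" "$tmp/tlist.txt"); then
        echo "all expected tunnels up"
    else
        # In production this is the point to send the mail/SNMP alert.
        echo "TUNNEL DOWN for: $down"
    fi
    rm -rf "$tmp"
}

demo
```

On a gateway you would replace the constructed input with the real command, for instance `vpn tu tlist > /tmp/tlist.txt && missing_peers /etc/expected_peers.txt /tmp/tlist.txt` (the peer-list path is an assumption), and schedule it from cron. Note that without Permanent Tunnels an idle peer will legitimately have no SA, so this check only means "tunnel down" once Permanent Tunnels are enabled on the community; with them enabled, SmartView Monitor and the SNMP/mail alerts described above give the same information without a script.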
CheckPointerXL
Advisor

Hello Timothy,

So if I enable DPD, do we need to set permanent tunnels? Or is it not necessary?

thanks

Timothy_Hall
Legend

Usually you'd want permanent tunnels enabled when using DPD, but it looks like it is not strictly required:

https://community.checkpoint.com/t5/Security-Gateways/Enable-DPD-on-R80-20/m-p/32605

Note that by default starting in R81 if an Interoperable Device type is participating in a VPN Community and Permanent Tunnels are enabled, DPD mode will be set automatically for that VPN peer, no GUIDBedit required.
