Constant S2S IPsec VPN outages
Hello, everyone.
I currently have several S2S VPNs created, some inherited from the previous administrator, and many others newly created.
We have a concern: many of these VPNs, old and new, tend to have the "recurring detail" that every so often the VPN crashes.
I have the impression that this is due to the lack of traffic on the VPN itself.
Is this normal behavior in Checkpoint?
Is there a way to "keep the tunnel up all the time"?
In addition to this, a general query regarding Checkpoint's VPNs. Parameters such as NAT-T and DPD in CP Firewalls are disabled by default, correct?
If either of these two parameters is enabled, does it affect ALL VPNs that have been created?
Greetings.
Unless you've enabled Permanent Tunnels, this is expected behavior.
We use both a Tunnel Test (CP proprietary) and DPD, depending on the configuration.
I believe DPD is default for NEW installs of R81 and above and can be configured per-peer.
See: https://support.checkpoint.com/results/sk/sk108600#Scenario%204 and the doc I linked earlier.
NAT-T is a global (per gateway) setting per: https://support.checkpoint.com/results/sk/sk32664
Hello,
If my Checkpoint does not have the DPD enabled for a VPN, but the remote peer does have this parameter active, can this be the reason for the constant "intermittency" in the VPN?
Greetings.
Any difference in setting between the two ends can cause this, including DPD settings.
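To make the DPD side of that answer concrete, here is a small simulation of the RFC 3706 liveness logic. This is an added example, not code from the thread or from Check Point: it models the IKEv1 R-U-THERE / R-U-THERE-ACK exchange for one IKE SA. A peer that has been silent for the idle interval gets probed, an ACK only counts if it echoes the sequence number of a live probe, incoming probes are replay-checked against the highest sequence seen, and a peer that never answers is declared dead and its SA torn down. The endpoint class, the timer values and the scenario driver are assumptions chosen for the illustration; a real gateway exposes its own DPD interval and retry settings.

```python
"""Simulation of IKEv1 Dead Peer Detection (RFC 3706) liveness logic.

Added example, not from the thread or Check Point. It models the DPD state
machine a gateway runs per IKE SA, so the effect of a peer that never answers
probes is visible without a lab. Timer values are illustrative assumptions.
"""
from dataclasses import dataclass, field

R_U_THERE = 36136       # ISAKMP Notify types defined by RFC 3706
R_U_THERE_ACK = 36137


@dataclass
class DpdEndpoint:
    name: str
    dpd_enabled: bool = True        # this side negotiated DPD (vendor ID in Phase 1)
    idle_interval: float = 30.0     # RFC 3706 "worry metric": probe after this much silence
    retry_interval: float = 5.0     # wait this long for an ACK before retrying
    max_retries: int = 3            # retries after the first probe before declaring the peer dead
    last_traffic: float = 0.0
    next_seq: int = 1               # probe sequence numbers must increase monotonically
    outstanding: set = field(default_factory=set)   # unanswered probe sequence numbers
    retries: int = 0
    last_probe: float = 0.0
    highest_peer_seq: int = 0       # replay protection for incoming R-U-THERE
    sa_deleted: bool = False
    probes_sent: int = 0

    def on_traffic(self, now: float) -> None:
        """Any authenticated traffic from the peer proves liveness: reset the timer."""
        self.last_traffic = now
        self.outstanding.clear()
        self.retries = 0

    def tick(self, now: float):
        """Timer event. Returns (notify_type, seq) to send, or None."""
        if self.sa_deleted or not self.dpd_enabled:
            return None
        if not self.outstanding:
            if now - self.last_traffic < self.idle_interval:
                return None              # peer heard recently; no probe needed
            return self._send_probe(now)
        if now - self.last_probe < self.retry_interval:
            return None
        if self.retries >= self.max_retries:
            # No ACK after all retries: tear down the IKE SA and its IPsec SAs.
            self.sa_deleted = True
            self.outstanding.clear()
            return None
        self.retries += 1
        return self._send_probe(now)

    def _send_probe(self, now: float):
        seq = self.next_seq              # fresh, strictly increasing number per probe
        self.next_seq += 1
        self.outstanding.add(seq)
        self.last_probe = now
        self.probes_sent += 1
        return (R_U_THERE, seq)

    def receive(self, notify_type: int, seq: int, now: float):
        """Handle a DPD notify from the peer. Returns a reply notify or None."""
        if not self.dpd_enabled:
            return None                  # a peer without DPD ignores the notify entirely
        if notify_type == R_U_THERE:
            if seq <= self.highest_peer_seq:
                return None              # replayed or out-of-order probe: drop it
            self.highest_peer_seq = seq
            self.on_traffic(now)
            return (R_U_THERE_ACK, seq)  # the ACK echoes the probe's sequence number
        if notify_type == R_U_THERE_ACK and seq in self.outstanding:
            self.on_traffic(now)         # only an ACK for a live probe counts
        return None


def run_scenario(peer_responds: bool, peer_dpd_enabled: bool = True, duration: float = 120.0):
    """Drive an initiator against a simulated peer, one second per step."""
    a = DpdEndpoint("gw-a")
    b = DpdEndpoint("gw-b", dpd_enabled=peer_dpd_enabled)
    for t in range(int(duration)):
        msg = a.tick(float(t))
        if msg and peer_responds:
            reply = b.receive(*msg, now=float(t))
            if reply:
                a.receive(*reply, now=float(t))
    return {"probes": a.probes_sent, "sa_deleted": a.sa_deleted}


if __name__ == "__main__":
    print("peer answers:  ", run_scenario(True))
    print("peer silent:   ", run_scenario(False))
    print("peer w/o DPD:  ", run_scenario(True, peer_dpd_enabled=False))
```

With an answering peer the initiator sends one probe per idle interval and keeps the SA; with a silent peer, or one that has DPD off and simply ignores the notify, it sends the first probe plus `max_retries` retries and then deletes the SA. The case in the question above is the mirror image: a remote that probes a gateway which does not answer reaches the same end state on the remote side.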
A question,
What is the most "Feasible" alternative to validate if the VPN tunnels are up or down?
Is SmartView Monitor a viable option?
Or is the CLI the best option to validate this?
I seem to have read at some point about a SCRIPT that would inform you of the status of the tunnels.
Is this real?
Set Permanent Tunnels on the VPN Community (depending on your code version you may need to switch it to DPD mode for non-Check Point VPN peers) and then set mail/SNMP alerts to fire if the tunnel falls down but can't get back up. This page is from my Max Power book:
CET (Europe) Timezone Course Scheduled for July 1-2
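The alerting part of that answer hinges on telling a tunnel that flaps briefly apart from one that stays down. As an added example (not Check Point's code and not from the thread), here is a flap-dampened poller in Python: each polling interval you feed it one `peer state` line per permanent tunnel, produced by whatever command or SNMP poll your version provides (how those lines are produced is outside this example and is an assumption), and it raises an alert only after a tunnel has been down for N consecutive polls and clears it when the tunnel comes back. The sample polls are constructed, not captured output.

```python
"""Flap-dampened alerting over polled VPN tunnel states.

Added example, not Check Point code. Input is one 'peer_ip state' line per
permanent tunnel per poll; the collector that produces those lines (CLI or
SNMP, version dependent) is assumed and not shown. Sample polls are constructed.
"""
from collections import defaultdict

DOWN_POLLS_BEFORE_ALERT = 3   # consecutive "down" polls before alerting

SAMPLE_POLLS = [  # constructed: five consecutive polls of three tunnels
    "198.51.100.7 up\n203.0.113.21 up\n192.0.2.9 up",
    "198.51.100.7 down\n203.0.113.21 up\n192.0.2.9 down",
    "198.51.100.7 up\n203.0.113.21 up\n192.0.2.9 down",   # .7 came back by itself: no alert
    "198.51.100.7 up\n203.0.113.21 up\n192.0.2.9 down",   # .9 third down poll: alert
    "198.51.100.7 up\n203.0.113.21 up\n192.0.2.9 up",     # .9 back: clear
]


def parse_poll(text: str) -> dict:
    """Turn 'peer state' lines into {peer: is_up}; malformed lines are skipped."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        peer, state = parts
        states[peer] = state.lower() == "up"
    return states


def notify(kind: str, peer: str) -> str:
    """Hook point for mail or an SNMP trap; here it only formats the message."""
    return f"VPN tunnel {peer}: {kind.upper()}"


class TunnelAlerter:
    def __init__(self, threshold: int = DOWN_POLLS_BEFORE_ALERT):
        self.threshold = threshold
        self.down_count = defaultdict(int)   # consecutive down polls per peer
        self.alerting = set()                # peers with an open alert
        self.known = set()                   # peers seen in any earlier poll

    def observe(self, states: dict) -> list:
        """Apply one poll; return [(kind, peer)] events raised by it."""
        seen = dict(states)
        for peer in self.known - set(states):
            seen[peer] = False               # a tunnel missing from the poll counts as down
        self.known |= set(states)
        events = []
        for peer, is_up in sorted(seen.items()):
            if is_up:
                if peer in self.alerting:
                    self.alerting.discard(peer)
                    events.append(("clear", peer))
                self.down_count[peer] = 0
            else:
                self.down_count[peer] += 1
                if self.down_count[peer] == self.threshold and peer not in self.alerting:
                    self.alerting.add(peer)
                    events.append(("alert", peer))
        return events


def replay(polls: list, threshold: int = DOWN_POLLS_BEFORE_ALERT) -> list:
    """Run the alerter over a sequence of polls; return [(poll_index, kind, peer)]."""
    alerter = TunnelAlerter(threshold)
    log = []
    for i, poll in enumerate(polls):
        for kind, peer in alerter.observe(parse_poll(poll)):
            log.append((i, kind, peer))
    return log


if __name__ == "__main__":
    for i, kind, peer in replay(SAMPLE_POLLS):
        print(f"poll {i}: {notify(kind, peer)}")
```

With the sample input the tunnel to 198.51.100.7 is down for a single poll and never alerts, while 192.0.2.9 alerts on its third consecutive down poll and clears on the next up poll. Set the threshold to a little more than the time you expect a healthy permanent tunnel to need to re-establish, so an automatic recovery never pages anyone.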
Hello Timothy,
So if I enable DPD, do we need to set Permanent Tunnels? Or is it not necessary?
thanks
Usually you'd want permanent tunnels enabled when using DPD, but it looks like it is not strictly required:
https://community.checkpoint.com/t5/Security-Gateways/Enable-DPD-on-R80-20/m-p/32605
Note that by default starting in R81 if an Interoperable Device type is participating in a VPN Community and Permanent Tunnels are enabled, DPD mode will be set automatically for that VPN peer, no GUIDBedit required.
