This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
startlook
Explorer
‎2022-08-09 02:13 AM

Crash VPN if CPSM server is not available

Good afternoon!
If our CPSM server is not available, then the VPN on the devices in the branch stops working after 24 hours hours or less. This is the expected result. But we would like to increase this time in case the CPSM fails. We used on the information in this article: https://indeni.com/blog/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-a...
We supposed that the problem occurs when a device in a branch office cannot get an up-to-date list of CRL.

Branches use CheсkPoint 1430/1530. Everything is managed centrally through CPSM.
The CRL file on the device itself in the /pfrm2.0/config1/fw1/database directory is up to date.The internal_ca parameters are set to "Fetch new CRL after 48 hours", but the desired result has not been achieved. VPN disconnected again after 24 hours.
How can we increase VPN uptime if CPSM is not available?

In the admin guide I found the following information:
"If CRL Cache is enabled, choose whether a CRL is deleted from the cache when it expires or after a fixed period of time (unless it expires first). The second option encourages retrieval of a CRL more often as CRLs may be issued more frequently than the expiry time. By default a CRL is deleted from the cache after 24 hours."

With any cache settings in the properties of the certificate authority, will the cache on the device in the branch office be cleared after 24 hours anyway? Is there a way to keep the VPN working if the CPSM/CRL Server is unavailable?

Labels
0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-08-09 04:37 AM

Some options exist, do you have a secondary manager?

Please refer:

sk100731: VPNs go down within 24 hours after primary Security Management server goes down

sk21156: Disabling CRL checking when authenticating with certificates

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin
‎2022-08-09 05:05 AM

CRL is an important part of secured VPN. Once CLR cache is expired GWs are supposed to pull the new one. CRL expiration time is set in the Global Properties on your Management Server.

If your SmartManagment Server is down for a long time, VPN tunnel failure is very likely. I would suggest Management HA.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events