startlook
Explorer

Crash VPN if CPSM server is not available

Good afternoon!
If our CPSM server is not available, then the VPN on the devices in the branch stops working after 24 hours or less. This is the expected result. But we would like to increase this time in case the CPSM fails. We used the information in this article: https://indeni.com/blog/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-a...
We supposed that the problem occurs when a device in a branch office cannot get an up-to-date CRL.

Branches use CheckPoint 1430/1530. Everything is managed centrally through CPSM.
The CRL file on the device itself in the /pfrm2.0/config1/fw1/database directory is up to date. The internal_ca parameters are set to "Fetch new CRL after 48 hours", but the desired result has not been achieved. VPN disconnected again after 24 hours.
How can we increase VPN uptime if CPSM is not available?

In the admin guide I found the following information:
"If CRL Cache is enabled, choose whether a CRL is deleted from the cache when it expires or after a fixed period of time (unless it expires first). The second option encourages retrieval of a CRL more often as CRLs may be issued more frequently than the expiry time. By default a CRL is deleted from the cache after 24 hours."

With any cache settings in the properties of the certificate authority, will the cache on the device in the branch office be cleared after 24 hours anyway? Is there a way to keep the VPN working if the CPSM/CRL Server is unavailable?

0 Kudos
2 Replies
Chris_Atkinson
Employee

0 Kudos
_Val_
Admin

CRL is an important part of secured VPN. Once the CRL cache has expired, GWs are supposed to pull the new one. CRL expiration time is set in the Global Properties on your Management Server.

If your SmartManagement Server is down for a long time, VPN tunnel failure is very likely. I would suggest Management HA.

0 Kudos
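Added example (not code from this thread or from Check Point) that models the two CRL cache policies quoted from the admin guide in the question, and _Val_'s point that a gateway must re-fetch the CRL once the cache entry is gone. `EvictionTime` implements "delete when it expires" versus "delete after a fixed period, unless it expires first"; `TunnelOK` shows why a 24-hour cache period with an unreachable management server fails at hour 24 even when the CRL on disk is valid for 48 hours; `CRLValidity` parses a DER CRL the way you would check the ThisUpdate/NextUpdate window of the file in the gateway's database directory. The CA and CRL built by `buildCRL` are constructed test data, and all function names are mine; the real gateway's eviction logic is whatever Check Point implements, so treat the model as the arithmetic behind the guide's sentence, not as its code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CacheMode models the two CRL cache choices quoted from the admin guide.
type CacheMode int

const (
	EvictOnExpiry         CacheMode = iota // drop the CRL only when its NextUpdate passes
	EvictAfterFixedPeriod                  // drop it after a fixed period, or at NextUpdate if sooner
)

// EvictionTime returns when a CRL fetched at fetchedAt leaves the cache.
// Assumption: after that moment the gateway must re-fetch before it can validate peers.
func EvictionTime(fetchedAt, nextUpdate time.Time, mode CacheMode, fixed time.Duration) time.Time {
	if mode == EvictOnExpiry {
		return nextUpdate
	}
	deadline := fetchedAt.Add(fixed)
	if nextUpdate.Before(deadline) {
		return nextUpdate // "unless it expires first"
	}
	return deadline
}

// TunnelOK reports whether certificate validation can still succeed at 'now':
// either the cached CRL is still held, or a fresh one can be fetched.
func TunnelOK(now, evictAt time.Time, crlServerReachable bool) bool {
	return now.Before(evictAt) || crlServerReachable
}

// CRLValidity parses a DER-encoded CRL (for example one copied from the
// gateway's database directory) and returns its ThisUpdate/NextUpdate window.
func CRLValidity(der []byte) (time.Time, time.Time, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return time.Time{}, time.Time{}, err
	}
	return crl.ThisUpdate, crl.NextUpdate, nil
}

// buildCRL creates a throwaway CA and signs an empty CRL valid for 'validity'.
// Constructed test data only; it stands in for the CRL your internal CA issues.
func buildCRL(thisUpdate time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-internal-ca"},
		NotBefore:             thisUpdate.Add(-time.Hour),
		NotAfter:              thisUpdate.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // CreateCertificate derives SubjectKeyId for CAs; CreateRevocationList requires it
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(validity),
	}
	return x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
}

func main() {
	fetched := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	der, err := buildCRL(fetched, 48*time.Hour)
	if err != nil {
		panic(err)
	}
	tu, nu, err := CRLValidity(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL window: %s .. %s\n", tu.Format(time.RFC3339), nu.Format(time.RFC3339))

	at30h := fetched.Add(30 * time.Hour)
	for _, mode := range []CacheMode{EvictOnExpiry, EvictAfterFixedPeriod} {
		evict := EvictionTime(fetched, nu, mode, 24*time.Hour)
		fmt.Printf("mode %d: cache dropped at %s; tunnel OK at +30h with management down: %v\n",
			mode, evict.Format(time.RFC3339), TunnelOK(at30h, evict, false))
	}
}
```

Run it and the fixed-period mode reports the cache dropped 24 hours after the fetch, so with the management server down the tunnel fails at hour 30 even though the CRL's NextUpdate is 48 hours out; the expiry mode keeps validating until NextUpdate. That is the gap between the "Fetch new CRL after 48 hours" setting on the CA and a 24-hour cache lifetime on the gateway, and Management HA, as suggested above, is what keeps the re-fetch itself available.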