Hi Dameon,

as far as I know DPD is not enabled on gateways and Keep_IKE-SAs is not checked so what do you suggest ?

DPD is not enabled by default, that much I know. 

I'll have to confirm my understanding with R&D.

You may also want to check with the TAC as well. 

How To Open a Case with TAC and/or Account Services‌

Hi Dameon,

do you have any update from your R&D team? if I enable DPD does it have any impact to existing IPsec tunnels?

To clarify, the setting controls the method the given gateway can be probed by (Tunnel Test or DPD).

A given gateway can be probed by one or the other, not both.

If you configure the remote gateway object to use DPD and the others in the community remain set to Tunnel Test, your gateway will probe the remote gateway with DPD and the others will use Tunnel Test.

Which I think is what you're after.

Thanks Dameon for your reply

so in this case are the following steps are correct?

1- enable "keep_IKE_SAs " from smart dashboard , global properties , Advanced VPN configuration and then push the policy

2-  Backup the Check Point Registry:

 [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL  

 [Expert@HostName:0]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1 

 [Expert@HostName:0]# cpstop ; cpstart

or just step 1 is enough?

I believe you need to do both.

That's in addition to setting the tunnel_keepalive_method property in the remote object to dpd, of course.

We have a similar issue in that our 3rd parties remote gateways intermittently drop because our local peer (gateway) is apparently not responding to DPD requests.

All our 3rd party vpn's are not Checkpoint so to enable our end to respond to DPD requests do we need to edit the peer gateway object in guidbedit and will this require a restart of just the Management station or the gateway as well?

Thanks

What about enabling dpd responder mode only for a single gateway? We had the same intermittent issue where some 3rd party VPN (AWS mostly) drop because our gateway didn't respond to dpd within the last 30s. Looks like dpd responder mode could only be enabled globally and not on a per peer basis.

Thanks

🙂

Yeah, I'm wondering about that, too.  The site to site VPN guide isn't very clear on exactly what happens, but between that and sk108600, it looks like passive responder mode is universal.  Does anyone else concur or know that to be true?

We also have an issue with an AWS cloud based app that has gone down hard twice now in 90 days.  Unfortunately, it's a critical app for our business.  The provider's VPN support is blaming the fact that we do not have Dead Peer Detection turned on.   It looks like a small glitch in connectivity causes the darn AWS VPN gateway to start DPD detection and once it does, it's a slow downward spiral over a couple of hours with more and more SAs being deleted until it finally deletes the IKE keys and shuts up.  Once that happens, the AWS gateway has to be reset to restore connectivity.

In talking with my CISCO based peers, it seems that they pretty much automatically enable DPD when configuring a VPN.  I think they call it "IKE Keepalives".  This might explain some mysterious behavior I've seen over the years when working with CISCO interoperable devices. 

Anyway, does anyone know of any gotchas when enabling DPD in either passive or active mode?

And what's with all this hidden configuration stuff?  One has to use the registry and edit the database directly using guidbedit or dbedit to set the parameters?  That sucks because it's not transparent to future admins.

For Permanent Tunnel the Default mode is "tunnel_test" (Check Point Proprietary). With GuiDBedit or dbedit you can change the mode to either 'dpd' (Active DPD) or 'passive' (Passive DPD). 

Hmmm.  Both sk108600 and the Site to Site VPN Admin Guide only talk about using ckp_regedit on the gateway to enable DPD responder mode and no other requirements are listed.  That makes it sound like DPD responder mode is universal.  If it still requires a special community and per gateway dbedit to activate, like is mentioned for DPD active mode for permanent tunnels, then that requirement is not apparent from the way the documentation is written.  Perhaps the docs need to be updated?

On our side this occur with all non Checkpoint VPN remote gateway. All of them are saying the same thing. We are normally responding to "dpd are you there" messages, but sometime we stop responding and after all 3rd party tunnel goes down at the same time.

That being said, last week we enable keep_ike_sa on our global configuration following recommendation from checkpoint support, that change did leverage the issue duration, but didn't help with the frequencies of those outage.

Looks like we still stops responding "dpd are you there" message but most of the time we are answering to it. That still cause us issue... We followed SK100726 for tunnel creation with AWS. We put tunnel_keepalive_method = dpd" in GUIDBEdit for the relevent Gateway. We followed sk108600 to enable keep_ike_sa witch reduce the outage lenght. But still having issues.

I'm wondering enabling dpd responder mode "ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1 " will help... but i'm not sure since we are already responding dpd... but not always responding.... witch make the tunnel to flap.

Thanks!

The DPD mode should be enabled on the GW which you want to be tested with DPD.

So, in your case DPD should be enabled on the Cisco device object (in guidbedit), which means that all the tunnels to this Cisco device would be monitored with DPD. Other tunnels from your CP device should not be affected as there should be no change on the CP object. This also requires permanent tunnel to be defined between CP and Cisco.

If you do not want to define a permanent tunnel with the peer you can use forceSendDPDPayload parameter in order to force our GW to declare DPD support. Important to mention that it doesn't mean that we will send DPD, it only means that we will declare our support of DPD and peer will be able to send the DPD packets to us and we will reply them.

Regarding keep_IKE_SAs - we recommend to enable it without any relevance to DPD. It should only be disabled in case it is a security requirement in your organization to clear all the tunnels on policy installation. We are even considering to change the default of this setting to be true in the future versions.

As a part of this discussion we are going to review our decisions regarding DPD declaration, proposal and usage to see if default values can be changed to get a better usability with 3rd parties including public cloud vendors.

Just a grain of salt : Permanent tunnels are are nice-to-have thing that looks pretty good - but usually, i just need the traffic flow thru S2S VPN to work ! If the VPN peers are not always helpful, you can always have a server from one site ping a server in another site in regular intervals 😉

Hi Bob,

I think that the best way to work would be to work with permanent tunnel and DPD defined on Cisco object.

Force send DPD is a temporary parameter and would be reworked.

We are already running permanent tunnel and dpd defined on the object (keepalivemethod=dpd) and we are getting the result that we are having right now.

I'm trying to find a way to make it work properly.

Thanks

Already with them since almost 2months on this case and still struggling with the issue. We've now just been sent to escalation engineer will see what's happen.

Thanks

Hello,

So to enable dpd in a community, I only have to enable dpd in the object of the peer gateway and not in my security gateway checkpoint?

That is correct!

Hi @bob81 ,

Would you please update us with the final conclusion of this issue (if you still remember it :))?

our 3rd part uses Generic Linux server, CentOS 6.9 as the gateway