This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dgrenfell
Contributor
4 weeks ago
Jump to solution

Has anyone been able to have redundant VPN tunnels with AWS using vti's?

I have 2 site-site VPN tunnels going out to AWS, but I can't seem to force a failover to make sure redundancy is working. We have a cluster of 2 19100 appliances, so I know redundancy would work if we lost a gateway, but for some reason the steps I have taken to force a failover for the tunnels doesn't seem to work. I have performed the following:

- Logged into GAIA and disabled the vti interface (vpnt2 in this case) and pushed policy

- When logged into the active gateway and looking at the tunnel list, I still see the tunnel associated with the vti interface I had disabled still showing connected

- After deleting the SA's for the gateway on the AWS end of this tunnel, it still showed connected, no matter how many times I performed those actions

The vendor on the AWS end said the tunnel never went down, and they were seeing traffic flowing in and out of their server, so that attempt was a bust. I then got CP on a conference call with us and the ONLY way we could get it to "fail over" was to remove the gateway that is associated with the vti from the community. However, the same symptoms were still present (i.e the tunnel still showing connected, etc), but it was when the tunnel negotiation timer ran out that it FINALLY showed disconnected (after pushing policy the AWS side finally went down, but it took approximately 60ish seconds). When we ran fw monitor, we saw that traffic on our end was still trying to send things out the tunnel that was apparently down, so it just broke things, and we had to revert back.

TLDR: Am I missing something here?

Here is my configuration:

- Cluster of 2 19100 CheckPoint appliances running R81.20 with JHF 76

- 2 vti interfaces pointing to their respective AWS gateways, using addressing provided by AWS

- A star community consisting of our cluster as the satellite gateway and the 2 AWS gateways as the center

- Both AWS gateways set with empty groups to facilitate the routed based configuration (instructions provided by AWS and CP TAC)

- Static routes set on both vti's using a priority of 1 and 2 for each gateway (1 being the primary tunnel and 2 being the secondary) so the gateways know which vti to "prefer" to send traffic out

- Directional rules set up in Smart Console to allow the traffic that is to be accepted

The site-site VPN IS working, I just can't seem to perform a forced fail over to go from one tunnel to the other. 

 

Any thoughts? Am I missing anything? Let me know if I need to show or explain anything further. Thanks all!

 

Labels
0 Kudos
56 Replies
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

Fair enough! Not sure if you follow baseball at all, but I see today since Blue Jays made it to world series, Canadians are donating to Seattle childrens hospital, as we beat Seattle Mariners. I did too, Seattle is such an amazing place and that hospital is truly special.

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to the_rock
Jump to solution

See! Even more reason to love Canada. Since I live in Seattle, yeah, I'm aware we lost. Sadly, I wasn't surprised, as every time they get far, they blow it. Oh well. 

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

Team is good, really good, they will do well. Btw, just donated 100$ to the hospital, very happy to do it, AMAZING place.

Best,
Andy
Jesusm
Participant
3 weeks ago
Jump to solution

I had a similar issue to yours. Searching this site, I found a recommendation to set the same time on DPD.
We matched the DPD sign-of-life timeout on both sites (CP cluster and AWS).
After this, both tunnels came up.

You could try this.

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Jesusm
Jump to solution

Was that guidbedit setting?

Best,
Andy
0 Kudos
Jesusm
Participant
3 weeks ago
In response to the_rock
Jump to solution

Hi,

No, it was in global properties> Advanced > VPN Advacend properties > Tunnel Management.

Regards.

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Jesusm
Jump to solution

Thank you!

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Jesusm
Jump to solution

@Jesusm 

Mind attach screenshot of it? I only have access to my phone atm 🙂

Best,
Andy
0 Kudos
Jesusm
Participant
3 weeks ago
In response to the_rock
Jump to solution

Sure.

Screenshot 2025-10-22 115639.png

The parameter is: life sign timeout

 

 

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Jesusm
Jump to solution

Thanks! So what do you have it set to?

Best,
Andy
0 Kudos
Jesusm
Participant
3 weeks ago
In response to the_rock
Jump to solution

I didn't change anything, I kept my default time: 40 seconds.

The other side (AWS) set my time. 

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Jesusm
Jump to solution

Got it!

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to Jesusm
Jump to solution

Cool! I'm checking with AWS to see what they have set on their end. My output looks the same as what you have here. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

Fingers crossed...GOOOO BLUE JAYS, sorry had to say it 🙂

 

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to the_rock
Jump to solution

LOL All good sir!

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

Just remembered my experience at Pink Door restaurant in Seattle...ANGELIC, to be truthful.

 

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to the_rock
Jump to solution

Funny, I still haven't been there yet. Been wanting to take my wife (who has been there before), but always seem to miss out due to bad timing on my part. 

(1)
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

You should, man. It reminds me of typical, original Italian restaurants in Milan, Italy...except, way HIGHER ceiling lol. I remember once in Puglia, I was literally hitting the ceiling haha... I mean, there are people taller than me in this world, but 6'3 height should clear, you would think lol. I highly recommend gnochi...THE BEST

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to the_rock
Jump to solution

Oh man, I just got back from Italy, with Milan being the last city we visited before coming back. Food was great! I'll keep that in mind about PD. I'm on 5'11, but 6'3 is pretty tall!

the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

Good ol' Milan...I always remember Italy as place where NO ONE puts on parking brake, so people can push your car to make parking room LOL

Been like that since 1990s 😉

Best,
Andy
0 Kudos
dgrenfell
Contributor
3 weeks ago
In response to the_rock
Jump to solution

LOL Now that's something! Can't say I experienced that. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to dgrenfell
Jump to solution

I did that once in city of Bari...SHHHHHH, dont tell anyone 😉

Best,
Andy
0 Kudos
dgrenfell
Contributor
a week ago
Jump to solution

Welp, I guess it took upgrading to JHTF 118 to get this failover thing to work. So yay! Ha. Thanks all who chimed in to help me with this, it is greatly appreciated. 

the_rock
MVP Platinum
MVP Platinum
a week ago
In response to dgrenfell
Jump to solution

Excellent, very happy for you! And congrats on the World series...well, I know its not your team, but at least its on west coast lol

I think every canadian here is heart broke, except me LOL. I never even cried as a kid when my team would lose...geesh, if they will give me even 500K, I will fake cry for a week 🤣🤣🤣

Best,
Andy
0 Kudos
dgrenfell
Contributor
a week ago
In response to the_rock
Jump to solution

Thanks Andy! I know my wife is happy the Dodgers won, but I didn't really care, honestly. But I have to say, I really thought the Jays were going win there! They really brought it.

I think I agree, I'd totally fake cry for large amounts of money too!

the_rock
MVP Platinum
MVP Platinum
a week ago
In response to dgrenfell
Jump to solution

It truly showed me why I ALWAYS say (no offense to any nation on the planet), but in my opinion, there is no work culture and effort like Japanese. That pitcher, Yamamoto, they can 100% thank him for winning the championship. I was reading and I saw it with my own eyes when I was in Japan, the way they work and take pride in perfection is unlike you see anywhere else. Guy used to pitch till midnight and watch videos on strike zone and people would find him asleep on the field the next day from exaustion, but he never complained.

Truly unreal...

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
a week ago
In response to dgrenfell
Jump to solution

Glad you got it fixed!  Well done!

Be sure to rate any posts you found helpful!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events