Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Saul_Schwartz
Explorer

IPSec Tunnel to AWS VPC - Sporadically drops after Policy Install

I've got a strange, lingering issue. Our R77.30 Gateway has quite a few IPSec Site-to-Site VPN tunnels terminating on it, and a few of them are on AWS. I've played with the settings in the IPSec community and encryption on several of them and still experience the same behavior.

1. The tunnel can be up, operating normally, passing traffic at an acceptable rate.

2. After I install policy to the gateway, *sometimes*, traffic will no longer traverse the tunnel. 

   2a. This is random - I would say 10% of the time, it will happen.

   2b. Pushing policy again fixes it.

Disclaimer - I set up the VPN like i've always done with other sites (external site using ASA, Palo, etc) - using an interoperable device/PSK/IPSec Community. I just recently found this sk:

How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC u... 

Could not using VTI's be my issue? I'll be honest, i'm not familiar with VTI's or MSS clamping or dead peer detection.

2 Replies
PhoneBoy
Admin
Admin

If you're not using VTIs and Dynamic Routing, it's a definite possibility.

It's a bit more reliable to use VTIs when connecting with Amazon's VPN endpoint.

However, if you're going down this path, I recommend upgrading the Security Gateway to R80.10, so you can fully leverage CoreXL when using VTIs (otherwise, CoreXL is disabled when using VTIs, and performance will take a hit).

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I remember a similar issue whose description can be found in  sk116013: NAT fails after policy installation

I suggest to verify if it is the same - then you can get a fix for it from TAC.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events