Brian_Reynolds
Explorer

Is VPN "dpd_allowed_to_init_ike" only for gateway-to-gateway VPNs?

I just recently turned on DPD and "permanent tunnels" on an R80.20 gateway for a site-to-site VPN to a third-party client gateway. The VPN community is set for subnet-to-subnet rather than gateway-to-gateway.

I changed "tunnel_keepalive_method" to "dpd" for both our gateway object and the client interoperable gateway object in policy, since the other gateway isn't a Check Point.

We just had a DPD event ("TUNNEL STATUS CHANGE: Peer gateway [client gateway ip] has changed status to down") and after the client gateway came back up, the Check Point tried to reestablish the connection but just started looping IKE events with the following error:

"Received notification from peer: Traffic selectors unacceptable MyTSi: <my gateway IP> MyTSr: <client gateway IP>.."

This persisted for hours until somebody finally tried to ping through the tunnel, and then suddenly the connection reestablished with the proper subnet-to-subnet traffic selectors and then everything was back up again.

I guess "dpd_allowed_to_init_ike" needs to be turned off if you're using a subnet-to-subnet VPN? I don't see anything like that mentioned in the manual or in sk108600, though.

0 Kudos
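A detection-side illustration of the symptom described in the post: a DPD "down" event followed by hours of "Traffic selectors unacceptable" notifications carrying the two gateway addresses as selectors, with no "up" until traffic finally nudges the tunnel. This is an added example, not Check Point code; the two message texts are the ones quoted above, while the timestamp prefix, the "status to up" message and the sample addresses are constructed assumptions.

```python
"""Flag a site-to-site tunnel that, after a DPD 'down' event, keeps failing IKE
with 'Traffic selectors unacceptable' instead of coming back up.

Constructed example, not Check Point code. The two message texts are the ones
quoted in the post; the timestamp prefix and the 'status to up' line are assumed.
"""
import re
from datetime import datetime, timedelta

STATUS_RE = re.compile(r"^(\S+) .*Peer gateway (\S+) has changed status to (up|down)")
TS_RE = re.compile(r"^(\S+) .*Traffic selectors unacceptable MyTSi: (\S+) MyTSr: (\S+)")

# Constructed sample log: peer drops, retries loop for hours with bare
# gateway addresses as selectors, then the tunnel finally comes back up.
SAMPLE_LOG = """\
2019-05-01T02:10:05 TUNNEL STATUS CHANGE: Peer gateway 198.51.100.7 has changed status to down
2019-05-01T02:12:31 Received notification from peer: Traffic selectors unacceptable MyTSi: 203.0.113.2 MyTSr: 198.51.100.7
2019-05-01T02:13:01 Received notification from peer: Traffic selectors unacceptable MyTSi: 203.0.113.2 MyTSr: 198.51.100.7
2019-05-01T03:45:12 Received notification from peer: Traffic selectors unacceptable MyTSi: 203.0.113.2 MyTSr: 198.51.100.7
2019-05-01T06:02:44 TUNNEL STATUS CHANGE: Peer gateway 198.51.100.7 has changed status to up
"""

def _finding(peer, s, end, recovered):
    return {"peer": peer, "rejects": len(s["rejects"]), "recovered": recovered,
            "loop_minutes": int((end - s["down"]).total_seconds() // 60),
            "host_selectors": s["host_selectors"]}

def find_stuck_tunnels(log, min_rejects=3, min_duration=timedelta(minutes=30)):
    """Return one finding per peer whose down/retry window is long and noisy enough."""
    open_down, findings, last_ts = {}, [], None
    for line in log.splitlines():
        if m := STATUS_RE.match(line):
            last_ts, peer, status = datetime.fromisoformat(m[1]), m[2], m[3]
            if status == "down":
                open_down[peer] = {"down": last_ts, "rejects": [], "host_selectors": False}
            elif peer in open_down:
                findings.append(_finding(peer, open_down.pop(peer), last_ts, True))
        elif m := TS_RE.match(line):
            last_ts, tsi, tsr = datetime.fromisoformat(m[1]), m[2], m[3]
            # In the post, MyTSr was the peer gateway's own address, so it keys the peer.
            if s := open_down.get(tsr):
                s["rejects"].append(last_ts)
                # Bare addresses (no prefix length) mean gateway-to-gateway selectors,
                # not the subnet pair the community is configured for.
                s["host_selectors"] |= "/" not in tsi and "/" not in tsr
    # Peers still down when the log ends are the ones worth alerting on immediately.
    for peer, s in open_down.items():
        findings.append(_finding(peer, s, last_ts, False))
    return [f for f in findings
            if f["rejects"] >= min_rejects and timedelta(minutes=f["loop_minutes"]) >= min_duration]
```

Tuning `min_rejects` and `min_duration` separates this loop from an ordinary short flap, where a peer goes down and comes back after one or two rekey attempts.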
1 Reply
PhoneBoy
Admin

I recommend engaging the TAC here.

0 Kudos