This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mever
Explorer
‎2020-12-16 02:17 PM

Moving from MPLS connection to site to site VPN - VPN goes down a day or so after disconnecting MPLS

Right now all my offices are connected by an MPLS network. I’ve established a site to site VPN and got all the tunnels up, however, during testing if I leave the MPLS disconnected for a day or so, the VPN eventually goes down. The logs show timeout errors and certificate invalid errors.

I’m wondering if it’s trying to verify the certificate across the MPLS maybe? Or if it’s verifying to a point that is only accessible over the MPLS? I guess I don’t understand what it’s doing for verification of the certificate entirely.

I did notice the Security Management Server certificate authority DN seems to reference a server from before my time that we don’t have anymore (I think maybe it was a domain controller once upon a time).

I’ve enabled the VPN debugs but don’t see anything that points out why the certificate is being rejected in the logs.

Any help is greatly appreciated.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2020-12-16 03:09 PM

Yes, this is exactly what is happening.
Gateways need to be able to reach the Certificate Authority to perform CRL checks.
This is the management server (internal CA) or whatever external CA is being used.
If the CA is unavailable for 24 hours, the VPN will go down.

If your management server does not have a public IP and you are using the internal CA, you will probably need to define a static NAT in the management object for that server.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events