I dont believe its Cisco side. Here are drops on CP end when issue is happening:

# fw ctl zdebug + drop | grep 205.207.130.253

@;127721520;[cpu_0];[SIM-204987365];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3), conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127721520;[cpu_0];[SIM-204987365];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127721520;[cpu_0];[SIM-204987365];sim_pkt_send_drop_notification: (0,1) received drop, reason: Encryption Failed, conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127721520;[cpu_0];[SIM-204987365];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127721520;[cpu_0];[SIM-204987365];sim_pkt_send_drop_notification: sending single drop notification, conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127721521;[cpu_0];[SIM-204987365];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<172.16.193.243,50846,205.207.130.253,22,6>;
@;127722353;[cpu_0];[SIM-204987365];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3), conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127722353;[cpu_0];[SIM-204987365];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <172.16.193.243,50846,205.207.130.253,22,6>;
@;127722353;[cpu_

Forgot to mention, we also ended up completely disabling supernet globally AND also per that specific community, same problem.

Hello,

We are experiencing a very similar issue with a VPN to an AWS gateway. Our Checkpoint is running R80.40 take 87. Did you find a fix for this issue?

Thank you. 

As a matter of fact, we did : ). We ended up turning of vpn acceleration for that tunnel...vpn accel off x.x.x.x y.y.y.y (x.x.x.x would be cp external vpn IP and y.y.y.y would be remote peer). Once that was done and policy pushed, it worked. Now, here is the thing...in our case it was fine, since not a lot of traffic through that tunnel, but if thats not the case with your tunnel, maybe disabling vpn acceleration might not be a god idea...just saying. But, either way, worth a try.

Andy

Excellent, I will look at giving that a try. 

Sounds good! Personally, I found acceleration to be problem on CP for the last 15 years and there has never been a solid, logical solution to it, sadly. Anyway, give it a go and see what happens.

I gave that a try but unfortunately it didn't resolve my issue. The tunnel still dropped for a few minutes after the policy had been pushed. Back to the drawing board. I will get a ticket raised with Checkpoint support and see what they suggest.  

If that failed, then you can try fwaccel off as well in conjunction with vpn accel off and see what happens. If that failed as well, then yes, raise a case with TAC.

Andy

Good idea, I will give that a try as well.

If that fails too, Im really sorry brother, Im not a good liar, I got nothing else : (. What I would personally do in that case is go with vpn debug (ike.elg)

vpn debug ikeon

run quick test when issue is there, then turn off the debug (vpn debug ikeoff) and look for ike.elg file in $FWDIR/log directory.

Im happy to do remote over the weekend if you like, not like I do anything else during covid these days anyway, haha. Let me know...you are welcome to message me privately as well.

Andy

Please also review sk142355 in case it is relevant to your scenario.

Im pretty sure he did that already, but let Stuart confirm.

Thanks Andy, That was the first SK I tried but it didn't fix it. I collected some ike, vpnd and tcpdump debugs yesterday but I can't see anything obvious. I will upload them to Checkpoint to see if they can spot anything. 

vpn accel off x.x.x.x helped me also with the same issue altough I dind't see any drops with fw ctl zdebug + drop

i am on R81.10.15